A Java CLI tool can be used to check the validity of a certificate from scripts. The tool supports a clustered SignServer installation using the "Use first host that responds OK" policy.
When compiling, make sure that `validationclient.enabled` is set to `true` in the build properties. The client is `lib/SignServer-Client-ValidationCLI.jar`.
Use the client with:

```
bin/signclient validatecertificate <options>
```
The following options are available:

| Required | Description |
|---|---|
| `-cert <cert-file>` | Path to certificate file (DER or PEM). Required. |
| `-hosts <hosts>` | A comma-separated string containing the hostnames of the validation service nodes. For example, 'host1.someorg.org,host2.someorg.org'. Required. |
| `-service <service-name>` | The name or ID of the validation service to process the request. Required. |

| Optional | Description |
|---|---|
| `-certpurposes <certpurposes>` | A comma-separated string containing requested certificate purposes. |
| `-der` | Certificate is in DER format. |
| `-help` | Displays this information. |
| `-pem` | Certificate is in PEM format. (Default) |
| `-port <port>` | Remote port of service. (Default is 8080, or 8442 for SSL) |
| `-silent` | Does not produce any output. Only returns a value. |
| `-truststore <jks-file>` | Path to JKS truststore containing trusted CA for SSL server certificates (for HTTPS connections). |
| `-truststorepwd <password>` | Password of the JKS truststore given with `-truststore` (for HTTPS connections). |
The following return values are used:

- `-2`: Error happened during execution
- `-1`: Bad arguments
- `0`: Certificate is valid
- `1`: Certificate is revoked
- `2`: Certificate is not yet valid
- `3`: Certificate has expired
- `4`: Certificate does not verify
- `5`: CA Certificate has been revoked
- `6`: CA Certificate is not yet valid
- `7`: CA Certificate has expired
- `8`: Certificate has no valid certificate purpose
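The following wrapper script is an added example, not part of SignServer, showing how a script should consume these return values: it fails closed (only `0` counts as valid, every error is treated as "no verdict"), and it accounts for the fact that a POSIX shell truncates Java's negative exit codes to 8 bits, so `-1` and `-2` arrive as `255` and `254`. The `SIGNCLIENT` path and the `validate_cert` helper are assumptions of this example.

```shell
#!/bin/sh
# Example wrapper around "signclient validatecertificate" (not part of SignServer).
# SIGNCLIENT is an assumed default; override it with the environment variable.
SIGNCLIENT="${SIGNCLIENT:-bin/signclient}"

# Map the CLI's return value to its meaning. The shell only keeps the low
# 8 bits of an exit status, so the CLI's -1 and -2 show up as 255 and 254.
status_message() {
    case "$1" in
        0) echo "Certificate is valid" ;;
        1) echo "Certificate is revoked" ;;
        2) echo "Certificate is not yet valid" ;;
        3) echo "Certificate has expired" ;;
        4) echo "Certificate does not verify" ;;
        5) echo "CA Certificate has been revoked" ;;
        6) echo "CA Certificate is not yet valid" ;;
        7) echo "CA Certificate has expired" ;;
        8) echo "Certificate has no valid certificate purpose" ;;
        255|-1) echo "Bad arguments" ;;
        254|-2) echo "Error happened during execution" ;;
        *) echo "Unknown return value $1" ;;
    esac
}

# Classify a return value: "valid", "invalid" (a definite negative verdict)
# or "error" (no verdict obtained). A fail-closed caller treats "error"
# exactly like "invalid" instead of letting the certificate through.
status_class() {
    case "$1" in
        0) echo valid ;;
        1|2|3|4|5|6|7|8) echo invalid ;;
        *) echo error ;;
    esac
}

# Validate one certificate (PEM by default). Extra arguments such as
# "-der" or "-certpurposes" are passed through. Prints the verdict and
# succeeds only when the certificate is valid.
validate_cert() {
    cert="$1"; hosts="$2"; service="$3"; shift 3
    "$SIGNCLIENT" validatecertificate -silent -cert "$cert" \
        -hosts "$hosts" -service "$service" "$@"
    rc=$?
    printf '%s: %s (%s)\n' "$cert" "$(status_message "$rc")" "$(status_class "$rc")"
    [ "$(status_class "$rc")" = valid ]
}
```

A caller would use it as `validate_cert server.pem 'host1.someorg.org,host2.someorg.org' MyValidationService -certpurposes IDENTIFICATION || exit 1`.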