Key Validators validate the quality of keys, foremost as a result of incoming CSRs. The following covers the different types of Key Validators, RSA Key Validator, ECC Key Validator, and Block List Key Validator, and also lists common Key Validator settings.
Key Validator Types
RSA Key Validator
The RSA Key Validator inspects RSA key parameters and validates key quality beyond key length and size. This key validator can enforce the CA/B-Forum requirements (CA/B Forum Baseline requirements version 1.4.2 section 6.1.6), including FIPS 186-4 and NIST (SP 800-89 and NIST SP 56A: Revision 2), on RSA public keys, and also have options to perform the following tests on the RSA exponent and modulus:
- That the value of the public exponent is an odd number equal to 3 or more.
- That the public exponent is in the range between 2^16+1 and 2^256-1.
- That the modulus is an odd number, not the power of a prime, and have no factors smaller than 752.
- That the public key is not a ROCA weak key (CVE-2017-15361).
ECC Key Validator
The ECC Key validator inspects the full public key validation (NIST SP 56A) routine on ECC keys.
Block List Key Validator
This validator compares public keys against a block list of known bad public keys, such as weak Debian keys.
The block list is empty by default and must be filled manually.
The public key block listed entries can be added using the CLI:
bin/ejbca.sh ca updatepublickeyblocklist add <directory of block listed public keys>
where the directory contains public key files in PEM format. If you have a list of PEM formatted private keys, you can create the public key entries, and CSRs to test with using these commands:
openssl req -key blocklisted-privatekey.pem -out blocklisted.csr -new openssl rsa -in blocklisted-privatekey.pem -pubout > tmp/blocklisted-publickey.pem
You can import a block list fingerprint file (a file with one block list fingerprint per line) with:
bin/ejbca.sh ca updatepublickeyblocklist add <directory where block list fingerprint file resides> --mode fingerprint
- RSA keys, the SHA-256 hash of the RSA key modulus bytes (ignoring the fixed value e).
- ECDSA keys, the SHA-256 hash of the binary public key encoding (SubjectPublicKeyInfo).
To import one of the lists of weak Debian keys provided by the Debian maintainers, use
bin/ejbca.sh ca updatepublickeyblocklist add <directory where debian block lists reside> --mode debianfingerprint
You can also remove fingerprints using the fingerprint file:
bin/ejbca.sh ca updatepublickeyblocklist remove <directory where block list fingerprint file resides> --mode fingerprint
For more information on Debian weak key checks, see Post Processing Validators.
Common Key Validator Settings
Certificate Validity Not Before
|Only perform validation if certificate validity NotBefore matches the condition, i.e. is less than or greater than the given date. If no date is set, this condition is not used. Date in the format 2017-02-28 will for example only validate certificates valid from the 28th of February 2017.|
Certificate Validity Not After
Only perform validation if certificate validity NotAfter matches the condition.
The format of the date entered is 'yyyy-MM-dd [HH:mm:ss]', for example 2022-08-25 for the 25th of August 2022, or if you want to specify a time '2022-08-25 14:50:55'. The displayed date is converted to the server's timezone, and you can specify timezone as well '2022-08-25 14:50:55-0000' for UTC.