A Java CLI tool can be used to check the validity of a certificate from scripts. The tool supports a clustered SignServer installation using the "Use first host that response OK" policy.

When compiling, make sure that the setting validationclient.enabled is set to true in the build properties. The client is lib/SignServer-Client-ValidationCLI.jar.

Use the client with:

bin/signclient validatecertificate <options>
CODE


The following options are available:

OptionDescription
-cert <cert-file>Path to certificate file (DER or PEM). (Required).
-certpurposes <certpurposes>A comma-separated string containing requested certificate purposes.
-derCertificate is in DER format.
-helpDisplays this information.
-hosts <hosts>A comma-separated string containing the hostnames of the validation service nodes. For example,  'host1.someorg.org,host2.someorg.org'. (Required).
-pemCertificate is in PEM format. (Default).
-port <port>Remote port of service .(Default is 8080 or 8442 for SSL).
-service <service-name>The name or ID of the validation service to process request. (Required).
-silentDo not produce any output, only return value.
-truststore <jks-file>Path to JKS truststore containing trusted CA for SSL Server certificates.(for HTTPS connections)
-truststorepwd <password>Path to JKS truststore containing trusted CA for SSL Server certificates.(for HTTPS connections)

The following return values are used:

-2 : Error happened during execution
-1 : Bad arguments
0 : Certificate is valid
1 : Certificate is revoked
2 : Certificate is not yet valid
3 : Certificate has expired
4 : Certificate does not verify
5 : CA Certificate has been revoked
6 : CA Certificate is not yet valid
7 : CA Certificate has expired
8 : Certificate has no valid certificate purpose