Post Processing Validators

To validate issuance based on other certificate values after the certificate (or eventual pre-certificate) has been generated but not issued, stored and published, use the External Command Certificate Validator.

Validator Types

External Command Certificate Validator

With this validator an external script can be called for the generated certificate. The exit code of the external call determines if the validation has failed. This can be used not only to validate certificate criteria, but also to call other external commands or scripts. The user running EJBCA's application server requires the OS file system permissions to do so.

To be able to view and edit the External Script Validator, access to external scripts must be enabled by activating Enable External Script Access under System Configuration>External Scripts. For more information, see External Scripts.

The first token of the External command field must be the external command or script called, followed by its arguments, all separated by spaces. The certificate is stored as a temporary file on the EJBCA server, and its full path is used as first argument. All subsequent arguments are shifted to the right. If the placeholder %cert% is used as an argument at any position, the certificate is not stored on the EJBCA server file system. Instead the placeholder is removed and the PEM encoded certificate is fed to the external command or script via STDIN.

The platform for MS Windows and Unix/Linux is auto-detected and the default shell command and shell options are set:

  • MS Windows: cmd.exe /C

  • Unix/Linux: /bin/sh -c

The following displays examples of external commands for Unix/Linux platforms:

$ /usr/local/opt/ -param1 -param2
$ /usr/local/opt/ -param1 -param2 %cert%
$ openssl x509 -text -noout -in %cert%

Script Whitelisting

An administrator can restrict which scrips can be executed for security reasons, by configuring a whitelist on the System Configuration External scripts tab. The whitelist should contain a list of paths to all scripts allowed to be executed by the External Command Certificate Validator. If the whitelist is enabled by an administrator, any execution of scripts not explicitly listed on the whitelist is prevented by EJBCA.

If the External Scripts Whitelist has been enabled by an administrator and a Validator tries to execute a command which is not on the whitelist, the "Validator was not applicable" action is carried out.

The format of the whitelist is as follows: Each line contains the full path of the whitelisted script. Lines beginning with the character # are treated as comments. The whitelist can contain any number of scripts. An empty (enabled) whitelist will effectively block execution of all external scripts.

The following displays and example of a syntactically valid whitelist:

# -----------------------------------------------------------------------
# This is an example, this configuration does not necessarily make sense
# -----------------------------------------------------------------------
# X.509 Certificate Linter by Amazon 
# X.509 Certificate Linter based on CA/B Forum Baseline Requirements and RFC 5280 

This whitelist allows the three scripts /opt/certlint/certlint, /opt/certlint/cablint, and /opt/scripts/ to be executed. There is no restriction on the parameters which can be given as input to these scripts. Any input validation should be done in the script itself.