#KEYMASTER: What is Linting in the PKI World?
2025-05-27
In this episode, Keyfactor's Sven Rajala welcomes Mike Kushner, a seasoned PKI engineer and contributor to open-source tooling, to explore the topic of linting in the world of digital certificates. Together, they demystify what "linting" means for PKI and how it helps ensure strong, standards-compliant certificates—before they are ever issued. They explore how linters help prevent certificate misissuance by checking compliance with standards before issuance and how this practice—borrowed from the public web PKI world—is increasingly valuable in enterprise and private PKI environments.
While "lint" typically refers to dryer fluff, in PKI, it's a crucial last-minute check applied to certificates before issuance. Linters serve to validate that certificate profiles align with established policies and standards, effectively acting as a safeguard against misissuance.
Linting ensures that specific attributes like keys and extensions conform to internal or industry policies. Originating from web trust and CA/B Forum contexts, where certificate mis-issuance can have severe consequences, linting tools have evolved to become essential components in both public and private PKI environments.
A notable development in the space is PKI Metal, an open-source project that consolidates multiple known linters into a single containerized tool. It can lint certificates, keys, and even OCSP responses against standard profiles and provide warnings or errors. This simplifies what was previously a fragmented process requiring multiple scripts. PKI Metal also checks for known vulnerabilities, such as Debian weak keys or non-compliant RSA configurations.
Learn more:
Why Limit Certificates?
- Security: Limiting certificate lifetimes reduces the window of opportunity for attackers to exploit compromised certs.
- Control: Certificate policies allow organizations to manage what certificates are issued and for what purposes.
- Compliance: Industry standards often mandate certificate restrictions.
- Resource Management: Limitations help prevent abuse and manage CA infrastructure resources.
While linting is a mainstay in public PKI, its benefits extend to private environments too, especially for organizations adhering to strict issuance policies. CAB Forum guidelines, written “in blood” from past mistakes, are generally considered good practice even for enterprise use cases.
Common restrictions used in Certificate profiles
- Validity Periods: Certificates expire after a defined time (e.g., 398 days for TLS certs per Apple policy).
- Issuance Policies: Define allowed subject names, key types, extensions, etc.
- Domain Restrictions: Limit certificates to specific domains or subdomains.
- Algorithm Restrictions: Restrict to only secure key types (e.g., no MD5 or weak RSA).
- Rate Limits: Some providers like Let’s Encrypt cap certificate issuance per domain.
- Cloud CA Limits: AWS, for example, limits ACM certificates to 2500 per account, 10 domains per cert.
PKI Metal supports standard profiles like RFC 5280 and S/MIME, and because it’s open-source, users can fork or contribute custom linters tailored to their organization's needs. For example, a company might enforce additional rules, like publishing to an LDAP directory, and build a linter to verify that process.
Containerization adds a layer of flexibility and security, enabling integration with CA systems like EJBCA without requiring direct script execution on the CA host—something that can be less secure or harder to manage in cloud-native or distributed deployments.
Certificate Enrollment Limits
Some systems like Microsoft’s Certificate Enrollment Web Services (CEP/CES) have limitations—e.g., they don’t support version 4 certificate templates or may require elevated admin privileges for template management.
Currently, post-quantum cryptography (PQC) linting is not broadly supported, but it is anticipated to gain traction as the industry evolves in 2025.
More about Linting with EJBCA
Related resources
#KEYMASTER: About Ephemeral and Short-Lived Certificates