2025-05-27
In this episode, Keyfactor's Sven Rajala welcomes Mike Kushner, a seasoned PKI engineer and contributor to open-source tooling, to explore linting in the world of digital certificates. Together they demystify what "linting" means for PKI and how it helps ensure strong, standards-compliant certificates before they are ever issued. They also discuss how linters prevent certificate misissuance by checking compliance with standards prior to issuance, and how this practice, borrowed from the public web PKI world, is increasingly valuable in enterprise and private PKI environments.
While "lint" typically refers to dryer fluff, in PKI, it's a crucial last-minute check applied to certificates before issuance. Linters serve to validate that certificate profiles align with established policies and standards, effectively acting as a safeguard against misissuance.
Linting ensures that specific attributes, such as keys and extensions, conform to internal or industry policies. Originating from web trust and CA/B Forum contexts, where certificate misissuance can have severe consequences, linting tools have evolved to become essential components in both public and private PKI environments.
A notable development in the space is PKI Metal, an open-source project that consolidates multiple known linters into a single containerized tool. It can lint certificates, keys, and even OCSP responses against standard profiles and provide warnings or errors. This simplifies what was previously a fragmented process requiring multiple scripts. PKI Metal also checks for known vulnerabilities, such as Debian weak keys or non-compliant RSA configurations.
While linting is a mainstay in public PKI, its benefits extend to private environments too, especially for organizations adhering to strict issuance policies. CA/B Forum guidelines, written “in blood” from past mistakes, are generally considered good practice even for enterprise use cases.
PKI Metal supports standard profiles like RFC 5280 and S/MIME, and because it’s open-source, users can fork or contribute custom linters tailored to their organization's needs. For example, a company might enforce additional rules, like publishing to an LDAP directory, and build a linter to verify that process.
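To make the pre-issuance check concrete, here is a small custom linter of the kind the episode describes: it applies a handful of RFC 5280 and CA/B Forum-style rules to a parsed certificate and returns ERROR findings (block issuance) or WARNING findings. This is an added example, not code from the episode or from the PKI Metal project; the rule set, the `Finding` type and the `BuildSelfSigned` helper (which constructs a throwaway self-signed certificate so the linter can be exercised offline) are all illustrative.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Finding is one lint result: "ERROR" should block issuance, "WARNING" should not.
type Finding struct{ Level, Msg string }
// LintLeaf applies a small, illustrative TLS-leaf profile (RFC 5280 / CA/B Forum style); these are not pkimetal's rules.
func LintLeaf(c *x509.Certificate) []Finding {
	var fs []Finding
	add := func(level, msg string) { fs = append(fs, Finding{level, msg}) }
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		add("ERROR", "RSA key shorter than 2048 bits")
	}
	if len(c.DNSNames)+len(c.IPAddresses) == 0 {
		add("ERROR", "no dNSName/iPAddress in subjectAltName; CN alone is not enough")
	}
	if len(c.SubjectKeyId) == 0 {
		add("WARNING", "subjectKeyIdentifier extension missing")
	}
	if c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour { // CA/B Forum TLS BR cap
		add("ERROR", "validity period exceeds 398 days")
	}
	return fs
}

// BuildSelfSigned makes a constructed test certificate (not a real issuance); a CA would lint the template before signing.
func BuildSelfSigned(bits, days int, sans []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lint.example"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, days), DNSNames: sans,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A 1024-bit, SAN-less, 825-day certificate yields three ERRORs plus the SKI WARNING, while a 2048-bit, one-year certificate with a SAN yields only the WARNING; wiring the linter in front of the signing step and refusing to sign on any ERROR is the whole point of pre-issuance linting.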
Containerization adds a layer of flexibility and security, enabling integration with CA systems like EJBCA without requiring direct script execution on the CA host—something that can be less secure or harder to manage in cloud-native or distributed deployments.
Some systems like Microsoft’s Certificate Enrollment Web Services (CEP/CES) have limitations—e.g., they don’t support version 4 certificate templates or may require elevated admin privileges for template management.
Currently, post-quantum cryptography (PQC) linting is not broadly supported, but it is anticipated to gain traction as the industry evolves in 2025.