---
title: About manage-certificates check-certificate-usability
description: The manage-certificates tool offers a check-certificate-usability subcommand to examine a specified entry in a key store and to identify potential issues that might interfere with secure communication.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_manage_certs_check_cert
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_manage_certs_check_cert.html
revdate: July 29, 2022
---

# About manage-certificates check-certificate-usability

The `manage-certificates` tool offers a `check-certificate-usability` subcommand to examine a specified entry in a key store and to identify potential issues that might interfere with secure communication.

The `check-certificate-usability` tool completes the following tasks:

* Ensures that a specified entry in the key store includes a private key and a complete certificate chain

* Checks whether the certificate at the root of the chain is found in the Java virtual machine's (JVM's) default set of trusted certificates

* Ensures that the current time lies within the validity window for all certificates in the chain

* Validates the signatures for all certificates in the chain

* Warns if the end-entity certificate is self-signed

* Warns if the end-entity certificate does not contain an extended key usage extension with the `serverAuth` usage

* Warns if the issuer certificates do not have a key usage extension with the `keyCertSign` usage

* Warns if the issuer certificates do not have a basic constraints extension indicating that they can operate as certification authorities

  If the chain violates a path length constraint, the `check-certificate-usability` tool reports an error.

* Ensures that the signature algorithm uses a strong message digest algorithm, like SHA-256

  The `check-certificate-usability` tool reports an error for weak digest algorithms like MD5 or SHA-1, and reports a warning for unrecognized digest algorithms.

* Ensures that none of the certificates that use an RSA key pair have a key size less than 2048 bits

The following example demonstrates the usage for the `manage-certificates check-certificate-usability` command and its output when no problems are identified.

```shell
$ bin/manage-certificates check-certificate-usability \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --alias server-cert

Successfully retrieved the certificate chain for alias 'server-cert':

Subject DN:  CN=ds1.example.com,O=Example Corp,C=US
Issuer DN:  CN=Example Intermediate CA,O=Example Corp,C=US
Validity Start Time: Tuesday, November 12, 2019 at 03:52:44 PM CST
                     (5 minutes, 45 seconds ago)
Validity End Time: Wednesday, November 11, 2020 at 03:52:44 PM CST
                   (364 days, 23 hours, 54 minutes, 14 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with RSA
Public Key Algorithm:  RSA (2048-bit)
SHA-1 Fingerprint: 84:e4:00:b9:f0:6b:58:bb:ac:67:79:28:2f:43:9f:e3:ac:24:ee:98
SHA-256 Fingerprint: 63:85:4d:2c:50:ea:a8:84:54:e0:73:9a:e7:5b:e7:1b:06:85:0e:
                     28:2b:76:a9:8b:57:fc:27:f7:60:81:48:41

Subject DN:  CN=Example Intermediate CA,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time: Tuesday, November 12, 2019 at 03:52:42 PM CST
                     (5 minutes, 47 seconds ago)
Validity End Time: Monday, November 7, 2039 at 03:52:42 PM CST
                   (7299 days, 23 hours, 54 minutes, 12 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with RSA
Public Key Algorithm:  RSA (4096-bit)
SHA-1 Fingerprint: de:da:3d:fc:d4:1f:67:79:0a:a1:5a:cd:ca:4a:7e:a5:d3:46:88:27
SHA-256 Fingerprint:
   02:3c:af:ad:b7:07:81:89:45:48:d0:09:31:a8:90:c4:17:11:1c:00:11:fd:49:b2:2c:
   ba:ac:dd:c4:9f:03:36

Subject DN:  CN=Example Root CA,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time: Tuesday, November 12, 2019 at 03:52:38 PM CST
                     (5 minutes, 51 seconds ago)
Validity End Time: Monday, November 7, 2039 at 03:52:38 PM CST
                   (7299 days, 23 hours, 54 minutes, 8 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with RSA
Public Key Algorithm:  RSA (4096-bit)
SHA-1 Fingerprint: 8e:03:e4:58:e6:e3:59:9a:55:77:c0:88:3c:fa:d7:29:f4:ff:de:6c
SHA-256 Fingerprint: 95:54:0d:e2:aa:48:29:c1:25:7c:20:69:c0:27:33:31:81:07:02:
                     2e:00:24:ae:49:5e:98:bd:a3:72:a5:05:26

OK:  The certificate chain is complete.  Each subsequent certificate is
the issuer for the previous certificate in the chain, and the chain ends
with a self-signed certificate.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' has a valid
signature.

OK:  Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' has a
valid signature.

OK:  Certificate 'CN=Example Root CA,O=Example Corp,C=US' has a valid
signature.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' will expire at
Wednesday, November 11, 2020 at 03:52:44 PM CST (364 days, 23 hours, 54
minutes, 14 seconds from now), which is not in the near future.

OK:  Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
will expire at Monday, November 7, 2039 at 03:52:42 PM CST (7299 days, 23
hours, 54 minutes, 12 seconds from now), which is not in the near future.

OK:  Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' will
expire at Monday, November 7, 2039 at 03:52:38 PM CST (7299 days, 23
hours, 54 minutes, 8 seconds from now), which is not in the near future.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' at the head of
the chain includes an extended key usage extension, and that extension
includes the serverAuth usage.

OK:  Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
includes a basic constraints extension, and the certificate chain
satisfies those constraints.

OK:  Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
includes a key usage extension with the keyCertSign usage flag set to
true.

OK:  Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' includes
a basic constraints extension, and the certificate chain satisfies those
constraints.

OK:  Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' includes
a key usage extension with the keyCertSign usage flag set to true.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' uses a signature
algorithm of 'SHA-256 with RSA', which is is considered strong.

OK:  Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' uses a
signature algorithm of 'SHA-256 with RSA', which is is considered strong.

OK:  Certificate 'CN=Example Root CA,O=Example Corp,C=US' uses a signature
algorithm of 'SHA-256 with RSA', which is is considered strong.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' has a 2048-bit
RSA public key, which is considered strong.

OK:  Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' has a
4096-bit RSA public key, which is considered strong.

OK:  Certificate 'CN=Example Root CA,O=Example Corp,C=US' has a 4096-bit
RSA public key, which is considered strong.

No usability errors or warnings were identified while validating the
certificate chain.
```

If any usability issues are identified, they might be responsible for communication problems.
