---
title: "The manage-certificates check-certificate-usability subcommand"
description: The manage-certificates tool offers a check-certificate-usability subcommand that can be used to examine a specified entry in a key store and identify any potential problems with it that might interfere with secure communication.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_manage_cert_check_cert
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_manage_cert_check_cert.html
revdate: September 13, 2023
---

# The `manage-certificates check-certificate-usability` subcommand

The `manage-certificates` tool offers a `check-certificate-usability` subcommand that can be used to examine a specified entry in a key store and identify any potential problems with it that might interfere with secure communication.

Some of the things it checks include:

* It makes sure the specified entry in the key store includes a private key and a complete certificate chain.

* It checks whether the certificate at the root of the chain is found in the JVM's default set of trusted certificates.

* It makes sure that the current time is within the validity window for all of the certificates in the chain.

* It validates the signatures for all certificates in the chain.

* It warns if the end-entity certificate is self-signed.

* It warns if the end-entity certificate does not contain an extended key usage extension with the "serverAuth" usage.

* It warns if any of the issuer certificates does not have a key usage extension with the "keyCertSign" usage.

* It warns if any of the issuer certificates does not have a basic constraints extension indicating that it can operate as a certification authority. It reports an error if the chain violates a path length constraint.

* It ensures that the signature algorithm uses a strong message digest algorithm, like SHA-256. It reports an error for weak digest algorithms like MD5 or SHA-1, and a warning for unrecognized digest algorithms.

* It ensures that none of the certificates using an RSA key pair have a key size less than 2048 bits.

The following example shows how to invoke this subcommand and the output it produces when no problems are identified.

```shell
$ bin/manage-certificates check-certificate-usability \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --alias server-cert

Successfully retrieved the certificate chain for alias 'server-cert':

Subject DN:  CN=ds1.example.com,O=Example Corp,C=US
Issuer DN:  CN=Example Intermediate CA,O=Example Corp,C=US
Validity Start Time:  Tuesday, November 12, 2019 at 03:52:44 PM CST (5 minutes, 45 seconds ago)
Validity End Time:  Wednesday, November 11, 2020 at 03:52:44 PM CST (364 days, 23 hours, 54 minutes, 14 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with RSA
Public Key Algorithm:  RSA (2048-bit)
SHA-1 Fingerprint:  84:e4:00:b9:f0:6b:58:bb:ac:67:79:28:2f:43:9f:e3:ac:24:ee:98
SHA-256 Fingerprint:  63:85:4d:2c:50:ea:a8:84:54:e0:73:9a:e7:5b:e7:1b:06:85:0e:28:2b:76:a9:8b:57:fc:27:f7:60:81:48:41

Subject DN:  CN=Example Intermediate CA,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time:  Tuesday, November 12, 2019 at 03:52:42 PM CST (5 minutes, 47 seconds ago)
Validity End Time:  Monday, November 7, 2039 at 03:52:42 PM CST (7299 days, 23 hours, 54 minutes, 12 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with RSA
Public Key Algorithm:  RSA (4096-bit)
SHA-1 Fingerprint:  de:da:3d:fc:d4:1f:67:79:0a:a1:5a:cd:ca:4a:7e:a5:d3:46:88:27
SHA-256 Fingerprint:  02:3c:af:ad:b7:07:81:89:45:48:d0:09:31:a8:90:c4:17:11:1c:00:11:fd:49:b2:2c:ba:ac:dd:c4:9f:03:36

Subject DN:  CN=Example Root CA,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time:  Tuesday, November 12, 2019 at 03:52:38 PM CST (5 minutes, 51 seconds ago)
Validity End Time:  Monday, November 7, 2039 at 03:52:38 PM CST (7299 days, 23 hours, 54 minutes, 8 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with RSA
Public Key Algorithm:  RSA (4096-bit)
SHA-1 Fingerprint:  8e:03:e4:58:e6:e3:59:9a:55:77:c0:88:3c:fa:d7:29:f4:ff:de:6c
SHA-256 Fingerprint:  95:54:0d:e2:aa:48:29:c1:25:7c:20:69:c0:27:33:31:81:07:02:2e:00:24:ae:49:5e:98:bd:a3:72:a5:05:26

OK:  The certificate chain is complete.  Each subsequent certificate is
the issuer for the previous certificate in the chain, and the chain ends
with a self-signed certificate.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' has a valid
signature.

OK:  Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' has a
valid signature.

OK:  Certificate 'CN=Example Root CA,O=Example Corp,C=US' has a valid
signature.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' will expire at
Wednesday, November 11, 2020 at 03:52:44 PM CST (364 days, 23 hours, 54
minutes, 14 seconds from now), which is not in the near future.

OK:  Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
will expire at Monday, November 7, 2039 at 03:52:42 PM CST (7299 days, 23
hours, 54 minutes, 12 seconds from now), which is not in the near future.

OK:  Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' will
expire at Monday, November 7, 2039 at 03:52:38 PM CST (7299 days, 23
hours, 54 minutes, 8 seconds from now), which is not in the near future.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' at the head of
the chain includes an extended key usage extension, and that extension
includes the serverAuth usage.

OK:  Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
includes a basic constraints extension, and the certificate chain
satisfies those constraints.

OK:  Issuer certificate 'CN=Example Intermediate CA,O=Example Corp,C=US'
includes a key usage extension with the keyCertSign usage flag set to
true.

OK:  Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' includes
a basic constraints extension, and the certificate chain satisfies those
constraints.

OK:  Issuer certificate 'CN=Example Root CA,O=Example Corp,C=US' includes
a key usage extension with the keyCertSign usage flag set to true.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' uses a signature
algorithm of 'SHA-256 with RSA', which is is considered strong.

OK:  Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' uses a
signature algorithm of 'SHA-256 with RSA', which is is considered strong.

OK:  Certificate 'CN=Example Root CA,O=Example Corp,C=US' uses a signature
algorithm of 'SHA-256 with RSA', which is is considered strong.

OK:  Certificate 'CN=ds1.example.com,O=Example Corp,C=US' has a 2048-bit
RSA public key, which is considered strong.

OK:  Certificate 'CN=Example Intermediate CA,O=Example Corp,C=US' has a
4096-bit RSA public key, which is considered strong.

OK:  Certificate 'CN=Example Root CA,O=Example Corp,C=US' has a 4096-bit
RSA public key, which is considered strong.

No usability errors or warnings were identified while validating the
certificate chain.
```

If the subcommand reports any usability errors or warnings, they are the first candidates for the cause of the communication problems being investigated.
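As an added illustration (not code from PingDirectory or the `manage-certificates` tool), the following Python sketches the chain-policy checks listed above over a minimal in-memory certificate model: chain completeness, the self-signed end-entity warning, the serverAuth, keyCertSign and basic constraints extensions (including the path length constraint), digest strength and RSA key size. Signature verification, the validity-window check and the JVM trust-store lookup are left out because they need a real X.509 parser and trust store. The `Cert` class, `check_chain` and `example_chain` are hypothetical names; the sample chain only reuses the subject names from the output above.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cert:  # minimal view of one certificate; a real tool fills this from an X.509 parser
    subject: str
    issuer: str
    digest: str                      # digest of the signature algorithm, e.g. "SHA-256"
    rsa_bits: Optional[int] = None   # None for non-RSA keys
    eku: set = field(default_factory=set)        # extended key usage names
    key_usage: set = field(default_factory=set)  # key usage flag names
    ca: Optional[bool] = None        # basic constraints cA flag; None if the extension is absent
    path_len: Optional[int] = None   # basic constraints pathLenConstraint, if present

WEAK, STRONG = {"MD5", "SHA-1"}, {"SHA-256", "SHA-384", "SHA-512"}

def check_chain(chain):
    """chain is ordered end-entity first, root last; returns (level, message) findings."""
    out, ee = [], chain[0]
    for c, nxt in zip(chain, chain[1:]):          # each cert must be issued by the next one
        if c.issuer != nxt.subject:
            out.append(("ERROR", f"'{c.subject}' is not issued by '{nxt.subject}'"))
    if chain[-1].subject != chain[-1].issuer:
        out.append(("ERROR", "chain does not end with a self-signed certificate"))
    if ee.subject == ee.issuer:
        out.append(("WARNING", "end-entity certificate is self-signed"))
    if "serverAuth" not in ee.eku:
        out.append(("WARNING", f"'{ee.subject}' has no extended key usage with serverAuth"))
    for c in chain:
        if c.digest not in STRONG:
            level = "ERROR" if c.digest in WEAK else "WARNING"   # weak vs. unrecognized digest
            out.append((level, f"'{c.subject}' is signed with non-strong digest {c.digest}"))
        if c.rsa_bits is not None and c.rsa_bits < 2048:
            out.append(("ERROR", f"'{c.subject}' has a {c.rsa_bits}-bit RSA key"))
    for i, iss in enumerate(chain[1:], 1):        # i - 1 = intermediate CAs below this issuer
        if "keyCertSign" not in iss.key_usage:
            out.append(("WARNING", f"issuer '{iss.subject}' lacks keyCertSign key usage"))
        if iss.ca is not True:
            out.append(("WARNING", f"issuer '{iss.subject}' lacks a CA basic constraints extension"))
        elif iss.path_len is not None and i - 1 > iss.path_len:
            out.append(("ERROR", f"issuer '{iss.subject}' violates pathLenConstraint={iss.path_len}"))
    return out

def example_chain(root_path_len=None):  # constructed chain using the names from the sample output
    ee, ica, root = "CN=ds1.example.com", "CN=Example Intermediate CA", "CN=Example Root CA"
    ca_kw = dict(key_usage={"keyCertSign"}, ca=True)
    return [Cert(ee, ica, "SHA-256", 2048, eku={"serverAuth"}),
            Cert(ica, root, "SHA-256", 4096, **ca_kw),
            Cert(root, root, "SHA-256", 4096, path_len=root_path_len, **ca_kw)]
```

Calling `check_chain(example_chain(root_path_len=0))` reports a path length violation, because a root with pathLenConstraint 0 may not be followed by an intermediate CA, while `example_chain()` yields no findings.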
