Skip to content

RootCertificate Validator

certmonitor.validators.root_certificate_validator.RootCertificateValidator

Bases: BaseCertValidator

A validator for checking if the SSL certificate is issued by a trusted root CA.

Attributes:

Name Type Description
name str

The name of the validator.

name class-attribute instance-attribute 

name: str = 'root_certificate'

validate 

validate(cert: Dict[str, Any], host: str, port: int) -> Dict[str, Any]

Validates if the SSL certificate is issued by a trusted root CA.

Parameters:

Name Type Description Default
cert dict

The SSL certificate.

 required
host str

The hostname (not used in this validator).

 required
port int

The port number (not used in this validator).

 required

Returns:

Name Type Description
dict Dict[str, Any]

A dictionary containing the validation results, including whether the certificate is valid, and any warnings or reasons for validation failure.

Examples:

Example output (success): This example shows a certificate that is signed by a trusted root CA, so validation passes and no warnings are present.

{
  "is_valid": true,
  "issuer": {
    "commonName": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
    "organizationName": "DigiCert Inc"
  },
  "warnings": []
}

Example output (failure): This example shows a certificate that is not signed by a trusted root CA, so validation fails and warnings are included.

{
  "is_valid": false,
  "issuer": {
    "commonName": "Unknown",
    "organizationName": "Unknown"
  },
  "warnings": [
    "Certificate does not provide OCSP information.",
    "Certificate does not provide caIssuers information.",
    "Certificate is self-signed.",
    "The certificate is issued by an untrusted root CA: Unknown (Unknown)"
  ]
}
Source code in certmonitor/validators/root_certificate_validator.py 
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
def validate(self, cert: Dict[str, Any], host: str, port: int) -> Dict[str, Any]:
    """
    Validates if the SSL certificate is issued by a trusted root CA.

    Args:
        cert (dict): The SSL certificate.
        host (str): The hostname (not used in this validator).
        port (int): The port number (not used in this validator).

    Returns:
        dict: A dictionary containing the validation results, including whether the certificate is valid,
              and any warnings or reasons for validation failure.

    Examples:
        Example output (success):
            This example shows a certificate that is signed by a trusted root CA, so validation passes and no warnings are present.

            {
              "is_valid": true,
              "issuer": {
                "commonName": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
                "organizationName": "DigiCert Inc"
              },
              "warnings": []
            }

        Example output (failure):
            This example shows a certificate that is not signed by a trusted root CA, so validation fails and warnings are included.

            {
              "is_valid": false,
              "issuer": {
                "commonName": "Unknown",
                "organizationName": "Unknown"
              },
              "warnings": [
                "Certificate does not provide OCSP information.",
                "Certificate does not provide caIssuers information.",
                "Certificate is self-signed.",
                "The certificate is issued by an untrusted root CA: Unknown (Unknown)"
              ]
            }
    """
    cert_info = cert.get("cert_info", {})
    issuer = cert_info.get("issuer", {})
    subject = cert_info.get("subject", {})
    common_name = issuer.get("commonName", "Unknown")
    organization_name = issuer.get("organizationName", "Unknown")

    # Check for presence of OCSP and caIssuers fields
    has_ocsp = bool(cert_info.get("OCSP"))
    has_ca_issuers = bool(cert_info.get("caIssuers"))

    # Check if issuer information is missing or empty
    has_valid_issuer = bool(
        issuer and (issuer.get("commonName") or issuer.get("organizationName"))
    )

    # Check if the certificate is self-signed
    # A certificate is self-signed if issuer == subject AND both are not empty
    # OR if both issuer and subject are empty (which is also invalid/suspicious)
    is_self_signed = (issuer == subject) and (
        issuer != {} or (issuer == {} and subject == {})
    )

    # Heuristic check: If the issuer's common name or organization name contains 'Untrusted', flag it
    is_trusted = (
        has_valid_issuer
        and (has_ocsp and has_ca_issuers)
        and not is_self_signed
        and (
            "untrusted" not in common_name.lower()
            and "untrusted" not in organization_name.lower()
        )
    )

    warnings = []
    if not has_valid_issuer:
        warnings.append("Certificate does not have valid issuer information.")
    if not has_ocsp:
        warnings.append("Certificate does not provide OCSP information.")
    if not has_ca_issuers:
        warnings.append("Certificate does not provide caIssuers information.")
    if is_self_signed:
        warnings.append("Certificate is self-signed.")
    if not is_trusted:
        warnings.append(
            f"The certificate is issued by an untrusted root CA: {organization_name} ({common_name})"
        )

    return {
        "is_valid": is_trusted,
        "issuer": issuer,
        "warnings": warnings,
    }