Automation plays a major role in keeping certificate authorities (CAs) compliant, especially as standards tighten and certificate volumes rise. Certificate linting has become one of the most effective tools for catching issues before they lead to incident reports or revocations.
With the constantly evolving CA/Browser Forum requirements now in effect for TLS certificates and S/MIME certificates, regulators, relying parties, and the broader CA community are paying closer attention to how linting is implemented in real-world environments. As of September, pre-issuance linting is mandatory for both certificate types.
Certificate linting is the automated process of checking PKI artifacts—such as precertificates (RFC 6962), tbsCertificates (RFC 5280), full certificates, CRLs, or OCSP responses—against technical standards like the CA/BF Baseline Requirements or relevant IETF RFCs.
A few key open-source projects support this process:
pkilint: A DigiCert-sponsored linter focused on CA/BF and RFC compliance for public trust certificates
zLint: A widely used linter for web PKI with contributions from multiple CAs
pkimetal: A meta-linter that runs multiple frameworks in a single pipeline
Linting helps uncover compliance issues hidden in certificate profiles—things that might go unnoticed even with experienced eyes on them. That’s why linting is often featured in CA incident reports, especially those published through Bugzilla.
As of March 2025, pre-issuance linting is mandatory for all publicly trusted TLS certificates, and the same requirement will apply to S/MIME certificates starting in September. These deadlines have pushed linting from a best practice to a baseline expectation.
To support strong compliance outcomes, certificate authorities should keep these best practices in mind.
Linting sits at the intersection of engineering and compliance. It’s essential to designate a decision-maker who oversees the CA’s linting implementation, tracks any changes made to it, and reviews reports generated by the process.
A unified linting pipeline—rather than fragmented, per-CA configurations—ensures better coverage and consistency. Given the rapid evolution of PKI standards, legacy systems nearing deprecation require particular attention to avoid gaps in linting.
Periodically verify that your linting setup is working as intended—especially as new CAs and certificate profiles are added, or when the linting tools themselves evolve to reflect new standards.
Since different linters may interpret tests in subtly different ways, using multiple frameworks can improve coverage. Some CAs, including DigiCert, also develop and deploy custom lints for specialized environments like government or community PKIs.
CAs should document which linters are applied to which certificate types, along with clearly defined response protocols. For example, a pre-issuance lint error should halt the issuance process and trigger an alert to a designated supervisor for investigation. Lint warnings should not be ignored—since they can signal emerging issues, warnings require regular review.
Effective linting systems provide detailed reports, including full certificate information and verbose output from the linter, to support quick and thorough analysis.
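One way to wire the response protocol and reporting described above into a pre-issuance gate, as an added example (not code from pkilint, zLint or pkimetal). The linter-to-certificate-type map, the severity names and the result tuples are assumptions, and the sample findings are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed policy (constructed): linters that must report for each certificate type.
REQUIRED_LINTERS = {"tls": {"pkilint", "zlint"}, "smime": {"pkilint"}}
BLOCKING = {"error", "fatal"}  # halt issuance and alert the supervisor
REVIEW = {"warn", "warning"}   # issue, but queue for regular review

# Constructed sample findings: (lint_id, severity, verbose detail); IDs are placeholders.
SAMPLE = {
    "pkilint": [("placeholder.warning_lint", "WARNING", "constructed warning")],
    "zlint": [("placeholder_error_lint", "error", "constructed error")],
}


@dataclass
class Decision:
    issue: bool
    alert: bool
    fingerprint: str  # SHA-256 of the to-be-signed bytes, for the report
    blocking: list = field(default_factory=list)
    review: list = field(default_factory=list)


def gate(cert_type, tbs_der, results):
    """Decide whether issuance may proceed.

    `results` maps linter name -> list of (lint_id, severity, detail).
    A required linter with no entry in `results` blocks issuance, so a
    crashed or misconfigured linter cannot pass silently (fail closed).
    """
    fp = hashlib.sha256(tbs_der).hexdigest()
    required = REQUIRED_LINTERS.get(cert_type)
    if required is None:  # undocumented certificate type: never issue
        return Decision(False, True, fp, [("gate", "no_policy", cert_type)])
    blocking, review = [], []
    for name in sorted(required - set(results)):
        blocking.append((name, "linter_did_not_run", "no result returned"))
    for name, findings in sorted(results.items()):
        for lint_id, severity, detail in findings:
            sev = severity.lower()
            if sev in BLOCKING:
                blocking.append((name, lint_id, detail))
            elif sev in REVIEW:
                review.append((name, lint_id, detail))
    halted = bool(blocking)
    return Decision(issue=not halted, alert=halted, fingerprint=fp,
                    blocking=blocking, review=review)
```

The returned `Decision` keeps the linter name, lint ID and verbose detail for every finding next to the fingerprint of the bytes that were linted, which is the material a reviewer needs when an alert fires.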
Since linting tools are frequently updated alongside changing standards, CAs need a formal process for monitoring and installing updates promptly. Failure to do so can leave a window of vulnerability where noncompliant certificates might be issued.
The CA/BF recommends that CAs also perform post-issuance linting as a form of internal audit. Even the best systems can miss something, and this layer of oversight provides an important backstop.
Linting is becoming an indispensable compliance mechanism for certificate authorities, with new use cases emerging as standards evolve and enforcement tightens. As tools mature, we can expect AI to play a growing role in identifying patterns and streamlining rule development.
DigiCert encourages CAs to engage with open-source linting projects by testing, providing feedback, or contributing code. Community participation helps ensure that linters stay aligned with real-world needs.
For ballot authors in the CA/Browser Forum, it's also helpful to flag whether proposed requirements are lintable, and to share sample lint implementations when possible.
Interested in contributing or exploring how linting fits into your compliance strategy? Check out and join the conversation.