Federal Office for Information Security (BSI)

Certification Path Validation Test Tool

A Test Tool for the X.509 certification path validation

The Certification Path Validation Test Tool (CPT) is an open-source tool set that facilitates the testing of X.509 certificate path validation according to RFC 5280 in applications and libraries. Its main features are

  • generation of X.509 certificates and CRLs from an XML test specification using a generic engine,
  • a predefined test suite covering the important aspects of RFC 5280,
  • easy extension and adaption of the existing test cases for the specific requirements of an application context,
  • and additional tools for the execution of the test cases against TLS and IPsec implementations.


In digital communication X.509 certificates are used for authentication and verification of public keys. These certificates bind the public key to the identity of its owner within the setting of a public key infrastructure (PKI). The most common standard for digital certificates is X.509v3. The data formats for certificates and revocation lists and the algorithms for their processing are specified in RFC 5280. It describes in detail the steps for the validation of a certificate, the so-called certification path validation. Nevertheless, many bugs in the certification path validation of cryptography libraries have been reported in recent years. These bugs occurred due to incorrect interpretations of the standards or programming errors.

The CPT with its integrated test suite addresses these problems by allowing for the flexible generation of test data which can be used for verifying the structural correctness of the X.509 path validation implementations.

The CPT was contracted out by the German Federal Office for Information Security (BSI) to MTG AG as the main contractor and cryptosource GmbH as subcontractor. The tool is maintained by the two vendors.


The Certification Path Validation Test Tool (CPT) is available under the European Union Public Licence. Nonetheless, licences of all components have to be taken into account, in particular MIT Lizenz, CDDL and Apache 2.0 Lizenz. See Licence for a full overview.


CPT Basis Tool

The CPT Basis Tool creates the test data, i.e. the test certificates and revocation lists and runs a CRL server for downloading test CRLs during testing. In addition, there is a test specification, which describes the test suite delivered with the tool. The XML file format for the test case specification conforms to TR-03124

Tool Extensions

The extensions include a TLS test client and server based on Botan. Both use the test certificates produced by the CPT basis tool during a TLS handshake. These certificates are presented to the other peer and the result is being recorded. A web application for running the test in a browser which represents a TLS client is also included. For testing the certification path validation in IPsec applications a test tool extension based on strongSwan is provided. For using this extension the proper strongSwan version needs to be downloaded separately and modified with the supplied patch.

Tools for testing cryptography libraries

For testing the certification path validation in cryptography libraries two additional tools exist. The first one tests the native libraries Botan, mbedTLS, and OpenSSL. The second one tests the implementation of any Java JCA/JCE conform cryptography provider. The libraries under test need to be downloaded and installed separately for each tool.


The Certification Path Validation Test Tool and all extensions are also available on GitHub:


Test Specification and User Documentation

Report on Findings for the CPT

In the context of the development of the Certification Path Validation Test Tool selected cryptography libraries and applications that implement certification path validation were tested using the default test suite of the CPT. A survey of the results can be found in
Report on Findings for the Certification Path Validation Test Tool


For general questions on CPT


For technical questions on CTP

Dr. Vangelis Karatsiolis
Dr. Falko Strenzke
cryptosource GmbH