Draft:Pkimetal

Submission declined on 14 May 2025 by KylieTastic (talk). This submission is not adequately supported by reliable sources. Reliable sources are required so that information can be verified. If you need help with referencing, please see Referencing for beginners and Citing sources. This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are: in-depth (not just passing mentions about the subject) reliable secondary independent of the subject Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by KylieTastic 2 months ago. Last edited by KylieTastic 2 months ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

pkimetal (short for PKI Meta-Linter) is an open-source software project developed by Sectigo to streamline pre-issuance and post-issuance linting of public key infrastructure (PKI) artifacts. It serves as an orchestration layer that integrates multiple third-party linters via a unified REST API interface, allowing Certificate Authorities (CAs) to comply with the CA/Browser Forum's technical requirements and improve certificate issuance hygiene.

Linters are software tools that inspect digital certificates and related PKI artifacts (e.g., CRLs, OCSP responses) to ensure conformance with industry standards like RFC 5280, CA/Browser Forum Baseline Requirements, and root program policies. However, most existing linters are implemented in different programming languages and offer inconsistent interfaces, which complicates their integration into CA workflows.

pkimetal addresses this issue by acting as a "meta-linter"—it interfaces with various independently developed linters and unifies their outputs, reducing the effort required to deploy and manage linting tools.

• Supports multiple input types: Certificates, Precertificates, CRLs, and OCSP responses
• Handles both signed and to-be-signed artifacts for pre-issuance and post-issuance use
• Auto-detects input profiles and selects appropriate lints
• Integrates with multiple open-source linters (e.g., ZLint, certlint, x509lint, pkilint)
• Supports special-purpose linters for detecting weak keys, encoding issues, and compromised keys (e.g., dwklint, badkeys, pwnedkeys)
• Optimized for performance and scalability; up to 20× faster than single-call linting pipelines
• Fully containerized via Docker, with public instances available for testing

The project was created by Rob Stradling, Distinguished Engineer at Sectigo and also the creator of crt.sh. It is currently maintained by Stradling and Martijn Katerbarg. pkimetal is released under the GNU General Public License (GPL-3.0) and is open to contributions from the wider PKI community.

A formal announcement of pkimetal was made by Sectigo in September 2024.^[1]

Sectigo maintains two public instances:

• Stable – Recommended for evaluation purposes
• Development – Tracks the latest commits from the main branch

Use in production environments is discouraged due to CA/Browser Forum constraints around relying on third-party hosted infrastructure for certificate validation.

Known integrations and users include:

• Sectigo (for internal pre-issuance linting)
• crt.sh (on-demand certificate linting)
• EJBCA (as a post-processing validator)
• Let's Encrypt (used in CI pipelines)

• Public key infrastructure
• Certificate Authority
• CA/Browser Forum
• crt.sh

• Official pkimetal service
• pkimetal on GitHub
• Sectigo official website
• Root Causes Podcast Episode 417