Certificate Profile Conformance Tool

What is the Certificate Profile Conformance Tool (CPCT)?

CPCT instantly analyzes certificates for conformance to a specific profile document and certificate profile. Results show pass or fail status for the certificate content and a brief explanation for failures. You can also download the test report as an .xls or .pdf.

Who Needs CPCT?

If you need to analyze Federal PKI certificates for conformance to certificate profiles, then CPCT can help you. The following organizations will find CPCT especially useful:

  • Agencies and organizations that submit FPKI Annual Review Packages
    Test your certificates and take corrective actions before submitting certificate samples.
  • Certificate Issuers
    Use CPCT to analyze certificates as part of a Quality Assurance process.

How Does This Work?

In-depth experience with Federal PKI certificates and certificate profiles is recommended.

The key steps are:

  • You select the Profile Document, Document Version, and Certificate Profile related to a certificate and then upload the certificate.
  • You receive the certificate's test results.
  • You can choose to download a test report in Microsoft Excel or Adobe PDF formats.

Usage Details

1. Certificate Profile Selection

Specify the certificate profile you want to test using the drop-list selections.
  • Profile Document - Select the relevant FPKI Profile Document
    • Common Policy SSP Program1
    • Federal PKI/Federal Bridge2
    • PIV Interoperable (PIV-I).3
  • Document Version - The most recent version available is automatically selected when you select the Profile Document.
  • Certificate Profile - Select the type of certificate you will test. For example, PIV Authentication.

2. Upload a Certificate

  1. Upload a certificate (.crt, .pem, .cer, or .der) using either of these options:
  • Drag-and-drop your certificate to anywhere on the CPCT main screen. The Test Results display for the uploaded certificate.
  • Click the Upload Certificate button and browse to the certificate. Click it, and then click Open. The Test Results display for the uploaded certificate.

3. Review Certificate Test Results

The status banner will be green (certificate conforms) or red (doesn't conform) and will give a test summary:

  • Tested [n] fields: No Problems detected
  • Tested [n] fields: [m] problems detected

The Test Results columns provide the following:

  • Field - Types of fields and extensions in the certificate.
  • Content - Field and extension content.
  • Analysis - Displays a checkmark for "PASS" or state "FAIL" (with explanation) for each field and extension.

4. Download a Test Report

  • To download a Test Report, click the XLS or PDF button below the status banner.


Certificate Failures

  • Please check to ensure that the right Profile Document, Document Version, and Certificate Profile have been selected.
  • If you have questions about why a certificate failed, or you believe the analysis could be an error please contact us.

Application Error Messages

  • You can't upload files of this type. The permitted file extensions are: .crt, .cer, .pem, and .der.

What If I Can't Resolve an Issue?

  • GitHub - Create an issue in the CPCT Repository and attach the certificate. (You will need a GitHub account to do this: Join GitHub.)
  • Email us - fpki@gsa.gov and attach your certificate. (Please rename your certificate with .txt file extension.)

Feature Request

  • If you would like to suggest a new CPCT feature, create a GitHub issue in the CPCT Repository.
1. X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Providers (SSP) Program Policy.
2. Federal Public Key Infrastructure (PKI) X.509 Certificate and CRL Extensions Profile.
3. X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards.