Carillon Pathfinder


In the world of Public Key Infrastructures (PKI), certificate trust chains can be a complex labyrinth to navigate through. Carillon's Pathfinder is a Path Validation and Discovery (PDVal) tool that employs a technique for ensuring that PKI certificates are valid for Unix based platforms. By taking a centralized approach (a single instance of Pathfinder can do PDVal for multiple, different applications), it increases performance, scalability, and above all the security of the systems, by ensuring a consistent common application of the security rules that are set for the evaluation of X.509 Certificates.

Pathfinder is designed to provide:
A mechanism for any program to perform RFC5280-compliant path validation of X.509 certificates, even when some of the intermediate certificates are not present on the local machine. Automatic download of any such certificates, fetching of revocation information using CRL or OCSP from the Internet as needed using the AIA and CRL distribution point extensions of the certificates it is processing. Powerful certificate validation that examines the certificate chain, the CRL, AIA, (HTTP and OCSP fields) and (if specified in the configuration) Certificate Policy, to make a decision on whether a certificate is valid.

Current Status:

This release handles all current cases necessary to support the CertiPath commercial PKI Bridge, as well as more simple hierarchical PKI cases. For more information and instructions on use, please see the README file in the source distribution.

Pathfinder is presently under active development, but version 1.1.7 is considered stable for production use.

Users of earlier versions are strongly recommended to upgrade to version 1.1.7, as support for OCSP has been improved and numerous improvements have been made, particularly to the way cached CRLs are handled. There are also fixes to support older Verisign CA's, and CA's that don't have AKI in their certificates.

Pathfinder-Aware Projects:

We've developed patches and utilities for several common open-source packages that use certificates.

  • Apache 2.2.8 web server, to use Pathfinder for client certificate validation.
  • FreeRADIUS 2.0.1 authentication server, to use Pathfinder for client certificate validation.
  • OpenLDAP 2.3.43 and 2.4.16 directory server, to use Pathfinfder for client certificate validation and to include a port of the Boeing ldap_proxy backend that uses Pathfinder to validate fetched certificates.
  • Stunnel 4.23 universal SSL wrapper, to use Pathfinder for validation of the remote party's certificate.
  • NEW: xmlsec 1.2.12 XML Security Library, to use Pathfinder for validation of certificates when verifying a digitally signed XML structure.


The version of Pathfinder distributed from this web page is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

The free software version of Pathfinder is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Pathfinder is also licensed under a commercial license. This version includes further functionality, such as SCVP support, scalability enhancements, additional platform support and full support for Name Constraints processing. Please Contact Us for pricing and more information.

Pathfinder is Copyright © 2007-2012 Carillon Information Security Inc. Please report any issues or comments to the Pathfinder mailing list.

This product uses cryptographic software written by Eric Young (


Source: From Google Code

Instructions: Care and Feeding of Pathfinder (PDF), including step-by-step instructions for the installation, setup, configuration, and use of Pathfinder.