goutils/cmd/certverify/README

46 lines
1.6 KiB
Plaintext
Raw Normal View History

2016-01-15 01:29:55 +00:00
certverify
This is a small utility to verify a TLS X.509 certificate. It returns
0 on success; on error, it prints the error and returns with exit code 1.
It does not check for revocations (though this is a planned feature),
and it does not check the hostname (it deals only in certificate files).
[ Usage ]
certverify [-ca bundle] [-f] [-i bundle] [-r] [-v] certificate
2016-01-15 01:29:55 +00:00
[ Flags ]
-ca bundle Specify the path to the CA certificate bundle
to use.
-f Force the use of the intermediate bundle, ignoring
any intermediates bundled with the certificate.
-i bundle Specify the path to the intermediate certificate
bundle to use.
-r Print revocation and expiry information.
-v Print extra information during the program's run.
If the certificate validates, also prints 'OK'.
2016-01-15 01:29:55 +00:00
[ Examples ]
To verify the 'www.pem' certificate against the system roots:
$ certverify www.pem
$ echo $?
0
2016-01-15 01:29:55 +00:00
To verify the 'www.pem' certificate against the 'ca-cert.pem' CA
certificate bundle, and seeing a mismatch:
$ certverify -ca ca-cert.pem www.pem
Verification failed: x509: certificate signed by unknown authority
$ echo $?
1
Using the stealchain (../stealchain) util, print revocation and expiry
information for google.com:
$ stealchain google.com
[+] wrote google.com.pem.
$ certverify -r google.com.pem
certificate expires in 53d.
2016-01-15 01:29:55 +00:00