cmd: add ca-signed tool.

Verify certificates are signed by a CA.

cmd/ca-signed/README.txt

@@ -0,0 +1,40 @@
+ca-signed
+---------
+
+Description
+  ca-signed verifies whether one or more certificates are signed by a given
+  Certificate Authority (CA). It prints a concise status per input certificate
+  along with the certificate’s expiration date when validation succeeds.
+
+Usage
+  ca-signed CA.pem cert1.pem [cert2.pem ...]
+
+  - CA.pem: A file containing one or more CA certificates in PEM, DER, or PKCS#7/PKCS#12 formats.
+  - certN.pem: A file containing the end-entity (leaf) certificate to verify. If the file contains a chain,
+               the first certificate is treated as the leaf and the remaining ones are used as intermediates.
+
+Output format
+  For each input certificate file, one line is printed:
+    <filename>: OK (expires YYYY-MM-DD)
+    <filename>: INVALID
+
+Special self-test mode
+  ca-signed selftest
+
+  Runs a built-in test suite using embedded certificates. This mode requires no
+  external files or network access. The program exits with code 0 if all tests
+  pass, or a non-zero exit code if any test fails. Example output lines include
+  whether validation succeeds and the leaf’s expiration when applicable.
+
+Examples
+  # Verify a server certificate against a root CA
+  ca-signed isrg-root-x1.pem le-e7.pem
+
+  # Run the embedded self-test suite
+  ca-signed selftest
+
+Notes
+  - The tool attempts to parse certificates in PEM first, then falls back to
+    DER/PKCS#7/PKCS#12 (with an empty password) where applicable.
+  - Expiration is shown for the leaf certificate only.
+  - In selftest mode, test certificates are compiled into the binary using go:embed.