Add certverify utility.

cmd/certverify/README

@@ -0,0 +1,36 @@
+certverify
+
+This is a small utility to verify a TLS X.509 certificate. It returns
+0 on success; on error, it prints the error and returns with exit code 1.
+It does not check for revocations (though this is a planned feature),
+and it does not check the hostname (it deals only in certificate files).
+
+[ Usage ]
+	certverify [-ca bundle] [-f] [-i bundle] [-v] certificate
+
+[ Flags ]
+	-ca bundle	Specify the path to the CA certificate bundle
+			to use.
+	-f		Force the use of the intermediate bundle, ignoring
+			any intermediates bundled with the certificate.
+	-i bundle	Specify the path to the intermediate certificate
+			bundle to use.
+	-v		Print extra information during the program's run.
+			If the certificate validates, also prints 'OK'.
+
+[ Examples ]
+
+To verify the 'www.pem' certificate against the system roots:
+
+	$ certverify www.pem
+	$ echo $?
+	0
+
+To verify the 'www.pem' certificate against the 'ca-cert.pem' CA
+certificate bundle, and seeing a mismatch:
+
+	$ certverify -ca ca-cert.pem www.pem
+	Verification failed: x509: certificate signed by unknown authority
+	$ echo $?
+	1
+