ca-signed
---------

Description
  ca-signed verifies whether one or more certificates are signed by a given
  Certificate Authority (CA). It prints a concise status per input certificate
  along with the certificate’s expiration date when validation succeeds.

Usage
  ca-signed CA.pem cert1.pem [cert2.pem ...]

  - CA.pem: A file containing one or more CA certificates in PEM, DER, or PKCS#7/PKCS#12 formats.
  - certN.pem: A file containing the end-entity (leaf) certificate to verify. If the file contains a chain,
               the first certificate is treated as the leaf and the remaining ones are used as intermediates.

Output format
  For each input certificate file, one line is printed:
    <filename>: OK (expires YYYY-MM-DD)
    <filename>: INVALID

Special self-test mode
  ca-signed selftest

  Runs a built-in test suite using embedded certificates. This mode requires no
  external files or network access. The program exits with code 0 if all tests
  pass, or a non-zero exit code if any test fails. Example output lines include
  whether validation succeeds and the leaf’s expiration when applicable.

Examples
  # Verify a server certificate against a root CA
  ca-signed isrg-root-x1.pem le-e7.pem

  # Run the embedded self-test suite
  ca-signed selftest

Notes
  - The tool attempts to parse certificates in PEM first, then falls back to
    DER/PKCS#7/PKCS#12 (with an empty password) where applicable.
  - Expiration is shown for the leaf certificate only.
  - In selftest mode, test certificates are compiled into the binary using go:embed.