41 lines
1.6 KiB
Plaintext
41 lines
1.6 KiB
Plaintext
ca-signed: verify certificates against a CA
|
||
-------------------------------------------
|
||
|
||
Description
|
||
ca-signed verifies whether one or more certificates are signed by a given
|
||
Certificate Authority (CA). It prints a concise status per input certificate
|
||
along with the certificate’s expiration date when validation succeeds.
|
||
|
||
Usage
|
||
ca-signed CA.pem cert1.pem [cert2.pem ...]
|
||
|
||
- CA.pem: A file containing one or more CA certificates in PEM, DER, or PKCS#7/PKCS#12 formats.
|
||
- certN.pem: A file containing the end-entity (leaf) certificate to verify. If the file contains a chain,
|
||
the first certificate is treated as the leaf and the remaining ones are used as intermediates.
|
||
|
||
Output format
|
||
For each input certificate file, one line is printed:
|
||
<filename>: OK (expires YYYY-MM-DD)
|
||
<filename>: INVALID
|
||
|
||
Special self-test mode
|
||
ca-signed selftest
|
||
|
||
Runs a built-in test suite using embedded certificates. This mode requires no
|
||
external files or network access. The program exits with code 0 if all tests
|
||
pass, or a non-zero exit code if any test fails. Example output lines include
|
||
whether validation succeeds and the leaf’s expiration when applicable.
|
||
|
||
Examples
|
||
# Verify a server certificate against a root CA
|
||
ca-signed isrg-root-x1.pem le-e7.pem
|
||
|
||
# Run the embedded self-test suite
|
||
ca-signed selftest
|
||
|
||
Notes
|
||
- The tool attempts to parse certificates in PEM first, then falls back to
|
||
DER/PKCS#7/PKCS#12 (with an empty password) where applicable.
|
||
- Expiration is shown for the leaf certificate only.
|
||
- In selftest mode, test certificates are compiled into the binary using go:embed.
|