certverify

This is a small utility to verify a TLS X.509 certificate. It returns
0 on success; on error, it prints the error and returns with exit code 1.
It does not check for revocations (though this is a planned feature),
and it does not check the hostname (it deals only in certificate files).

[ Usage ]
        certverify [-ca bundle] [-f] [-i bundle] [-r] [-v] certificate

[ Flags ]
        -ca bundle      Specify the path to the CA certificate bundle
                        to use.
        -f              Force the use of the intermediate bundle, ignoring
                        any intermediates bundled with the certificate.
        -i bundle       Specify the path to the intermediate certificate
                        bundle to use.
        -r              Print revocation and expiry information.
        -v              Print extra information during the program's run.
                        If the certificate validates, also prints 'OK'.

[ Examples ]

To verify the 'www.pem' certificate against the system roots:

        $ certverify www.pem
        $ echo $?
        0

To verify the 'www.pem' certificate against the 'ca-cert.pem' CA
certificate bundle, and see a mismatch:

        $ certverify -ca ca-cert.pem www.pem
        Verification failed: x509: certificate signed by unknown authority
        $ echo $?
        1

Using the stealchain (../stealchain) util, print revocation and expiry
information for google.com:

        $ stealchain google.com
        [+] wrote google.com.pem.
        $ certverify -r google.com.pem
        certificate expires in 53d.