This repository provides some command line tools and libraries that are intended
to replace some of the common certificate-viewing commands from openssl, such as openssl s_client and openssl x509.
These tools are not intended to perform security functions, such as providing cryptographic primitives or APIs for use in TLS servers.
You can install all of the tools using:
go get github.com/brcrwilliams/tlstools/cmd/...
readpem is a tool to retrieve all of the peer certificate PEMs from a remote address.
It takes the address in the form of host:port as a single positional argument.
If no port is given, it will default to port 443.
It will output the certificates to stdout, and can be piped as needed.
Ex: readpem example.com:443 > chain.pem
Use x509meta if you want to see the x509 metadata.
Ex: x509meta --pem chain.pem
readpem will perform certificate verification when reading certificates using the golang standard library ((*x509.Certificate).Verify()).
If certificate verification fails, it will emit a warning, but continue operating as normal.
It does not check certificate revocation.
$ readpem github.com
-----BEGIN CERTIFICATE-----
MIIG1TCCBb2gAwIBAgIQBVfICygmg6F7ChFEkylreTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0yMDA1MDUwMDAwMDBaFw0yMjA1MTAxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdp
dGh1Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7MrTQ2J6a
nox5KUwrqO9cQ9STO5R4/zBUxxvI5S8bmc0QjWfIVAwHWuT0Bn/H1oS0LM0tTkQm
ARrqN77v9McVB8MWTGsmGQnS/1kQRFuKiYGUHf7iX5pfijbYsOkfb4AiVKysKUNV
UtgVvpJoe5RWURjQp9XDWkeo2DzGHXLcBDadrM8VLC6H1/D9SXdVruxKqduLKR41
Z/6dlSDdeY1gCnhz3Ch1pYbfMfsTCTamw+AtRtwlK3b2rfTHffhowjuzM15UKt+b
rr/cEBlAjQTva8rutYU9K9ONgl+pG2u7Bv516DwmNy8xz9wOjTeOpeh0M9N/ewq8
cgbR87LFaxi1AgMBAAGjggNzMIIDbzAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVk
YqISuFlyOzAdBgNVHQ4EFgQUYwLSXQJf943VWhKedhE2loYsikgwJQYDVR0RBB4w
HIIKZ2l0aHViLmNvbYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5o
dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYuY3JsMDSg
MqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYu
Y3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBz
Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3
MHUwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEF
BQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhp
Z2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAXwGCisGAQQB
1nkCBAIEggFsBIIBaAFmAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVd
x4QAAAFx5ltprwAABAMARjBEAiAuWGCWxN/M0Ms3KOsqFjDMHT8Aq0SlHfQ68KDg
rVU6AAIgDA+2EB0D5W5r0i4Nhljx6ABlIByzrEdfcxiOD/o6//EAdQAiRUUHWVUk
VpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAXHmW2nTAAAEAwBGMEQCIBp+XQKa
UDiPHwjBxdv5qvgyALKaysKqMF60gqem8iPRAiAk9Dp5+VBUXfSHqyW+tVShUigh
ndopccf8Gs21KJ4jXgB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXl
AAABceZbahsAAAQDAEcwRQIgd/5HcxT4wfNV8zavwxjYkw2TYBAuRCcqp1SjWKFn
4EoCIQDHSTHxnbpxWFbP6v5Y6nGFZCDjaHgd9HrzUv2J/DaacDANBgkqhkiG9w0B
AQsFAAOCAQEAhjKPnBW4r+jR3gg6RA5xICTW/A5YMcyqtK0c1QzFr8S7/l+skGpC
yCHrJfFrLDeyKqgabvLRT6YvvM862MGfMMDsk+sKWtzLbDIcYG7sbviGpU+gtG1q
B0ohWNApfWWKyNpquqvwdSEzAEBvhcUT5idzbK7q45bQU9vBIWgQz+PYULAU7KmY
z7jOYV09o22TNMQT+hFmo92+EBlwSeIETYEsHy5ZxixTRTvu9hP00CyEbiht5OTK
5EiJG6vsIh/uEtRsdenMCxV06W2f20Af4iSFo0uk6c1ryHefh08FcwA4pSNUaPyi
Pb8YGQ6o/blejFzo/OSiUnDueafSJ0p6SQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
x509meta is a reimplementation of openssl x509, with several improvements:
- JSON output
- The
--remoteflag can be used to retrieve certificate metadata directly from a remote server - Can read multiple PEMs at a time
- Greatly simplified usage (5 options compared to
openssl x509's 53 options)
It operates in three modes:
--remote host:port- Reads certificates from a remote server. By default, it will only output the server certificate. Any additonal peer certificates can also be shown by passing the--chainflag.--pem file- Reads one or more certificate PEMs from a file and outputs the x509 metadata.--der file- Reads a DER encoded certificate from a file and outputs the x509 metadata.
--pem and --der can also read from stdin by givin them - as a value.
Ex:
echo '<pem>' | x509meta --pem -
x509meta will perform certificate verification when operating in --remote mode using the golang standard library ((*x509.Certificate).Verify()).
If certificate verification fails, it will emit a warning, but continue operating as normal.
It does not check certificate revocation.
$ x509meta --remote github.com
{
"Version": 3,
"SerialNumber": "05:57:c8:0b:28:26:83:a1:7b:0a:11:44:93:29:6b:79",
"Issuer": "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Subject": "CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US",
"Validity": {
"NotAfter": "May 10 12:00:00 2022 UTC",
"NotBefore": "May 5 00:00:00 2020 UTC"
},
"SubjectPublicKeyInfo": {
"PublicKeyAlgorithm": "RSA",
"Parameters": {
"KeySize": 2048,
"Modulus": "bb:32:b4:d0:d8:9e:9a:9e:8c:79:29:4c:2b:a8:ef:5c:43:d4:93:3b:94:78:ff:30:54:c7:1b:c8:e5:2f:1b:99:cd:10:8d:67:c8:54:0c:07:5a:e4:f4:06:7f:c7:d6:84:b4:2c:cd:2d:4e:44:26:01:1a:ea:37:be:ef:f4:c7:15:07:c3:16:4c:6b:26:19:09:d2:ff:59:10:44:5b:8a:89:81:94:1d:fe:e2:5f:9a:5f:8a:36:d8:b0:e9:1f:6f:80:22:54:ac:ac:29:43:55:52:d8:15:be:92:68:7b:94:56:51:18:d0:a7:d5:c3:5a:47:a8:d8:3c:c6:1d:72:dc:04:36:9d:ac:cf:15:2c:2e:87:d7:f0:fd:49:77:55:ae:ec:4a:a9:db:8b:29:1e:35:67:fe:9d:95:20:dd:79:8d:60:0a:78:73:dc:28:75:a5:86:df:31:fb:13:09:36:a6:c3:e0:2d:46:dc:25:2b:76:f6:ad:f4:c7:7d:f8:68:c2:3b:b3:33:5e:54:2a:df:9b:ae:bf:dc:10:19:40:8d:04:ef:6b:ca:ee:b5:85:3d:2b:d3:8d:82:5f:a9:1b:6b:bb:06:fe:75:e8:3c:26:37:2f:31:cf:dc:0e:8d:37:8e:a5:e8:74:33:d3:7f:7b:0a:bc:72:06:d1:f3:b2:c5:6b:18:b5",
"Exponent": 65537
}
},
"X509v3Extensions": {
"KeyUsage": [
"Digital Signature",
"Key Encipherment"
],
"ExtendedKeyUsage": [
"Server Auth",
"Client Auth"
],
"BasicConstraints": {
"CA": false,
"MaxPathLength": -1
},
"SubjectKeyIdentifier": "63:02:d2:5d:02:5f:f7:8d:d5:5a:12:9e:76:11:36:96:86:2c:8a:48",
"AuthorityKeyIdentifier": "51:68:ff:90:af:02:07:75:3c:cc:d9:65:64:62:a2:12:b8:59:72:3b",
"AuthorityInformation": {
"OCSP": [
"http://ocsp.digicert.com"
],
"CAIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt"
]
},
"SubjectAlternativeNames": [
"DNS:github.com",
"DNS:www.github.com"
],
"CertificatePolicies": [
"2.16.840.1.114412.1.1",
"2.23.140.1.2.2"
],
"CRLDistributionPoints": [
"http://crl3.digicert.com/sha2-ha-server-g6.crl",
"http://crl4.digicert.com/sha2-ha-server-g6.crl"
]
},
"SignatureAlgorithm": "SHA256-RSA",
"Signature": "86:32:8f:9c:15:b8:af:e8:d1:de:08:3a:44:0e:71:20:24:d6:fc:0e:58:31:cc:aa:b4:ad:1c:d5:0c:c5:af:c4:bb:fe:5f:ac:90:6a:42:c8:21:eb:25:f1:6b:2c:37:b2:2a:a8:1a:6e:f2:d1:4f:a6:2f:bc:cf:3a:d8:c1:9f:30:c0:ec:93:eb:0a:5a:dc:cb:6c:32:1c:60:6e:ec:6e:f8:86:a5:4f:a0:b4:6d:6a:07:4a:21:58:d0:29:7d:65:8a:c8:da:6a:ba:ab:f0:75:21:33:00:40:6f:85:c5:13:e6:27:73:6c:ae:ea:e3:96:d0:53:db:c1:21:68:10:cf:e3:d8:50:b0:14:ec:a9:98:cf:b8:ce:61:5d:3d:a3:6d:93:34:c4:13:fa:11:66:a3:dd:be:10:19:70:49:e2:04:4d:81:2c:1f:2e:59:c6:2c:53:45:3b:ee:f6:13:f4:d0:2c:84:6e:28:6d:e4:e4:ca:e4:48:89:1b:ab:ec:22:1f:ee:12:d4:6c:75:e9:cc:0b:15:74:e9:6d:9f:db:40:1f:e2:24:85:a3:4b:a4:e9:cd:6b:c8:77:9f:87:4f:05:73:00:38:a5:23:54:68:fc:a2:3d:bf:18:19:0e:a8:fd:b9:5e:8c:5c:e8:fc:e4:a2:52:70:ee:79:a7:d2:27:4a:7a:49"
}
$ readpem github.com > chain.pem
$ x509meta --pem chain.pem
[
{
"Version": 3,
"SerialNumber": "05:57:c8:0b:28:26:83:a1:7b:0a:11:44:93:29:6b:79",
"Issuer": "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Subject": "CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US",
"Validity": {
"NotAfter": "May 10 12:00:00 2022 UTC",
"NotBefore": "May 5 00:00:00 2020 UTC"
},
"SubjectPublicKeyInfo": {
"PublicKeyAlgorithm": "RSA",
"Parameters": {
"KeySize": 2048,
"Modulus": "bb:32:b4:d0:d8:9e:9a:9e:8c:79:29:4c:2b:a8:ef:5c:43:d4:93:3b:94:78:ff:30:54:c7:1b:c8:e5:2f:1b:99:cd:10:8d:67:c8:54:0c:07:5a:e4:f4:06:7f:c7:d6:84:b4:2c:cd:2d:4e:44:26:01:1a:ea:37:be:ef:f4:c7:15:07:c3:16:4c:6b:26:19:09:d2:ff:59:10:44:5b:8a:89:81:94:1d:fe:e2:5f:9a:5f:8a:36:d8:b0:e9:1f:6f:80:22:54:ac:ac:29:43:55:52:d8:15:be:92:68:7b:94:56:51:18:d0:a7:d5:c3:5a:47:a8:d8:3c:c6:1d:72:dc:04:36:9d:ac:cf:15:2c:2e:87:d7:f0:fd:49:77:55:ae:ec:4a:a9:db:8b:29:1e:35:67:fe:9d:95:20:dd:79:8d:60:0a:78:73:dc:28:75:a5:86:df:31:fb:13:09:36:a6:c3:e0:2d:46:dc:25:2b:76:f6:ad:f4:c7:7d:f8:68:c2:3b:b3:33:5e:54:2a:df:9b:ae:bf:dc:10:19:40:8d:04:ef:6b:ca:ee:b5:85:3d:2b:d3:8d:82:5f:a9:1b:6b:bb:06:fe:75:e8:3c:26:37:2f:31:cf:dc:0e:8d:37:8e:a5:e8:74:33:d3:7f:7b:0a:bc:72:06:d1:f3:b2:c5:6b:18:b5",
"Exponent": 65537
}
},
"X509v3Extensions": {
"KeyUsage": [
"Digital Signature",
"Key Encipherment"
],
"ExtendedKeyUsage": [
"Server Auth",
"Client Auth"
],
"BasicConstraints": {
"CA": false,
"MaxPathLength": -1
},
"SubjectKeyIdentifier": "63:02:d2:5d:02:5f:f7:8d:d5:5a:12:9e:76:11:36:96:86:2c:8a:48",
"AuthorityKeyIdentifier": "51:68:ff:90:af:02:07:75:3c:cc:d9:65:64:62:a2:12:b8:59:72:3b",
"AuthorityInformation": {
"OCSP": [
"http://ocsp.digicert.com"
],
"CAIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt"
]
},
"SubjectAlternativeNames": [
"DNS:github.com",
"DNS:www.github.com"
],
"CertificatePolicies": [
"2.16.840.1.114412.1.1",
"2.23.140.1.2.2"
],
"CRLDistributionPoints": [
"http://crl3.digicert.com/sha2-ha-server-g6.crl",
"http://crl4.digicert.com/sha2-ha-server-g6.crl"
]
},
"SignatureAlgorithm": "SHA256-RSA",
"Signature": "86:32:8f:9c:15:b8:af:e8:d1:de:08:3a:44:0e:71:20:24:d6:fc:0e:58:31:cc:aa:b4:ad:1c:d5:0c:c5:af:c4:bb:fe:5f:ac:90:6a:42:c8:21:eb:25:f1:6b:2c:37:b2:2a:a8:1a:6e:f2:d1:4f:a6:2f:bc:cf:3a:d8:c1:9f:30:c0:ec:93:eb:0a:5a:dc:cb:6c:32:1c:60:6e:ec:6e:f8:86:a5:4f:a0:b4:6d:6a:07:4a:21:58:d0:29:7d:65:8a:c8:da:6a:ba:ab:f0:75:21:33:00:40:6f:85:c5:13:e6:27:73:6c:ae:ea:e3:96:d0:53:db:c1:21:68:10:cf:e3:d8:50:b0:14:ec:a9:98:cf:b8:ce:61:5d:3d:a3:6d:93:34:c4:13:fa:11:66:a3:dd:be:10:19:70:49:e2:04:4d:81:2c:1f:2e:59:c6:2c:53:45:3b:ee:f6:13:f4:d0:2c:84:6e:28:6d:e4:e4:ca:e4:48:89:1b:ab:ec:22:1f:ee:12:d4:6c:75:e9:cc:0b:15:74:e9:6d:9f:db:40:1f:e2:24:85:a3:4b:a4:e9:cd:6b:c8:77:9f:87:4f:05:73:00:38:a5:23:54:68:fc:a2:3d:bf:18:19:0e:a8:fd:b9:5e:8c:5c:e8:fc:e4:a2:52:70:ee:79:a7:d2:27:4a:7a:49"
},
{
"Version": 3,
"SerialNumber": "04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f",
"Issuer": "CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Subject": "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Validity": {
"NotAfter": "Oct 22 12:00:00 2028 UTC",
"NotBefore": "Oct 22 12:00:00 2013 UTC"
},
"SubjectPublicKeyInfo": {
"PublicKeyAlgorithm": "RSA",
"Parameters": {
"KeySize": 2048,
"Modulus": "b6:e0:2f:c2:24:06:c8:6d:04:5f:d7:ef:0a:64:06:b2:7d:22:26:65:16:ae:42:40:9b:ce:dc:9f:9f:76:07:3e:c3:30:55:87:19:b9:4f:94:0e:5a:94:1f:55:56:b4:c2:02:2a:af:d0:98:ee:0b:40:d7:c4:d0:3b:72:c8:14:9e:ef:90:b1:11:a9:ae:d2:c8:b8:43:3a:d9:0b:0b:d5:d5:95:f5:40:af:c8:1d:ed:4d:9c:5f:57:b7:86:50:68:99:f5:8a:da:d2:c7:05:1f:a8:97:c9:dc:a4:b1:82:84:2d:c6:ad:a5:9c:c7:19:82:a6:85:0f:5e:44:58:2a:37:8f:fd:35:f1:0b:08:27:32:5a:f5:bb:8b:9e:a4:bd:51:d0:27:e2:dd:3b:42:33:a3:05:28:c4:bb:28:cc:9a:ac:2b:23:0d:78:c6:7b:e6:5e:71:b7:4a:3e:08:fb:81:b7:16:16:a1:9d:23:12:4d:e5:d7:92:08:ac:75:a4:9c:ba:cd:17:b2:1e:44:35:65:7f:53:25:39:d1:1c:0a:9a:63:1b:19:92:74:68:0a:37:c2:c2:52:48:cb:39:5a:a2:b6:e1:5d:c1:dd:a0:20:b8:21:a2:93:26:6f:14:4a:21:41:c7:ed:6d:9b:f2:48:2f:f3:03:f5:a2:68:92:53:2f:5e:e3",
"Exponent": 65537
}
},
"X509v3Extensions": {
"KeyUsage": [
"CRL Sign",
"Cert Sign",
"Digital Signature"
],
"ExtendedKeyUsage": [
"Server Auth",
"Client Auth"
],
"BasicConstraints": {
"CA": true,
"MaxPathLength": 0
},
"SubjectKeyIdentifier": "51:68:ff:90:af:02:07:75:3c:cc:d9:65:64:62:a2:12:b8:59:72:3b",
"AuthorityKeyIdentifier": "b1:3e:c3:69:03:f8:bf:47:01:d4:98:26:1a:08:02:ef:63:64:2b:c3",
"AuthorityInformation": {
"OCSP": [
"http://ocsp.digicert.com"
],
"CAIssuers": null
},
"SubjectAlternativeNames": [],
"CertificatePolicies": [
"2.5.29.32.0"
],
"CRLDistributionPoints": [
"http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl"
]
},
"SignatureAlgorithm": "SHA256-RSA",
"Signature": "18:8a:95:89:03:e6:6d:df:5c:fc:1d:68:ea:4a:8f:83:d6:51:2f:8d:6b:44:16:9e:ac:63:f5:d2:6e:6c:84:99:8b:aa:81:71:84:5b:ed:34:4e:b0:b7:79:92:29:cc:2d:80:6a:f0:8e:20:e1:79:a4:fe:03:47:13:ea:f5:86:ca:59:71:7d:f4:04:96:6b:d3:59:58:3d:fe:d3:31:25:5c:18:38:84:a3:e6:9f:82:fd:8c:5b:98:31:4e:cd:78:9e:1a:fd:85:cb:49:aa:f2:27:8b:99:72:fc:3e:aa:d5:41:0b:da:d5:36:a1:bf:1c:6e:47:49:7f:5e:d9:48:7c:03:d9:fd:8b:49:a0:98:26:42:40:eb:d6:92:11:a4:64:0a:57:54:c4:f5:1d:d6:02:5e:6b:ac:ee:c4:80:9a:12:72:fa:56:93:d7:ff:bf:30:85:06:30:bf:0b:7f:4e:ff:57:05:9d:24:ed:85:c3:2b:fb:a6:75:a8:ac:2d:16:ef:7d:79:27:b2:eb:c2:9d:0b:07:ea:aa:85:d3:01:a3:20:28:41:59:43:28:d2:81:e3:aa:f6:ec:7b:3b:77:b6:40:62:80:05:41:45:01:ef:17:06:3e:de:c0:33:9b:67:d3:61:2e:72:87:e4:69:fc:12:00:57:40:1e:70:f5:1e:c9:b4"
}
]
The CLI tools are wrappers around a public API. You can read the reference docs on pkg.go.dev.