{"id":13540104,"url":"https://github.com/square/certigo","last_synced_at":"2025-10-23T19:26:18.502Z","repository":{"id":37412451,"uuid":"59852599","full_name":"square/certigo","owner":"square","description":"A utility to examine and validate certificates in a variety of formats","archived":false,"fork":false,"pushed_at":"2025-03-14T20:56:10.000Z","size":6454,"stargazers_count":965,"open_issues_count":39,"forks_count":72,"subscribers_count":33,"default_branch":"master","last_synced_at":"2025-03-30T07:02:10.248Z","etag":null,"topics":["certificate","cli","command-line-app","crypto","jceks","keystore","pem","pkcs12","pkcs7","ssl","tls","x509"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/square.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-27T17:41:53.000Z","updated_at":"2025-03-19T06:47:30.000Z","dependencies_parsed_at":"2023-02-13T10:46:17.895Z","dependency_job_id":"b3dcc357-66cc-4da0-b33e-5de89595710c","html_url":"https://github.com/square/certigo","commit_stats":{"total_commits":352,"total_committers":33,"mean_commits":"10.666666666666666","dds":0.6448863636363636,"last_synced_commit":"b78a846ab962134ea5c48b746e0e99199d55da28"},"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/square%2Fcertigo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/square%2Fcertigo/tags","releases_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/square%2Fcertigo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/square%2Fcertigo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/square","download_url":"https://codeload.github.com/square/certigo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246768365,"owners_count":20830653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","cli","command-line-app","crypto","jceks","keystore","pem","pkcs12","pkcs7","ssl","tls","x509"],"created_at":"2024-08-01T09:01:40.519Z","updated_at":"2025-10-23T19:26:13.478Z","avatar_url":"https://github.com/square.png","language":"Go","readme":"# certigo\n\n[![license](http://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/square/certigo/master/LICENSE)\n[![release](https://img.shields.io/github/release/square/certigo.svg?style=flat)](https://github.com/square/certigo/releases)\n[![build](https://travis-ci.org/square/certigo.svg?branch=master)](https://travis-ci.org/square/certigo)\n[![report](https://goreportcard.com/badge/github.com/square/certigo)](https://goreportcard.com/report/github.com/square/certigo)\n\nCertigo is a utility to examine and validate certificates to help with debugging SSL/TLS issues.\n\n### Features\n\n**Supports all common file formats**: Certigo can read and dump certificates in various formats. It can automatically detect and read from X.509 (DER/PEM), JCEKS, PKCS7 and PKCS12 files. 
Certificates can be dumped to a human-readable format, a set of PEM blocks, or a JSON object for use in scripting.\n\n**Validation and linting**: Not sure if your generated certificate is valid? Certigo can connect to remote servers to display and validate their certificate chains. It can also point out common errors on certificates, such as using an older X.509 format, signatures with outdated hashes, or keys that are too small.\n\n**Supports STARTTLS Protocols**: Trying to debug SSL/TLS connections on a database or mail server? Certigo supports establishing connections via StartTLS protocols for MySQL, PostgreSQL, SMTP, LDAP, IMAP, and FTP, making it possible to debug connection issues or scan for expired certificates more easily.\n\n**Scripting support**: All commands in certigo have support for optional JSON output, which can be used in shell scripts to analyze or filter output. Combine certigo with [jq](https://stedolan.github.io/jq) to find all certificates in a bundle that are signed with SHA1-RSA, or filter for CA certificates, or whatever you need!\n\n### Install\n\nTo install certigo, simply use:\n\n    go install github.com/square/certigo@latest\n\nOn macOS you can also use homebrew to install:\n\n    brew install certigo\n\nNote that certigo requires Go 1.12 or later to build.\n\n### Develop\n\nWe use [Go modules][1] for managing vendored dependencies. If you would like to contribute, see the [CONTRIBUTING.md](CONTRIBUTING.md) file for extra information.\n\n[1]: https://github.com/golang/go/wiki/Modules\n\n### Usage\n\nCertigo has commands to dump certificates and keystores from a file, to connect and fetch certificates from a remote server, and to verify the validity of certificates in a file. All commands can produce JSON output with the `--json` flag which can be used for scripting. 
See below for a full list of options.\n\n```\nusage: certigo [\u003cflags\u003e] \u003ccommand\u003e [\u003cargs\u003e ...]\n\nA command line certificate examination utility.\n\nFlags:\n      --help     Show context-sensitive help (also try --help-long and --help-man).\n  -v, --verbose  Print verbose\n      --version  Show application version.\n\nCommands:\n  help [\u003ccommand\u003e...]\n    Show help.\n\n\n  dump [\u003cflags\u003e] [\u003cfile\u003e...]\n    Display information about a certificate from a file/stdin.\n\n    -f, --format=FORMAT      Format of given input (PEM, DER, JCEKS, PKCS12; heuristic if missing).\n    -p, --password=PASSWORD  Password for PKCS12/JCEKS key stores (reads from TTY if missing).\n    -m, --pem                Write output as PEM blocks instead of human-readable format.\n    -j, --json               Write output as machine-readable JSON format.\n    -l, --first              Only display the first certificate. This flag can be paired with --json or --pem.\n\n  connect [\u003cflags\u003e] [\u003cserver:port\u003e]\n    Connect to a server and print its certificate(s).\n\n    -n, --name=NAME           Override the server name used for Server Name Indication (SNI).\n        --ca=CA               Path to CA bundle (system default if unspecified).\n        --cert=CERT           Client certificate chain for connecting to server (PEM).\n        --key=KEY             Private key for client certificate, if not in same file (PEM).\n    -t, --start-tls=PROTOCOL  Enable StartTLS protocol ('ldap', 'mysql', 'postgres', 'smtp' or 'ftp').\n        --identity=certigo    With --start-tls, sets the DB user or SMTP EHLO name.\n        --proxy               Optional URI for HTTP(s) CONNECT proxy to dial connections with.\n        --timeout=5s          Timeout for connecting to remote server (can be '5m', '1s', etc).\n    -m, --pem                 Write output as PEM blocks instead of human-readable format.\n    -j, --json                Write output as 
machine-readable JSON format.\n    -l, --first               Only display the first certificate. This flag can be paired with --json or --pem.\n        --verify              Verify certificate chain.\n        --expected-name       Name expected in the server TLS certificate. Defaults to name from SNI or, if SNI not overridden, the hostname to connect to.\n\n  verify --name=NAME [\u003cflags\u003e] [\u003cfile\u003e]\n    Verify a certificate chain from file/stdin against a name.\n\n    -f, --format=FORMAT      Format of given input (PEM, DER, JCEKS, PKCS12; heuristic if missing).\n    -p, --password=PASSWORD  Password for PKCS12/JCEKS key stores (reads from TTY if missing).\n    -n, --name=NAME          Server name to verify certificate against.\n        --ca=CA              Path to CA bundle (system default if unspecified).\n    -j, --json               Write output as machine-readable JSON format.\n```\n\n### Examples\n\nDisplay information about a certificate (also supports `--pem` and `--json` output):\n\n```\n$ certigo dump --verbose squareup-2016.crt\n** CERTIFICATE 1 **\nSerial: 260680855742043049380997676879525498489\nValid: 2016-07-15 20:15 UTC to 2017-07-31 20:45 UTC\nSignature: SHA256-RSA\nSubject Info:\n\tCountry: US\n\tProvince: California\n\tLocality: San Francisco\n\tEV Incorporation Country: US\n\tEV Incorporation Province: Delaware\n\tOrganization: Square, Inc.\n\tBusiness Category: Private Organization\n\tEV Incorporation Registration Number: 4699855\n\tCommonName: www.squareup.com\nIssuer Info:\n\tCountry: US\n\tOrganization: Entrust, Inc.\n\tOrganizational Unit: See www.entrust.net/legal-terms\n\tOrganizational Unit: (c) 2014 Entrust, Inc. 
- for authorized use only\n\tCommonName: Entrust Certification Authority - L1M\nSubject Key ID: D4:17:14:6F:0B:C5:20:A1:D6:FE:21:7E:DC:9E:F8:57:9C:ED:AE:6A\nAuthority Key ID: C3:F7:D0:B5:2A:30:AD:AF:0D:91:21:70:39:54:DD:BC:89:70:C7:3A\nBasic Constraints: CA:false\nKey Usage:\n\tDigital Signature\n\tKey Encipherment\nExtended Key Usage:\n\tServer Auth\n\tClient Auth\nAlternate DNS Names:\n\twww.squareup.com, squareup.com, account.squareup.com, mkt.com,\n\twww.mkt.com, market.squareup.com, gosq.com, www.gosq.com, gosq.co,\n\twww.gosq.co\n```\n\nDisplay \u0026 validate certificates from a remote server (also supports `--start-tls`):\n\n```\n$ certigo connect --verbose squareup.com:443\n** TLS Connection **\nVersion: TLS 1.2\nCipher Suite: ECDHE_RSA key exchange, AES_128_GCM_SHA256 cipher\n\n** CERTIFICATE 1 **\nSerial: 260680855742043049380997676879525498489\nValid: 2016-07-15 20:15 UTC to 2017-07-31 20:45 UTC\nSignature: SHA256-RSA\nSubject Info:\n\tCountry: US\n\tProvince: California\n\tLocality: San Francisco\n\tEV Incorporation Country: US\n\tEV Incorporation Province: Delaware\n\tOrganization: Square, Inc.\n\tBusiness Category: Private Organization\n\tEV Incorporation Registration Number: 4699855\n\tCommonName: www.squareup.com\nIssuer Info:\n\tCountry: US\n\tOrganization: Entrust, Inc.\n\tOrganizational Unit: See www.entrust.net/legal-terms\n\tOrganizational Unit: (c) 2014 Entrust, Inc. 
- for authorized use only\n\tCommonName: Entrust Certification Authority - L1M\nSubject Key ID: D4:17:14:6F:0B:C5:20:A1:D6:FE:21:7E:DC:9E:F8:57:9C:ED:AE:6A\nAuthority Key ID: C3:F7:D0:B5:2A:30:AD:AF:0D:91:21:70:39:54:DD:BC:89:70:C7:3A\nBasic Constraints: CA:false\nKey Usage:\n\tDigital Signature\n\tKey Encipherment\nExtended Key Usage:\n\tServer Auth\n\tClient Auth\nAlternate DNS Names:\n\twww.squareup.com, squareup.com, account.squareup.com, mkt.com,\n\twww.mkt.com, market.squareup.com, gosq.com, www.gosq.com, gosq.co,\n\twww.gosq.co\n\n** CERTIFICATE 2 **\nSerial: 30215777750102225331854468774\nValid: 2014-12-15 15:25 UTC to 2030-10-15 15:55 UTC\nSignature: SHA256-RSA\nSubject Info:\n\tCountry: US\n\tOrganization: Entrust, Inc.\n\tOrganizational Unit: See www.entrust.net/legal-terms\n\tOrganizational Unit: (c) 2014 Entrust, Inc. - for authorized use only\n\tCommonName: Entrust Certification Authority - L1M\nIssuer Info:\n\tCountry: US\n\tOrganization: Entrust, Inc.\n\tOrganizational Unit: See www.entrust.net/legal-terms\n\tOrganizational Unit: (c) 2009 Entrust, Inc. - for authorized use only\n\tCommonName: Entrust Root Certification Authority - G2\nSubject Key ID: C3:F7:D0:B5:2A:30:AD:AF:0D:91:21:70:39:54:DD:BC:89:70:C7:3A\nAuthority Key ID: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB\nBasic Constraints: CA:true, pathlen:0\nKey Usage:\n\tCert Sign\n\tCRL Sign\nExtended Key Usage:\n\tClient Auth\n\tServer Auth\n\n** CERTIFICATE 3 **\nSerial: 1372799044\nValid: 2014-09-22 17:14 UTC to 2024-09-23 01:31 UTC\nSignature: SHA256-RSA\nSubject Info:\n\tCountry: US\n\tOrganization: Entrust, Inc.\n\tOrganizational Unit: See www.entrust.net/legal-terms\n\tOrganizational Unit: (c) 2009 Entrust, Inc. 
- for authorized use only\n\tCommonName: Entrust Root Certification Authority - G2\nIssuer Info:\n\tCountry: US\n\tOrganization: Entrust, Inc.\n\tOrganizational Unit: www.entrust.net/CPS is incorporated by reference\n\tOrganizational Unit: (c) 2006 Entrust, Inc.\n\tCommonName: Entrust Root Certification Authority\nSubject Key ID: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB\nAuthority Key ID: 68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D\nBasic Constraints: CA:true, pathlen:1\nKey Usage:\n\tCert Sign\n\tCRL Sign\n\nFound 2 valid certificate chain(s):\n[0] www.squareup.com\n\t=\u003e Entrust Certification Authority - L1M\n\t=\u003e Entrust Root Certification Authority - G2 [self-signed]\n[1] www.squareup.com\n\t=\u003e Entrust Certification Authority - L1M\n\t=\u003e Entrust Root Certification Authority - G2\n\t=\u003e Entrust Root Certification Authority [self-signed] [SHA1-RSA]\n```\n\nAdvanced examples on how to combine JSON output with [jq](https://stedolan.github.io/jq/) filtering:\n\n```\n# Find certificates that have linter warnings\ncertigo dump --json $INPUT | jq '.certificates[] | select(.lints != [])'\n\n# Find certificates that are signed with SHA1-RSA\ncertigo dump --json $INPUT | jq '.certificates[] | select(.signature_algorithm == \"SHA1-RSA\")'\n\n# List all Common Names of certificates that are expired\ncertigo dump --json $INPUT | jq -r '.certificates[] | select(.not_after \u003c now) | .subject.common_name'\n\n# Look for MySQL servers with invalid certificates\nfor SERVER in $(cat servers); do\n  certigo connect -t mysql -j $SERVER:3306 | jq -e '.verify_result.error != null' \u003e/dev/null\n  if [ $? 
-eq 0 ]; then\n    echo \"Invalid certificates on $SERVER\"\n  fi\ndone\n\n# Find (redundant) self-signed certificates in intermediate chain on remote host\ncertigo connect --json $SERVER:$PORT | jq -e '.certificates[1:][] | select(.is_self_signed) | .subject.common_name'\n\n# Test if server is requesting that clients send certificates for authentication\ncertigo connect --json $SERVER:$PORT | jq -e '.certificate_request_info != null'\n```\n","funding_links":[],"categories":["Private Key Infrastructure","Go","\u003ca id=\"86d5daccb4ed597e85a0ec9c87f3c66f\"\u003e\u003c/a\u003eTLS\u0026\u0026SSL\u0026\u0026HTTPS"],"sub_categories":["\u003ca id=\"776c034543a65be69c061d1aafce3127\"\u003e\u003c/a\u003e新添加的"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsquare%2Fcertigo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsquare%2Fcertigo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsquare%2Fcertigo/lists"}