• Stars
    star
    941
  • Rank 48,574 (Top 1.0 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 8 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A utility to examine and validate certificates in a variety of formats

certigo

license release build report

Certigo is a utility to examine and validate certificates to help with debugging SSL/TLS issues.

Features

Supports all common file formats: Certigo can read and dump certificates in various formats. It can automatically detect and read from X.509 (DER/PEM), JCEKS, PKCS7 and PKCS12 files. Certificates can be dumped to a human-readable format, a set of PEM blocks, or a JSON object for use in scripting.

Validation and linting: Not sure if your generated certificate is valid? Certigo can connect to remote servers to display and validate their certificate chains. It can also point out common errors on certificates, such as using an older X.509 format, signatures with outdated hashes, or keys that are too small.

Supports STARTTLS Protocols: Trying to debug SSL/TLS connections on a database or mail server? Certigo supports establishing connections via StartTLS protocols for MySQL, PostgreSQL, SMTP, LDAP, IMAP, and FTP, making it possible to debug connection issues or scan for expired certificates more easily.

Scripting support: All commands in certigo have support for optional JSON output, which can be used in shell scripts to analyze or filter output. Combine certigo with jq to find all certificates in a bundle that are signed with SHA1-RSA, or filter for CA certificates, or whatever you need!

Install

To install certigo, simply use:

go install github.com/square/certigo@latest

On macOS you can also use homebrew to install:

brew install certigo

Note that certigo requires Go 1.12 or later to build.

Develop

We use Go modules for managing vendored dependencies. If you would like to contribute, see the CONTRIBUTING.md file for extra information.

Usage

Certigo has commands to dump certificates and keystores from a file, to connect and fetch certificates from a remote server, and to verify the validity of certificates in a file. All commands can produce JSON output with the --json flag which can be used for scripting. See below for a full list of options.

usage: certigo [<flags>] <command> [<args> ...]

A command line certificate examination utility.

Flags:
      --help     Show context-sensitive help (also try --help-long and --help-man).
  -v, --verbose  Print verbose
      --version  Show application version.

Commands:
  help [<command>...]
    Show help.


  dump [<flags>] [<file>...]
    Display information about a certificate from a file/stdin.

    -f, --format=FORMAT      Format of given input (PEM, DER, JCEKS, PKCS12; heuristic if missing).
    -p, --password=PASSWORD  Password for PKCS12/JCEKS key stores (reads from TTY if missing).
    -m, --pem                Write output as PEM blocks instead of human-readable format.
    -j, --json               Write output as machine-readable JSON format.
    -l, --first              Only display the first certificate. This flag can be paired with --json or --pem.

  connect [<flags>] [<server:port>]
    Connect to a server and print its certificate(s).

    -n, --name=NAME           Override the server name used for Server Name Indication (SNI).
        --ca=CA               Path to CA bundle (system default if unspecified).
        --cert=CERT           Client certificate chain for connecting to server (PEM).
        --key=KEY             Private key for client certificate, if not in same file (PEM).
    -t, --start-tls=PROTOCOL  Enable StartTLS protocol ('ldap', 'mysql', 'postgres', 'smtp' or 'ftp').
        --identity=certigo    With --start-tls, sets the DB user or SMTP EHLO name.
        --proxy               Optional URI for HTTP(s) CONNECT proxy to dial connections with.
        --timeout=5s          Timeout for connecting to remote server (can be '5m', '1s', etc).
    -m, --pem                 Write output as PEM blocks instead of human-readable format.
    -j, --json                Write output as machine-readable JSON format.
    -l, --first               Only display the first certificate. This flag can be paired with --json or --pem.
        --verify              Verify certificate chain.
        --expected-name       Name expected in the server TLS certificate. Defaults to name from SNI or, if SNI not overridden, the hostname to connect to.

  verify --name=NAME [<flags>] [<file>]
    Verify a certificate chain from file/stdin against a name.

    -f, --format=FORMAT      Format of given input (PEM, DER, JCEKS, PKCS12; heuristic if missing).
    -p, --password=PASSWORD  Password for PKCS12/JCEKS key stores (reads from TTY if missing).
    -n, --name=NAME          Server name to verify certificate against.
        --ca=CA              Path to CA bundle (system default if unspecified).
    -j, --json               Write output as machine-readable JSON format.

Examples

Display information about a certificate (also supports --pem and --json output):

$ certigo dump --verbose squareup-2016.crt
** CERTIFICATE 1 **
Serial: 260680855742043049380997676879525498489
Valid: 2016-07-15 20:15 UTC to 2017-07-31 20:45 UTC
Signature: SHA256-RSA
Subject Info:
	Country: US
	Province: California
	Locality: San Francisco
	EV Incorporation Country: US
	EV Incorporation Province: Delaware
	Organization: Square, Inc.
	Business Category: Private Organization
	EV Incorporation Registration Number: 4699855
	CommonName: www.squareup.com
Issuer Info:
	Country: US
	Organization: Entrust, Inc.
	Organizational Unit: See www.entrust.net/legal-terms
	Organizational Unit: (c) 2014 Entrust, Inc. - for authorized use only
	CommonName: Entrust Certification Authority - L1M
Subject Key ID: D4:17:14:6F:0B:C5:20:A1:D6:FE:21:7E:DC:9E:F8:57:9C:ED:AE:6A
Authority Key ID: C3:F7:D0:B5:2A:30:AD:AF:0D:91:21:70:39:54:DD:BC:89:70:C7:3A
Basic Constraints: CA:false
Key Usage:
	Digital Signature
	Key Encipherment
Extended Key Usage:
	Server Auth
	Client Auth
Alternate DNS Names:
	www.squareup.com, squareup.com, account.squareup.com, mkt.com,
	www.mkt.com, market.squareup.com, gosq.com, www.gosq.com, gosq.co,
	www.gosq.co

Display & validate certificates from a remote server (also supports --start-tls):

$ certigo connect --verbose squareup.com:443
** TLS Connection **
Version: TLS 1.2
Cipher Suite: ECDHE_RSA key exchange, AES_128_GCM_SHA256 cipher

** CERTIFICATE 1 **
Serial: 260680855742043049380997676879525498489
Valid: 2016-07-15 20:15 UTC to 2017-07-31 20:45 UTC
Signature: SHA256-RSA
Subject Info:
	Country: US
	Province: California
	Locality: San Francisco
	EV Incorporation Country: US
	EV Incorporation Province: Delaware
	Organization: Square, Inc.
	Business Category: Private Organization
	EV Incorporation Registration Number: 4699855
	CommonName: www.squareup.com
Issuer Info:
	Country: US
	Organization: Entrust, Inc.
	Organizational Unit: See www.entrust.net/legal-terms
	Organizational Unit: (c) 2014 Entrust, Inc. - for authorized use only
	CommonName: Entrust Certification Authority - L1M
Subject Key ID: D4:17:14:6F:0B:C5:20:A1:D6:FE:21:7E:DC:9E:F8:57:9C:ED:AE:6A
Authority Key ID: C3:F7:D0:B5:2A:30:AD:AF:0D:91:21:70:39:54:DD:BC:89:70:C7:3A
Basic Constraints: CA:false
Key Usage:
	Digital Signature
	Key Encipherment
Extended Key Usage:
	Server Auth
	Client Auth
Alternate DNS Names:
	www.squareup.com, squareup.com, account.squareup.com, mkt.com,
	www.mkt.com, market.squareup.com, gosq.com, www.gosq.com, gosq.co,
	www.gosq.co

** CERTIFICATE 2 **
Serial: 30215777750102225331854468774
Valid: 2014-12-15 15:25 UTC to 2030-10-15 15:55 UTC
Signature: SHA256-RSA
Subject Info:
	Country: US
	Organization: Entrust, Inc.
	Organizational Unit: See www.entrust.net/legal-terms
	Organizational Unit: (c) 2014 Entrust, Inc. - for authorized use only
	CommonName: Entrust Certification Authority - L1M
Issuer Info:
	Country: US
	Organization: Entrust, Inc.
	Organizational Unit: See www.entrust.net/legal-terms
	Organizational Unit: (c) 2009 Entrust, Inc. - for authorized use only
	CommonName: Entrust Root Certification Authority - G2
Subject Key ID: C3:F7:D0:B5:2A:30:AD:AF:0D:91:21:70:39:54:DD:BC:89:70:C7:3A
Authority Key ID: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB
Basic Constraints: CA:true, pathlen:0
Key Usage:
	Cert Sign
	CRL Sign
Extended Key Usage:
	Client Auth
	Server Auth

** CERTIFICATE 3 **
Serial: 1372799044
Valid: 2014-09-22 17:14 UTC to 2024-09-23 01:31 UTC
Signature: SHA256-RSA
Subject Info:
	Country: US
	Organization: Entrust, Inc.
	Organizational Unit: See www.entrust.net/legal-terms
	Organizational Unit: (c) 2009 Entrust, Inc. - for authorized use only
	CommonName: Entrust Root Certification Authority - G2
Issuer Info:
	Country: US
	Organization: Entrust, Inc.
	Organizational Unit: www.entrust.net/CPS is incorporated by reference
	Organizational Unit: (c) 2006 Entrust, Inc.
	CommonName: Entrust Root Certification Authority
Subject Key ID: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB
Authority Key ID: 68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
Basic Constraints: CA:true, pathlen:1
Key Usage:
	Cert Sign
	CRL Sign

Found 2 valid certificate chain(s):
[0] www.squareup.com
	=> Entrust Certification Authority - L1M
	=> Entrust Root Certification Authority - G2 [self-signed]
[1] www.squareup.com
	=> Entrust Certification Authority - L1M
	=> Entrust Root Certification Authority - G2
	=> Entrust Root Certification Authority [self-signed] [SHA1-RSA]

Advanced examples on how to combine JSON output with jq filtering:

# Find certificates that have linter warnings
certigo dump --json $INPUT | jq '.certificates[] | select(.lints != [])'

# Find certificates that are signed with SHA1-RSA
certigo dump --json $INPUT | jq '.certificates[] | select(.signature_algorithm == "SHA1-RSA")'

# List all Common Names of certificates that are expired
certigo dump --json $INPUT | jq -r '.certificates[] | select(.not_after < now) | .subject.common_name'

# Look for MySQL servers with invalid certificates
for SERVER in $(cat servers); do
  certigo connect -t mysql -j $SERVER:3306 | jq -e '.verify_result.error != null' >/dev/null
  if [ $? -ne 0 ]; then
    echo "Invalid certificates on $SERVER"
  fi
done

# Find (redundant) self-signed certificates in intermediate chain on remote host
certigo connect --json $SERVER:$PORT | jq -e '.certificates[1:][] | select(.is_self_signed) | .subject.common_name'

# Test if server is requesting that clients send certificates for authentication
certigo connect --json $SERVER:$PORT | jq -e '.certificate_request_info != null'

More Repositories

1

okhttp

Square’s meticulous HTTP client for the JVM, Android, and GraalVM.
Kotlin
45,794
star
2

retrofit

A type-safe HTTP client for Android and the JVM
HTML
43,053
star
3

leakcanary

A memory leak detection library for Android.
Kotlin
29,383
star
4

picasso

A powerful image downloading and caching library for Android
Kotlin
18,716
star
5

javapoet

A Java API for generating .java source files.
Java
10,820
star
6

moshi

A modern JSON library for Kotlin and Java.
Kotlin
9,756
star
7

okio

A modern I/O library for Android, Java, and Kotlin Multiplatform.
Kotlin
8,790
star
8

dagger

A fast dependency injector for Android and Java.
Java
7,308
star
9

crossfilter

Fast n-dimensional filtering and grouping of records.
JavaScript
6,217
star
10

PonyDebugger

Remote network and data debugging for your native iOS app using Chrome Developer Tools
Objective-C
5,864
star
11

maximum-awesome

Config files for vim and tmux.
Ruby
5,706
star
12

otto

An enhanced Guava-based event bus with emphasis on Android support.
Java
5,163
star
13

cubism

Cubism.js: A JavaScript library for time series visualization.
JavaScript
4,943
star
14

sqlbrite

A lightweight wrapper around SQLiteOpenHelper which introduces reactive stream semantics to SQL operations.
Java
4,570
star
15

android-times-square

Standalone Android widget for picking a single date from a calendar view.
Java
4,445
star
16

wire

gRPC and protocol buffers for Android, Kotlin, Swift and Java.
Kotlin
4,244
star
17

Valet

Valet lets you securely store data in the iOS, tvOS, watchOS, or macOS Keychain without knowing a thing about how the Keychain works. It’s easy. We promise.
Swift
3,989
star
18

cube

Cube: A system for time series visualization.
JavaScript
3,904
star
19

kotlinpoet

A Kotlin API for generating .kt source files.
Kotlin
3,896
star
20

java-code-styles

IntelliJ IDEA code style settings for Square's Java and Android projects.
Shell
2,957
star
21

flow

Name UI states, navigate between them, remember where you've been.
Java
2,786
star
22

spoon

Distributing instrumentation tests to all your Androids.
HTML
2,702
star
23

keywhiz

A system for distributing and managing secrets
Java
2,619
star
24

tape

A lightning fast, transactional, file-based FIFO for Android and Java.
Java
2,466
star
25

certstrap

Tools to bootstrap CAs, certificate requests, and signed certificates.
Go
2,282
star
26

mortar

A simple library that makes it easy to pair thin views with dedicated controllers, isolated from most of the vagaries of the Activity life cycle.
Java
2,157
star
27

go-jose

An implementation of JOSE standards (JWE, JWS, JWT) in Go
1,975
star
28

Cleanse

Lightweight Swift Dependency Injection Framework
Swift
1,784
star
29

assertj-android

A set of AssertJ helpers geared toward testing Android.
Java
1,577
star
30

haha

DEPRECATED Java library to automate the analysis of Android heap dumps.
Java
1,436
star
31

phrase

Phrase is an Android string resource templating library
Java
1,404
star
32

cane

Code quality threshold checking as part of your build
Ruby
1,325
star
33

anvil

A Kotlin compiler plugin to make dependency injection with Dagger 2 easier.
Kotlin
1,310
star
34

seismic

Android device shake detection.
Java
1,275
star
35

sudo_pair

Plugin for sudo that requires another human to approve and monitor privileged sudo sessions
Rust
1,240
star
36

square.github.io

A simple, static portal which outlines our open source offerings.
CSS
1,153
star
37

spacecommander

Commit fully-formatted Objective-C as a team without even trying.
Objective-C
1,126
star
38

workflow

A Swift and Kotlin library for making composable state machines, and UIs driven by those state machines.
Shell
1,124
star
39

workflow-kotlin

A Swift and Kotlin library for making composable state machines, and UIs driven by those state machines.
Kotlin
1,027
star
40

logcat

I CAN HAZ LOGZ?
Kotlin
895
star
41

radiography

Text-ray goggles for your Android UI.
Kotlin
852
star
42

whorlwind

Makes fingerprint encryption a breeze.
Java
817
star
43

dagger-intellij-plugin

An IntelliJ IDEA plugin for Dagger which provides insight into how injections and providers are used.
Java
796
star
44

cycler

Kotlin
791
star
45

Paralayout

Paralayout is a set of simple, useful, and straightforward utilities that enable pixel-perfect layout in iOS. Your designers will love you.
Swift
786
star
46

apropos

A simple way to serve up appropriate images for every visitor.
Ruby
764
star
47

shift

shift is an application that helps you run schema migrations on MySQL databases
Ruby
735
star
48

coordinators

Simple MVWhatever for Android
Java
702
star
49

subzero

Block's Bitcoin Cold Storage solution.
C
683
star
50

Blueprint

Declarative UI construction for iOS, written in Swift
Swift
672
star
51

shuttle

String extraction, translation and export tools for the 21st century. "Moving strings around so you don't have to"
Ruby
656
star
52

gifencoder

A pure Java library implementing the GIF89a specification. Suitable for use on Android.
Java
654
star
53

pollexor

Java client for the Thumbor image service which allows you to build URIs in an expressive fashion using a fluent API.
Java
633
star
54

intro-to-d3

a D3.js tutorial
CSS
602
star
55

kochiku

Shard your builds for fun and profit
Ruby
599
star
56

curtains

Lift the curtain on Android Windows!
Kotlin
570
star
57

svelte-store

TypeScript
524
star
58

RxIdler

An IdlingResource for Espresso which wraps an RxJava Scheduler.
Java
511
star
59

burst

A unit testing library for varying test data.
Java
464
star
60

field-kit

FieldKit lets you take control of your text fields.
JavaScript
463
star
61

SuperDelegate

SuperDelegate provides a clean application delegate interface and protects you from bugs in the application lifecycle
Swift
454
star
62

otto-intellij-plugin

An IntelliJ IDEA plugin to navigate between events posted by Otto.
Java
451
star
63

js-jose

JavaScript library to encrypt/decrypt data in JSON Web Encryption (JWE) format and to sign/verify data in JSON Web Signature (JWS) format. Leverages Browser's native WebCrypto API.
JavaScript
422
star
64

sharkey

Sharkey is a service for managing certificates for use by OpenSSH
Go
395
star
65

connect-api-examples

Code samples demonstrating the functionality of the Square Connect API
JavaScript
391
star
66

fdoc

Documentation format and verification
Ruby
380
star
67

ETL

Extract, Transform, and Load data with Ruby
Ruby
377
star
68

lgtm

Simple object validation for JavaScript.
JavaScript
370
star
69

papa

PAPA: Performance of Android Production Applications
Kotlin
345
star
70

laravel-hyrule

Object-oriented, composable, fluent API for writing validations in Laravel
PHP
341
star
71

in-app-payments-flutter-plugin

Flutter Plugin for Square In-App Payments SDK
Objective-C
340
star
72

pylink

Python Library for device debugging/programming via J-Link
Python
331
star
73

workflow-swift

A Swift and Kotlin library for making composable state machines, and UIs driven by those state machines.
Swift
326
star
74

pysurvival

Open source package for Survival Analysis modeling
HTML
319
star
75

rails-auth

Modular resource-based authentication and authorization for Rails/Rack
Ruby
291
star
76

cocoapods-generate

A CocoaPods plugin that allows you to easily generate a workspace from a podspec.
Ruby
279
star
77

inspect

inspect is a collection of metrics gathering, analysis utilities for various subsystems of linux, mysql and postgres.
Go
268
star
78

Aardvark

Aardvark is a library that makes it dead simple to create actionable bug reports.
Objective-C
260
star
79

gradle-dependencies-sorter

A CLI app and Gradle plugin to sort the dependencies in your Gradle build scripts
Kotlin
253
star
80

jetpack

jet.pack: package your JRuby rack app for Jetty.
Ruby
248
star
81

luhnybin

Shell
232
star
82

auto-value-redacted

An extension for Google's AutoValue that omits redacted fields from toString().
Java
211
star
83

protoparser

Java parser for .proto schema declarations.
Java
210
star
84

squalor

Go SQL utility library
Go
205
star
85

Listable

Declarative list views for iOS apps.
Swift
200
star
86

p2

Platypus Platform: Tools for Scalable Deployment
Go
196
star
87

mimecraft

Utility for creating RFC-compliant multipart and form-encoded HTTP request bodies.
Java
195
star
88

git-fastclone

git clone --recursive on steroids
Ruby
187
star
89

zapp

Continuous Integration for KIF
Objective-C
179
star
90

metrics

Metrics Query Engine
Go
170
star
91

ruby-rrule

RRULE expansion for Ruby
Ruby
170
star
92

quotaservice

The purpose of a quota service is to prevent cascading failures in micro-service environments. The service acts as a traffic cop, slowing down traffic where necessary to prevent overloading services. For this to work, remote procedure calls (RPCs) between services consult the quota service before making a call. The service isn’t strictly for RPCs between services, and can even be used to apply quotas to database calls, for example.
Go
153
star
93

wire-gradle-plugin

A Gradle plugin for generating Java code for your protocol buffer definitions with Wire.
Groovy
153
star
94

goprotowrap

A package-at-a-time wrapper for protoc, for generating Go protobuf code.
Go
148
star
95

beancounter

Utility to audit the balance of Hierarchical Deterministic (HD) wallets. Supports multisig + segwit wallets.
Go
144
star
96

rce-agent

gRPC-based Remote Command Execution Agent
Go
136
star
97

womeng_handbook

Everything you need to start or expand a women in engineering group in your community.
129
star
98

cocoapods-check

A CocoaPods plugin that shows differences between locked and installed Pods
Ruby
126
star
99

point-of-sale-android-sdk

A simple library for letting Point of Sale take in-store payments for your app using Point of Sale API.
Java
119
star
100

in-app-payments-react-native-plugin

Objective-C
119
star