ilusm.dev

cert

X.509 certificate management and PKI - parse PEM/DER, generate CA/leaf/self-signed certificates, CSR creation and signing, chain building and validation, CRL generation and revocation checks, OCSP, certificate transparency, SPKI pinning, PKCS#12, JKS, and trust store management.

Load with: use cert

What this module does

cert provides a complete PKI toolkit. You can parse existing certificates from PEM or DER format, interrogate their fields (subject, issuer, SANs, validity, key algorithm, usage), generate new CA or end-entity certificates, create and sign CSRs, build and validate certificate chains, check revocation via CRL or OCSP, monitor Certificate Transparency logs, and manage keystores in PKCS#12 or JKS format.

Quick example

use cert

# Parse a PEM certificate
c = certp(pem_string)
info = certi(c)
prn(info.subject)
prn(info.not_after)

# Generate a self-signed cert
sc = certg2("CN=localhost", 365, 2048)

# Generate a CA and sign a leaf certificate
ca = certg("CN=My CA", 3650, 4096)
leaf = certg1("CN=myservice", ca.cert, ca.key, 365, ["myservice.local"])

# Check if a certificate has expired
prn(certi2(c))   # tru if expired

# Check if a domain matches the cert
prn(certc10(c, "example.com"))

Functions

Parsing

certp(pem_or_der)

Parses a certificate from PEM or DER format via host native __cert_parse. Returns a raw certificate object.

certp1(path)

Reads a certificate file from disk and parses it.

certi(cert)

Extracts a normalised info object from a parsed certificate: subject, issuer, serial, not_before, not_after, sig_alg, key_alg, key_size, san (Subject Alt Names list), is_ca, key_usage, and ext_key_usage. Missing fields default to empty/zero.

certd1(cert)

Returns a human-readable text dump of the certificate via __cert_text_dump.

Certificate generation

certg(subject_name, validity_days, key_bits)

Generates a new CA certificate and key pair via __cert_gen_ca. Returns {cert, key}.

certg1(subject_name, ca_cert, ca_key, validity_days, san_list)

Generates a leaf (end-entity) certificate signed by a CA. san_list is a list of DNS names or IP addresses for the Subject Alternative Names extension.

certg2(subject_name, validity_days, key_bits)

Generates a self-signed certificate for development and testing: it is signed with its own key rather than by a CA, so clients will reject it unless it is explicitly added to their trust store.

CSR operations

certc(subject_name, key_bits)

Generates a Certificate Signing Request and private key pair.

certc1(csr_pem, ca_cert, ca_key, validity_days)

Signs a CSR with a CA certificate and key, producing a signed certificate.

certc2(csr_pem)

Parses a PEM CSR and returns its fields.

Certificate chains

certc3(chain_pem)

Splits a PEM bundle containing multiple certificates into a list of parsed cert objects.

certc4(chain, trusted_roots)

Validates a certificate chain against a list of trusted root certificates via __cert_chain_validate. Pass only the roots you intend to trust; certs1() supplies the system root set if that is what you want.

certc5(leaf_cert, intermediate_certs)

Builds a chain from leaf to root by matching issuer/subject fields through the list of intermediate certificates. Returns the ordered chain.
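The issuer/subject walk that certc5 describes, written out as an added example in Python (this is illustrative code, not the module's own implementation). The CertInfo records and key identifiers are constructed inputs; the walk prefers a candidate whose Subject Key Identifier equals the child's Authority Key Identifier, because two certificates can share a subject name while carrying different keys (a retired intermediate, or a decoy), and a name-only match would pick the wrong one:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CHAIN_DEPTH = 8  # guard against pathological pools


@dataclass(frozen=True)
class CertInfo:
    """Just the fields a chain builder needs (mirrors subject/issuer of an info object)."""
    subject: str
    issuer: str
    ski: Optional[str] = None  # Subject Key Identifier (hex), if the cert carries one
    aki: Optional[str] = None  # Authority Key Identifier (hex), if the cert carries one


def is_self_signed(c: CertInfo) -> bool:
    return c.subject == c.issuer and (c.aki is None or c.aki == c.ski)


def find_issuer(c: CertInfo, pool: List[CertInfo], seen: set) -> Optional[CertInfo]:
    """Pick the pool cert that issued c: its subject must equal c.issuer and, when both
    sides carry key identifiers, its SKI must equal c's AKI."""
    for cand in pool:
        if cand in seen or cand.subject != c.issuer:
            continue
        if c.aki is not None and cand.ski is not None and c.aki != cand.ski:
            continue  # same name, different key: a retired or decoy certificate
        return cand
    return None


def build_chain(leaf: CertInfo, pool: List[CertInfo]) -> Tuple[List[CertInfo], bool]:
    """Return (ordered chain leaf..root, complete). complete is False when the walk
    stopped before reaching a self-signed certificate (missing issuer or a cycle)."""
    chain, seen, current = [leaf], {leaf}, leaf
    while not is_self_signed(current):
        if len(chain) >= MAX_CHAIN_DEPTH:
            raise ValueError("chain too deep")
        nxt = find_issuer(current, pool, seen)
        if nxt is None:
            return chain, False
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain, True


# Constructed sample PKI (hypothetical names and identifiers).
ROOT = CertInfo("CN=My Root CA", "CN=My Root CA", ski="aa")
INT1 = CertInfo("CN=My Intermediate CA", "CN=My Root CA", ski="bb", aki="aa")
INT1_OLD = CertInfo("CN=My Intermediate CA", "CN=My Root CA", ski="cc", aki="aa")  # same name, old key
LEAF = CertInfo("CN=myservice", "CN=My Intermediate CA", aki="bb")
UNRELATED = CertInfo("CN=Other CA", "CN=Other Root", ski="dd", aki="ee")


def demo() -> Tuple[List[str], bool]:
    """Build the chain for LEAF from an unordered pool that includes the decoy intermediate."""
    chain, complete = build_chain(LEAF, [UNRELATED, INT1_OLD, INT1, ROOT])
    return [c.subject for c in chain], complete


if __name__ == "__main__":
    print(demo())
```

Name matching only orders the candidates; a real validator (certc4 here) must still verify each signature against the issuer's public key, because a subject name is not proof of issuance.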

CRL (Certificate Revocation List)

certc6(ca_cert, ca_key, revoked_serials, next_update_days)

Generates a CRL signed by a CA, listing the given revoked serial numbers.

certc7(crl_pem_or_der)

Parses a CRL.

certi1(cert, crl)

Checks whether a certificate is revoked by looking up its serial number in the CRL's revoked list. Returns tru if revoked. This is a serial lookup only; before relying on it, confirm that the CRL was issued by the certificate's issuer and that its next_update has not passed, otherwise a stale or forged CRL can hide a revocation.

OCSP

certo(cert, issuer_cert, ocsp_url)

Sends an OCSP request to check revocation status of a certificate.

certo1(response)

Parses an OCSP response.

Certificate Transparency

certc8()

Returns a list of known CT log URLs (Google Argon 2024, Cloudflare Nimbus 2024, Let's Encrypt Oak 2024). These are time-sharded logs: each yearly shard accepts only certificates whose not_after falls within that year, so submit to the shard that matches the certificate's expiry and expect this list to need updating as new shards are announced.

certs(cert, ct_log_url)

Submits a certificate to a CT log via __cert_ct_submit. Returns the Signed Certificate Timestamp (SCT).

certc9(domain)

Queries crt.sh for all certificates issued for a domain. Returns the raw JSON response list.

certv(cert, sct_list, ct_log_pubkey)

Verifies a list of SCTs for a certificate.

Pinning

certp2(cert)

Computes the SPKI pin (RFC 7469): the SHA-256 digest of the DER-encoded Subject Public Key Info, Base64-encoded. The HTTP Public Key Pinning header that RFC 7469 defined is deprecated and no longer honoured by mainstream browsers; use the pin for clients you control (mobile apps, service-to-service clients, agents), and always keep a backup pin for a key that is not yet deployed, since pinning a single key turns a key loss into an outage.

certp3(cert, known_pins)

Verifies a certificate's SPKI pin against a list of known acceptable pins. Returns tru if the pin equals any entry in known_pins. Because the pin covers the public key rather than the whole certificate, renewing a certificate with the same key pair keeps existing pins valid.
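How certp2 and certp3 fit together, as an added Python example (illustrative code, not the module's implementation): a small DER walker pulls the SubjectPublicKeyInfo out of a DER certificate by position (RFC 5280 section 4.1, skipping the optional [0] version field), the pin is Base64(SHA-256(SPKI)), and the check compares against a list of pins in constant time. Because the example must run offline, the certificate it pins is constructed here with the same DER helpers: it has the correct outline (tbsCertificate, signatureAlgorithm, signature) but a zero signature, so it is not a valid certificate, only a structure to walk. The public keys are constructed byte strings, not real keys.

```python
import base64
import hashlib
import hmac
from typing import Iterable, List, Tuple

# ---- minimal DER helpers: definite, minimal lengths only (what DER mandates) ----

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, bytes, int]:
    """Decode the TLV at pos -> (tag, value, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], buf[pos:end], end


def der_children(body: bytes) -> List[Tuple[int, bytes, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = der_read(body, pos)
        out.append((tag, val, raw))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_body, _, _ = der_read(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:  # [0] EXPLICIT version; absent in v1 certificates
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("malformed tbsCertificate")
    return fields[5][2]


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: Base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, known_pins: Iterable[str]) -> bool:
    """True if the certificate's SPKI pin equals any known pin (constant-time compare)."""
    pin = spki_pin(extract_spki(cert_der))
    return any(hmac.compare_digest(pin, k) for k in known_pins)


# ---- constructed certificate: correct outline, dummy zero signature, NOT a valid cert ----

ED25519_OID = der_tlv(0x06, bytes.fromhex("2b6570"))  # 1.3.101.112


def ed25519_spki(raw_key: bytes) -> bytes:
    alg = der_tlv(0x30, ED25519_OID)
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + raw_key))


def rdn_name(cn: str) -> bytes:
    cn_oid = der_tlv(0x06, bytes.fromhex("550403"))  # 2.5.4.3 commonName
    atv = der_tlv(0x30, cn_oid + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def fake_cert(raw_key: bytes, v3: bool = True) -> bytes:
    sig_alg = der_tlv(0x30, ED25519_OID)
    utc = der_tlv(0x17, b"240101000000Z")
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if v3 else b""
    tbs += (der_tlv(0x02, b"\x01") + sig_alg + rdn_name("My CA")
            + der_tlv(0x30, utc + utc) + rdn_name("myservice") + ed25519_spki(raw_key))
    return der_tlv(0x30, der_tlv(0x30, tbs) + sig_alg + der_tlv(0x03, b"\x00" + bytes(64)))


KEY_A = bytes(range(32))        # constructed stand-in public keys
KEY_B = bytes(range(32, 64))
CERT_A = fake_cert(KEY_A)
CERT_A_V1 = fake_cert(KEY_A, v3=False)
CERT_B = fake_cert(KEY_B)
PIN_A = spki_pin(ed25519_spki(KEY_A))

if __name__ == "__main__":
    print(PIN_A, pin_matches(CERT_A, [PIN_A, "backup-pin-not-yet-deployed"]), pin_matches(CERT_B, [PIN_A]))
```

The walker is positional on purpose: it never interprets names, times or extensions, which is all an SPKI pin needs, and the same SPKI bytes are what a library's public-key serialisation returns, so pins computed this way agree with openssl's `-pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` pipeline.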

PKI store

certp4(store_path, cert, alias) / certp5(store_path, alias) / certp6(store_path, alias) / certp7(store_path)

Store, retrieve, delete, and list certificates in a file-based PKI store by alias.

Key stores

certj(jks_path, cert, key, password)

Imports a certificate and key into a Java KeyStore (JKS) file.

certp8(cert_chain, key, password)

Creates a PKCS#12 (.p12) bundle from a certificate chain and private key.

certp9(p12_data, password)

Parses a PKCS#12 bundle, returning the certificate and key.

Validation helpers

certi2(cert)

Returns tru if the certificate has expired (now > not_after).

certi3(cert)

Returns tru if the certificate is currently valid (not_before ≤ now ≤ not_after).

certc10(cert, domain)

Checks whether a certificate's SAN list or CN matches a domain exactly. Note that RFC 6125 validators, browsers included, consult the CN only when the certificate carries no SAN extension, so always populate the SAN list when generating certificates.

certc11(cert, domain)

Checks wildcard SAN entries, e.g. *.example.com matches sub.example.com. Per RFC 6125 a wildcard stands for exactly one label and must be the whole left-most label: *.example.com matches neither example.com nor a.b.example.com.
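The exact and wildcard matching rules behind certc10 and certc11, as an added Python example (illustrative code, not the module's implementation), going a little beyond the two helpers: names are case-folded and a trailing dot is ignored, the CN is used only when there are no DNS SANs, an IP host is compared only against iPAddress SANs and never against a DNS wildcard, and partial-label wildcards such as f*o.example.com are rejected (RFC 6125 permits them but no mainstream client accepts them). The SAN lists and hostnames are constructed inputs.

```python
import ipaddress
from typing import Iterable, Optional


def _norm(name: str) -> Optional[str]:
    """Lower-case, drop a trailing dot; None for names that cannot be a hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or any(ch.isspace() for ch in name) or any(not lab for lab in name.split(".")):
        return None
    return name


def match_dns_name(pattern: str, host: str) -> bool:
    """Match one dNSName SAN (possibly a wildcard) against a hostname."""
    pattern, host = _norm(pattern), _norm(host)
    if pattern is None or host is None:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire left-most label and the only wildcard.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Refuse patterns that would cover a whole TLD, such as "*" or "*.com".
    if len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(host: str, san_dns: Iterable[str] = (), san_ip: Iterable[str] = (),
                      cn: Optional[str] = None) -> bool:
    """Decide whether a certificate's names cover host, following RFC 6125 precedence."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP hosts match only iPAddress SANs; DNS names and wildcards never apply.
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    san_dns = list(san_dns)
    names = san_dns if san_dns else ([cn] if cn else [])  # CN is a legacy fallback only
    return any(match_dns_name(n, host) for n in names)


if __name__ == "__main__":
    # Constructed examples: a wildcard cert and an internal service cert.
    print(cert_matches_host("sub.example.com", san_dns=["*.example.com"]))      # True
    print(cert_matches_host("example.com", san_dns=["*.example.com"]))          # False
    print(cert_matches_host("myservice.local", san_dns=["myservice.local"]))    # True
    print(cert_matches_host("10.0.0.1", san_ip=["10.0.0.1"]))                   # True
```

The two "False" cases above are the ones that cause real incidents: a wildcard certificate does not cover the apex name or a second subdomain level, so a deployment that relies on *.example.com for example.com or for a.b.example.com fails validation in every mainstream client.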

Format conversion

certp10(pem)

Converts a PEM certificate to DER binary.

certd(der)

Converts a DER binary certificate to PEM.

System trust store

certs1()

Returns the system root CA certificates.

certu()

Updates the system root CA store.

Notes

  • All certificate and key operations delegate to __cert_* host natives.
  • Timestamps in certi are Unix seconds.
  • Requires trl, txt, bin, cry, and asn.