Package pwnedkeys looks up Certificates, Certificate requests, Keys, etc in the pwnedkeys.com database.
Lookup is done using the SubjectPublicKeyInfo (SPKI) associated with a key. The SPKI fingerprint of a key (or certificate) is the all-lowercase hex-encoded SHA-256 hash of the DER-encoded form of the subjectPublicKeyInfo ASN.1 structure representing a given public key.
CheckCertificate returns a non-nil error only if the key information is found in the pwnedkeys.com database. Finding key data implies a compromised key.