We're working on a tool similar to GenerateCapsule but uses HSM-based keys to perform the signing instead of a local key file. Is there a standalone tool or recommended method to validate the capsules are generated correctly using the cert chain?