security/nss/doc/vfychain.xml@6474c204b198
security/nss/doc/vfychain.xml
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY date SYSTEM "date.xml">
5 <!ENTITY version SYSTEM "version.xml">
6 ]>
8 <refentry id="vfychain">
10 <refentryinfo>
11 <date>&date;</date>
12 <title>NSS Security Tools</title>
13 <productname>nss-tools</productname>
14 <productnumber>&version;</productnumber>
15 </refentryinfo>
17 <refmeta>
18 <refentrytitle>VFYCHAIN</refentrytitle>
19 <manvolnum>1</manvolnum>
20 </refmeta>
22 <refnamediv>
23 <refname>vfychain </refname>
24 <refpurpose>vfychain [options] [revocation options] certfile [[options] certfile] ...</refpurpose>
25 </refnamediv>
27 <refsynopsisdiv>
28 <cmdsynopsis>
29 <command>vfychain</command>
30 </cmdsynopsis>
31 </refsynopsisdiv>
33 <refsection>
34 <title>STATUS</title>
35 <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
36 </para>
37 </refsection>
39 <refsection id="description">
40 <title>Description</title>
41 <para>The verification Tool, <command>vfychain</command>, verifies certificate chains. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para>
43 <para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para>
44 </refsection>
46 <refsection id="options">
47 <title>Options</title>
49 <variablelist>
51 <varlistentry>
52 <term><option>-a</option></term>
53 <listitem>
54 <simpara>the following certfile is base64 encoded</simpara>
55 </listitem>
56 </varlistentry>
58 <varlistentry>
59 <term><option>-b </option> <replaceable>YYMMDDHHMMZ</replaceable></term>
60 <listitem>
61 <simpara>Validate date (default: now)</simpara>
62 </listitem>
63 </varlistentry>
65 <varlistentry>
66 <term><option>-d </option> <replaceable>directory</replaceable></term> <listitem>
67 <simpara>database directory</simpara>
68 </listitem>
69 </varlistentry>
71 <varlistentry>
72 <term><option>-f </option> </term>
73 <listitem>
74 <simpara>Enable cert fetching from AIA URL</simpara>
75 </listitem>
76 </varlistentry>
78 <varlistentry>
79 <term><option>-o </option> <replaceable>oid</replaceable></term>
80 <listitem>
81 <simpara>Set policy OID for cert validation(Format OID.1.2.3)</simpara>
82 </listitem>
83 </varlistentry>
85 <varlistentry>
86 <term><option>-p </option></term>
87 <listitem>
88 <simpara>Use PKIX Library to validate certificate by calling:</simpara>
89 <simpara> * CERT_VerifyCertificate if specified once,</simpara>
90 <simpara> * CERT_PKIXVerifyCert if specified twice and more.</simpara>
91 </listitem>
92 </varlistentry>
94 <varlistentry>
95 <term><option>-r </option></term>
96 <listitem>
97 <simpara>Following certfile is raw binary DER (default)</simpara>
98 </listitem>
99 </varlistentry>
101 <varlistentry>
102 <term><option>-t</option></term>
103 <listitem>
104 <simpara>Following cert is explicitly trusted (overrides db trust)</simpara>
105 </listitem>
106 </varlistentry>
108 <varlistentry>
109 <term><option>-u </option> <replaceable>usage</replaceable></term>
110 <listitem>
111 <para>
112 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
113 4=Email signer, 5=Email recipient, 6=Object signer,
114 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
115 </para>
116 </listitem>
117 </varlistentry>
119 <varlistentry>
120 <term><option>-T </option></term>
121 <listitem>
122 <simpara>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.)
123 </simpara>
124 </listitem>
125 </varlistentry>
127 <varlistentry>
128 <term><option>-v </option></term>
129 <listitem>
130 <simpara>Verbose mode. Prints root cert subject(double the
131 argument for whole root cert info)
132 </simpara>
133 </listitem>
134 </varlistentry>
136 <varlistentry>
137 <term><option>-w </option> <replaceable>password</replaceable></term>
138 <listitem>
139 <simpara>Database password</simpara>
140 </listitem>
141 </varlistentry>
143 <varlistentry>
144 <term><option>-W </option> <replaceable>pwfile</replaceable></term>
145 <listitem>
146 <simpara>Password file</simpara>
147 </listitem>
148 </varlistentry>
150 <varlistentry>
151 <term><option></option></term>
152 <listitem>
153 <simpara>Revocation options for PKIX API (invoked with -pp options) is a
154 collection of the following flags:
155 [-g type [-h flags] [-m type [-s flags]] ...] ...</simpara>
156 <simpara>Where: </simpara>
157 </listitem>
158 </varlistentry>
160 <varlistentry>
161 <term><option>-g </option> <replaceable>test-type</replaceable></term>
162 <listitem>
163 <simpara>Sets status checking test type. Possible values
164 are "leaf" or "chain"
165 </simpara>
166 </listitem>
167 </varlistentry>
169 <varlistentry>
170 <term><option>-g </option> <replaceable>test type</replaceable></term>
171 <listitem>
172 <simpara>Sets status checking test type. Possible values
173 are "leaf" or "chain".
174 </simpara>
175 </listitem>
176 </varlistentry>
178 <varlistentry>
179 <term><option>-h </option> <replaceable>test flags</replaceable></term>
180 <listitem>
181 <simpara>Sets revocation flags for the test type it
182 follows. Possible flags: "testLocalInfoFirst" and
183 "requireFreshInfo".
184 </simpara>
185 </listitem>
186 </varlistentry>
188 <varlistentry>
189 <term><option>-m </option> <replaceable>method type</replaceable></term>
190 <listitem>
191 <simpara>Sets method type for the test type it follows.
192 Possible types are "crl" and "ocsp".
193 </simpara>
194 </listitem>
195 </varlistentry>
196 <varlistentry>
197 <term><option>-s </option> <replaceable>method flags</replaceable></term>
198 <listitem>
199 <simpara>Sets revocation flags for the method it follows.
200 Possible types are "doNotUse", "forbidFetching",
201 "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
202 </simpara>
203 </listitem>
204 </varlistentry>
205 </variablelist>
206 </refsection>
208 <!-- don't change -->
209 <refsection id="resources">
210 <title>Additional Resources</title>
211 <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
212 <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
213 <para>IRC: Freenode at #dogtag-pki</para>
214 </refsection>
216 <!-- fill in your name first; keep the other names for reference -->
217 <refsection id="authors">
218 <title>Authors</title>
219 <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
220 <para>
221 Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
222 </para>
223 </refsection>
225 <!-- don't change -->
226 <refsection id="license">
227 <title>LICENSE</title>
228 <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
229 </para>
230 </refsection>
232 </refentry>
