VFYCHAIN

Name

vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...

Synopsis

vfychain

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477.

Description

The verification tool, vfychain, verifies certificate chains. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.

Options

-a
The following certfile is base64 encoded
-b YYMMDDHHMMZ
Validate date (default: now)
-d directory
database directory
-f
Enable cert fetching from AIA URL
-o oid
Set policy OID for cert validation (format: OID.1.2.3)
-p

Use PKIX Library to validate certificate by calling:

* CERT_VerifyCertificate if specified once,

* CERT_PKIXVerifyCert if specified twice and more.

-r
Following certfile is raw binary DER (default)
-t
Following cert is explicitly trusted (overrides db trust)
-u usage

0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA

-T
Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are no certificates marked -t.)
-v
Verbose mode. Prints root cert subject (double the argument for whole root cert info)
-w password
Database password
-W pwfile
Password file

The revocation options for the PKIX API (invoked with the -pp option) are a collection of the following flags: [-g type [-h flags] [-m type [-s flags]] ...] ...

Where:

-g test type
Sets status checking test type. Possible values are "leaf" or "chain".
-h test flags
Sets revocation flags for the test type it follows. Possible flags: "testLocalInfoFirst" and "requireFreshInfo".
-m method type
Sets method type for the test type it follows. Possible types are "crl" and "ocsp".
-s method flags
Sets revocation flags for the method it follows. Possible types are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
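The following wrapper script is an added example, not part of the NSS tools or this man page. It composes a vfychain invocation that checks an SSL server chain with the PKIX engine (-pp) and a strict revocation policy built from the -g/-h/-m/-s options above, showing the ordering the synopsis requires (global and revocation options before the first certfile, per-cert options before each certfile). The database path and file names are placeholders, and it assumes one flag per -h/-s argument, since the page does not say whether several flags can be combined in one argument.

```shell
#!/bin/sh
# Added example wrapper around vfychain (not NSS code). DBDIR is a
# placeholder NSS database directory; override it in the environment.
DBDIR="${DBDIR:-/etc/pki/nssdb}"

# Compose one PKIX revocation policy from the man page's option grammar:
#   -g leaf|chain     which certificates get status-checked
#   -h <test flag>    testLocalInfoFirst | requireFreshInfo
#   -m crl|ocsp       method used by that test
#   -s <method flag>  doNotUse | forbidFetching | ignoreDefaultSrc |
#                     requireInfo | failIfNoInfo
# Assumption: a single flag per -h and per -s (the page does not document
# combining several flags in one argument).
revocation_args() {
    test_type=$1; test_flag=$2; method=$3; method_flag=$4
    printf '%s' "-g $test_type -h $test_flag -m $method -s $method_flag"
}

# Build the full command line for an SSL server chain: -pp selects
# CERT_PKIXVerifyCert, -u 1 is the SSL-server usage, and -r marks each
# following file as raw DER. Revocation options must precede the first
# certfile; the leaf comes first, then any intermediates.
server_chain_cmd() {
    leaf=$1; shift
    rev=$(revocation_args chain requireFreshInfo ocsp failIfNoInfo)
    cmd="vfychain -d $DBDIR -pp -u 1 $rev -r $leaf"
    for intermediate in "$@"; do
        cmd="$cmd -r $intermediate"
    done
    printf '%s' "$cmd"
}

# Run the check. A missing input file is a failure, never a silent pass,
# so a mis-deployed chain cannot look valid. The command line is echoed
# so the policy that was actually applied is visible in logs.
verify_server_chain() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing certificate file: $f" >&2; return 1; }
    done
    cmd=$(server_chain_cmd "$@")
    echo "running: $cmd"
    $cmd
}

# Usage with placeholder file names; only runs when the leaf exists.
if [ -f server.der ]; then
    verify_server_chain server.der intermediate.der
fi
```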

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.