NSS Security Tools (nss-tools)

VFYCHAIN(1)

Synopsis
vfychain [options] [revocation options] certfile [[options] certfile] ...

STATUS
This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477.

Description
The verification tool, vfychain, verifies certificate chains. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.
Options
-a
    The following certfile is base64 encoded.
-b YYMMDDHHMMZ
    Validate date (default: now).
-d directory
    Database directory.
-f
    Enable cert fetching from AIA URL.
-o oid
    Set policy OID for cert validation (format OID.1.2.3).
-p
    Use PKIX Library to validate certificate by calling:
    * CERT_VerifyCertificate if specified once,
    * CERT_PKIXVerifyCert if specified twice and more.
-r
    Following certfile is raw binary DER (default).
-t
    Following cert is explicitly trusted (overrides db trust).
-u usage
    0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
    4=Email signer, 5=Email recipient, 6=Object signer,
    9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
-T
    Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are no certificates marked -t.)
-v
    Verbose mode. Prints root cert subject (double the argument for whole root cert info).
-w password
    Database password.
-W pwfile
    Password file.

Revocation options for the PKIX API (invoked with -pp) are a collection of the following flags:
    [-g type [-h flags] [-m type [-s flags]] ...] ...
Where:
-g test type
    Sets status checking test type. Possible values are "leaf" or "chain".
-h test flags
    Sets revocation flags for the test type it follows. Possible flags: "testLocalInfoFirst" and "requireFreshInfo".
-m method type
    Sets method type for the test type it follows. Possible types are "crl" and "ocsp".
-s method flags
    Sets revocation flags for the method it follows. Possible types are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".

Additional Resources
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.
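As an added example (not from the NSS manpage or source tree), the following POSIX shell script assembles a vfychain invocation for an SSL server chain, checking every -g/-h/-m/-s value against the sets listed above before it reaches the command line. The database path ./nssdb and the *.der file names are constructed placeholders, and the helper assumes one flag per -h or -s occurrence.

```shell
# Added example, not part of the NSS manpage or source tree: builds a vfychain
# command for an SSL server chain, checking every -g/-h/-m/-s value against the
# sets the manpage documents. ./nssdb and the *.der names are constructed.

# check_value <kind> <value>: fail on anything outside the documented sets.
check_value() {
  case "$1:$2" in
    test:leaf|test:chain) ;;
    testflag:testLocalInfoFirst|testflag:requireFreshInfo) ;;
    method:crl|method:ocsp) ;;
    methodflag:doNotUse|methodflag:forbidFetching|methodflag:ignoreDefaultSrc) ;;
    methodflag:requireInfo|methodflag:failIfNoInfo) ;;
    *) echo "vfychain: invalid $1 value '$2'" >&2; return 1 ;;
  esac
}

# revocation_opts <test-type> <test-flag|-> [<method> <method-flag|->]...
# Prints one "-g type [-h flags] [-m type [-s flags]] ..." group; "-" means no
# flags. Assumes one flag per -h/-s occurrence (the grammar does not say
# whether several may be combined).
revocation_opts() {
  check_value test "$1" || return 1
  out="-g $1"
  if [ "$2" != "-" ]; then check_value testflag "$2" || return 1; out="$out -h $2"; fi
  shift 2
  while [ $# -ge 2 ]; do
    check_value method "$1" || return 1
    out="$out -m $1"
    if [ "$2" != "-" ]; then check_value methodflag "$2" || return 1; out="$out -s $2"; fi
    shift 2
  done
  [ $# -eq 0 ] || { echo "vfychain: method '$1' needs a flag field (use -)" >&2; return 1; }
  printf '%s\n' "$out"
}

# Policy: the leaf must have fresh OCSP data; the rest of the chain may use CRLs.
LEAF_OPTS=$(revocation_opts leaf requireFreshInfo ocsp requireInfo) || exit 1
CHAIN_OPTS=$(revocation_opts chain - crl -) || exit 1

# Full command: -pp selects CERT_PKIXVerifyCert, -u 1 is the SSL server usage,
# -t marks the root that follows it as an explicit trust anchor.
vfychain_cmd() {
  printf '%s\n' "vfychain -d ./nssdb -pp -u 1 $LEAF_OPTS $CHAIN_OPTS server.der intermediate.der -t root.der"
}

# Run only when the tools and inputs are present; otherwise just show the command.
if command -v vfychain >/dev/null 2>&1 && [ -f server.der ]; then eval "$(vfychain_cmd)"; else vfychain_cmd; fi
```

The exit status of vfychain itself is what a script should act on; the builder above only rejects option values the tool would not understand.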
Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
IRC: Freenode at #dogtag-pki

Authors
The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.

LICENSE
Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.