NSS Security Tools

diff -r 000000000000 -r 6474c204b198 security/nss/doc/vfychain.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/nss/doc/vfychain.xml Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,232 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + VFYCHAIN + 1 + + + + vfychain + vfychain [options] [revocation options] certfile [[options] certfile] ... + + + + + vfychain + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + The verification Tool, vfychain, verifies certificate chains. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files. + + The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases. + + + + Options + + + + + + + the following certfile is base64 encoded + + + + + YYMMDDHHMMZ + + Validate date (default: now) + + + + + directory + database directory + + + + + + + Enable cert fetching from AIA URL + + + + + oid + + Set policy OID for cert validation(Format OID.1.2.3) + + + + + + + Use PKIX Library to validate certificate by calling: + * CERT_VerifyCertificate if specified once, + * CERT_PKIXVerifyCert if specified twice and more. + + + + + + + Following certfile is raw binary DER (default) + + + + + + + Following cert is explicitly trusted (overrides db trust) + + + + + usage + + + 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, + 4=Email signer, 5=Email recipient, 6=Object signer, + 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA + + + + + + + + Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.) + + + + + + + + Verbose mode. Prints root cert subject(double the + argument for whole root cert info) + + + + + + password + + Database password + + + + + pwfile + + Password file + + + + + + + Revocation options for PKIX API (invoked with -pp options) is a + collection of the following flags: + [-g type [-h flags] [-m type [-s flags]] ...] ... + Where: + + + + + test-type + + Sets status checking test type. Possible values + are "leaf" or "chain" + + + + + + test type + + Sets status checking test type. Possible values + are "leaf" or "chain". + + + + + + test flags + + Sets revocation flags for the test type it + follows. Possible flags: "testLocalInfoFirst" and + "requireFreshInfo". + + + + + + method type + + Sets method type for the test type it follows. + Possible types are "crl" and "ocsp". + + + + + method flags + + Sets revocation flags for the method it follows. + Possible types are "doNotUse", "forbidFetching", + "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo". + + + + + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + +