VFYCHAIN(1) NSS Security Tools VFYCHAIN(1)

vfychain - vfychain [options] [revocation options] certfile [[options]
certfile] ...

vfychain

This documentation is still work in progress. Please contribute to the
initial review in Mozilla NSS bug 836477[1]

The verification tool, vfychain, verifies certificate chains. modutil
can add and delete PKCS #11 modules, change passwords on security
databases, set defaults, list module contents, enable or disable slots,
enable or disable FIPS 140-2 compliance, and assign default providers
for cryptographic operations. This tool can also create certificate,
key, and module security database files.

The tasks associated with security module database management are part
of a process that typically also involves managing key databases and
certificate databases.

-a
The following certfile is base64 encoded

-b YYMMDDHHMMZ
Validate date (default: now)

-d directory
Database directory

-f
Enable cert fetching from AIA URL

-o oid
Set policy OID for cert validation (Format OID.1.2.3)

-p
Use PKIX Library to validate certificate by calling:

* CERT_VerifyCertificate if specified once,

* CERT_PKIXVerifyCert if specified twice and more.

-r
Following certfile is raw binary DER (default)

-t
Following cert is explicitly trusted (overrides db trust)

-u usage
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer,
5=Email recipient, 6=Object signer, 9=ProtectedObjectSigner,
10=OCSP responder, 11=Any CA

-T
Trust both explicit trust anchors (-t) and the database. (Without
this option, the default is to only trust certificates marked -t,
if there are any, or to trust the database if there are no
certificates marked -t.)

-v
Verbose mode. Prints root cert subject (double the argument for
whole root cert info)

-w password
Database password

-W pwfile
Password file

Revocation options for the PKIX API (invoked with the -pp option) are a
collection of the following flags: [-g type [-h flags] [-m type [-s
flags]] ...] ...

Where:

-g test type
Sets status checking test type. Possible values are "leaf" or
"chain".

-h test flags
Sets revocation flags for the test type it follows. Possible flags:
"testLocalInfoFirst" and "requireFreshInfo".

-m method type
Sets method type for the test type it follows. Possible types are
"crl" and "ocsp".

-s method flags
Sets revocation flags for the method it follows. Possible flags are
"doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and
"failIfNoInfo".
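
The nesting of the revocation options described above (-h follows its -g, -s follows its -m), as an added example that is not part of the NSS documentation or sources. The helper name revocation_args, the ./nssdb directory and server.pem are hypothetical, and the helper assumes one flag per -h or -s, since this page does not say how several flags are combined.

```shell
#!/bin/sh
# Added example (not NSS code): compose the revocation part of a
# "vfychain -pp" command line, rejecting values this man page does not list.
# Usage: revocation_args TEST_TYPE TEST_FLAG METHOD[:FLAG] [METHOD[:FLAG] ...]
#        pass "-" as TEST_FLAG to omit -h.
revocation_args() {
    [ "$#" -ge 2 ] || { echo "usage: revocation_args TYPE FLAG [METHOD[:FLAG]...]" >&2; return 2; }
    out=
    case $1 in
        leaf|chain) out="-g $1" ;;
        *) echo "unknown test type: $1" >&2; return 1 ;;
    esac
    case $2 in
        -) ;;                                   # no test flag requested
        testLocalInfoFirst|requireFreshInfo) out="$out -h $2" ;;
        *) echo "unknown test flag: $2" >&2; return 1 ;;
    esac
    shift 2
    for spec in "$@"; do
        method=${spec%%:*}                      # text before the first ':'
        case $method in
            crl|ocsp) out="$out -m $method" ;;
            *) echo "unknown method type: $method" >&2; return 1 ;;
        esac
        case $spec in
            *:*) flag=${spec#*:} ;;             # text after the first ':'
            *)   continue ;;                    # method given without a flag
        esac
        case $flag in
            doNotUse|forbidFetching|ignoreDefaultSrc|requireInfo|failIfNoInfo)
                out="$out -s $flag" ;;
            *) echo "unknown method flag: $flag" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed invocation: SSL server usage (-u 1), hypothetical database
# directory ./nssdb and base64-encoded certificate server.pem.
rev=$(revocation_args leaf requireFreshInfo ocsp:failIfNoInfo crl:doNotUse)
echo "vfychain -pp -v -u 1 -d ./nssdb $rev -a server.pem"
```

The script only prints the command line; run the printed command where vfychain and the certificate database are available.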

For information about NSS and other tools related to NSS (like JSS),
check out the NSS project wiki at
http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

The NSS tools were written and maintained by developers with Netscape,
Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
<dlackey@redhat.com>.

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
was not distributed with this file, You can obtain one at
http://mozilla.org/MPL/2.0/.

1. Mozilla NSS bug 836477
https://bugzilla.mozilla.org/show_bug.cgi?id=836477

nss-tools 5 June 2014 VFYCHAIN(1)