| '\" t |
| .\" Title: VFYCHAIN |
| .\" Author: [see the "Authors" section] |
| .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> |
| .\" Date: 5 June 2014 |
| .\" Manual: NSS Security Tools |
| .\" Source: nss-tools |
| .\" Language: English |
| .\" |
| .TH "VFYCHAIN" "1" "5 June 2014" "nss-tools" "NSS Security Tools" |
| .\" ----------------------------------------------------------------- |
| .\" * Define some portability stuff |
| .\" ----------------------------------------------------------------- |
| .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| .\" http://bugs.debian.org/507673 |
| .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html |
| .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| .ie \n(.g .ds Aq \(aq |
| .el .ds Aq ' |
| .\" ----------------------------------------------------------------- |
| .\" * set default formatting |
| .\" ----------------------------------------------------------------- |
| .\" disable hyphenation |
| .nh |
| .\" disable justification (adjust text to left margin only) |
| .ad l |
| .\" ----------------------------------------------------------------- |
| .\" * MAIN CONTENT STARTS HERE * |
| .\" ----------------------------------------------------------------- |
| .SH "NAME" |
| vfychain \- verify certificate chains |
| .SH "SYNOPSIS" |
| .HP \w'\fBvfychain\fR\ 'u |
| \fBvfychain\fR [options] [revocation options] certfile [[options] certfile] \&.\&.\&. |
| .SH "STATUS" |
| .PP |
| This documentation is still work in progress\&. Please contribute to the initial review in |
| \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 |
| .SH "DESCRIPTION" |
| .PP |
| The verification tool, |
| \fBvfychain\fR, verifies certificate chains\&. |
| \fBmodutil\fR |
| can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140\-2 compliance, and assign default providers for cryptographic operations\&. This tool can also create certificate, key, and module security database files\&. |
| .PP |
| The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases\&. |
| .SH "OPTIONS" |
| .PP |
| \fB\-a\fR |
| .RS 4 |
| The following certfile is base64 encoded |
| .RE |
| .PP |
| \fB\-b \fR \fIYYMMDDHHMMZ\fR |
| .RS 4 |
| Validation date (default: now) |
| .RE |
| .PP |
| \fB\-d \fR \fIdirectory\fR |
| .RS 4 |
| database directory |
| .RE |
| .PP |
| \fB\-f \fR |
| .RS 4 |
| Enable cert fetching from AIA URL |
| .RE |
| .PP |
| \fB\-o \fR \fIoid\fR |
| .RS 4 |
| Set policy OID for cert validation (Format OID\&.1\&.2\&.3) |
| .RE |
| .PP |
| \fB\-p \fR |
| .RS 4 |
| Use PKIX Library to validate certificate by calling: |
| .sp |
| * CERT_VerifyCertificate if specified once, |
| .sp |
| * CERT_PKIXVerifyCert if specified twice or more\&. |
| .RE |
| .PP |
| \fB\-r \fR |
| .RS 4 |
| The following certfile is raw binary DER (default) |
| .RE |
| .PP |
| \fB\-t\fR |
| .RS 4 |
| The following cert is explicitly trusted (overrides db trust) |
| .RE |
| .PP |
| \fB\-u \fR \fIusage\fR |
| .RS 4 |
| 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA |
| .RE |
| .PP |
| \fB\-T \fR |
| .RS 4 |
| Trust both explicit trust anchors (\-t) and the database\&. (Without this option, the default is to trust only certificates marked \-t, if there are any, or to trust the database if there are no certificates marked \-t\&.) |
| .RE |
| .PP |
| \fB\-v \fR |
| .RS 4 |
| Verbose mode\&. Prints root cert subject (double the argument for whole root cert info) |
| .RE |
| .PP |
| \fB\-w \fR \fIpassword\fR |
| .RS 4 |
| Database password |
| .RE |
| .PP |
| \fB\-W \fR \fIpwfile\fR |
| .RS 4 |
| Password file |
| .RE |
| .PP |
| .RS 4 |
| Revocation options for the PKIX API (invoked with \-pp) are a collection of the following flags: [\-g type [\-h flags] [\-m type [\-s flags]] \&.\&.\&.] \&.\&.\&. |
| .sp |
| Where: |
| .RE |
| .PP |
| \fB\-g \fR \fItest\-type\fR |
| .RS 4 |
| Sets status checking test type\&. Possible values are "leaf" or "chain"\&. |
| .RE |
| .PP |
| \fB\-h \fR \fItest flags\fR |
| .RS 4 |
| Sets revocation flags for the test type it follows\&. Possible flags: "testLocalInfoFirst" and "requireFreshInfo"\&. |
| .RE |
| .PP |
| \fB\-m \fR \fImethod type\fR |
| .RS 4 |
| Sets method type for the test type it follows\&. Possible types are "crl" and "ocsp"\&. |
| .RE |
| .PP |
| \fB\-s \fR \fImethod flags\fR |
| .RS 4 |
| Sets revocation flags for the method it follows\&. Possible flags are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo"\&. |
| .RE |
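| .SH "EXAMPLES" |
| .PP |
| The revocation options are positional: \-h and \-m apply to the \-g they follow, and \-s applies to the \-m it follows\&. The script below is an added example, not part of the NSS sources: it checks a revocation\-option sequence against the values and ordering described above and prints (does not run) a \-pp invocation\&. The function names and the database and certificate paths are constructed for illustration\&. |

```shell
#!/bin/sh
# Added example (not from the NSS sources): lint a vfychain revocation-option
# sequence. Allowed values and ordering come from the option descriptions in
# this page; function names and sample paths are constructed.

bad() { echo "vfychain options: $*" >&2; }

check_revocation_opts() {
    have_test=0; have_method=0
    while [ "$#" -gt 0 ]; do
        [ "$#" -ge 2 ] || { bad "missing value for $1"; return 1; }
        case "$1" in
            -g) case "$2" in leaf|chain) ;; *) bad "test type '$2'"; return 1 ;; esac
                have_test=1; have_method=0 ;;  # a new test type opens a new method scope
            -h) [ "$have_test" -eq 1 ] || { bad "-h must follow a -g"; return 1; }
                case "$2" in testLocalInfoFirst|requireFreshInfo) ;;
                    *) bad "test flag '$2'"; return 1 ;; esac ;;
            -m) [ "$have_test" -eq 1 ] || { bad "-m must follow a -g"; return 1; }
                case "$2" in crl|ocsp) ;; *) bad "method type '$2'"; return 1 ;; esac
                have_method=1 ;;
            -s) [ "$have_method" -eq 1 ] || { bad "-s must follow a -m"; return 1; }
                case "$2" in doNotUse|forbidFetching|ignoreDefaultSrc|requireInfo|failIfNoInfo) ;;
                    *) bad "method flag '$2'"; return 1 ;; esac ;;
            *)  bad "'$1' is not a revocation option"; return 1 ;;
        esac
        shift 2
    done
}

# Print a PKIX invocation in synopsis order: options, revocation options,
# certfile. -pp selects CERT_PKIXVerifyCert, -u 1 is SSL server usage,
# -a marks the following certfile as base64 encoded.
vfychain_cmd() {   # usage: vfychain_cmd DBDIR CERTFILE REVOCATION-OPTS...
    db=$1; cert=$2; shift 2
    check_revocation_opts "$@" || return 1
    echo "vfychain -pp -d $db -u 1 $* -a $cert"
}

# Constructed sample: OCSP on the leaf, CRL on the rest of the chain.
vfychain_cmd /path/to/nssdb server.pem \
    -g leaf -h requireFreshInfo -m ocsp -s requireInfo \
    -g chain -m crl -s forbidFetching
```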
| .SH "ADDITIONAL RESOURCES" |
| .PP |
| For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at |
| \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. |
| .PP |
| Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto |
| .PP |
| IRC: Freenode at #dogtag\-pki |
| .SH "AUTHORS" |
| .PP |
| The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. |
| .PP |
| Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&. |
| .SH "LICENSE" |
| .PP |
| Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. |
| .SH "NOTES" |
| .IP " 1." 4 |
| Mozilla NSS bug 836477 |
| .RS 4 |
| \%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 |
| .RE |