vfychain.xml (8254B)
1 <?xml version="1.0" encoding="UTF-8"?> 2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ 4 <!ENTITY date SYSTEM "date.xml"> 5 <!ENTITY version SYSTEM "version.xml"> 6 ]> 7 8 <refentry id="vfychain"> 9 10 <refentryinfo> 11 <date>&date;</date> 12 <title>NSS Security Tools</title> 13 <productname>nss-tools</productname> 14 <productnumber>&version;</productnumber> 15 </refentryinfo> 16 17 <refmeta> 18 <refentrytitle>VFYCHAIN</refentrytitle> 19 <manvolnum>1</manvolnum> 20 </refmeta> 21 22 <refnamediv> 23 <refname>vfychain </refname> 24 <refpurpose>vfychain [options] [revocation options] certfile [[options] certfile] ...</refpurpose> 25 </refnamediv> 26 27 <refsynopsisdiv> 28 <cmdsynopsis> 29 <command>vfychain</command> 30 </cmdsynopsis> 31 </refsynopsisdiv> 32 33 <refsection> 34 <title>STATUS</title> 35 <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink> 36 </para> 37 </refsection> 38 39 <refsection id="description"> 40 <title>Description</title> 41 <para>The verification Tool, <command>vfychain</command>, verifies certificate chains. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para> 42 43 <para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para> 44 </refsection> 45 46 <refsection id="options"> 47 <title>Options</title> 48 49 <variablelist> 50 51 <varlistentry> 52 <term><option>-a</option></term> 53 <listitem> 54 <simpara>the following certfile is base64 encoded</simpara> 55 </listitem> 56 </varlistentry> 57 58 <varlistentry> 59 <term><option>-b </option> <replaceable>YYMMDDHHMMZ</replaceable></term> 60 <listitem> 61 <simpara>Validate date (default: now)</simpara> 62 </listitem> 63 </varlistentry> 64 65 <varlistentry> 66 <term><option>-d </option> <replaceable>directory</replaceable></term> <listitem> 67 <simpara>database directory</simpara> 68 </listitem> 69 </varlistentry> 70 71 <varlistentry> 72 <term><option>-f </option> </term> 73 <listitem> 74 <simpara>Enable cert fetching from AIA URL</simpara> 75 </listitem> 76 </varlistentry> 77 78 <varlistentry> 79 <term><option>-o </option> <replaceable>oid</replaceable></term> 80 <listitem> 81 <simpara>Set policy OID for cert validation(Format OID.1.2.3)</simpara> 82 </listitem> 83 </varlistentry> 84 85 <varlistentry> 86 <term><option>-p </option></term> 87 <listitem> 88 <simpara>Use PKIX Library to validate certificate by calling:</simpara> 89 <simpara> * CERT_VerifyCertificate if specified once,</simpara> 90 <simpara> * CERT_PKIXVerifyCert if specified twice and more.</simpara> 91 </listitem> 92 </varlistentry> 93 94 <varlistentry> 95 <term><option>-r </option></term> 96 <listitem> 97 <simpara>Following certfile is raw binary DER (default)</simpara> 98 </listitem> 99 </varlistentry> 100 101 <varlistentry> 102 <term><option>-t</option></term> 103 <listitem> 104 <simpara>Following cert is explicitly trusted (overrides db trust)</simpara> 105 </listitem> 106 </varlistentry> 107 108 <varlistentry> 109 <term><option>-u </option> <replaceable>usage</replaceable></term> 110 <listitem> 111 <para> 112 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 113 4=Email signer, 5=Email recipient, 6=Object signer, 114 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA 115 </para> 116 </listitem> 117 </varlistentry> 118 119 <varlistentry> 120 <term><option>-T </option></term> 121 <listitem> 122 <simpara>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.) 123 </simpara> 124 </listitem> 125 </varlistentry> 126 127 <varlistentry> 128 <term><option>-v </option></term> 129 <listitem> 130 <simpara>Verbose mode. Prints root cert subject(double the 131 argument for whole root cert info) 132 </simpara> 133 </listitem> 134 </varlistentry> 135 136 <varlistentry> 137 <term><option>-w </option> <replaceable>password</replaceable></term> 138 <listitem> 139 <simpara>Database password</simpara> 140 </listitem> 141 </varlistentry> 142 143 <varlistentry> 144 <term><option>-W </option> <replaceable>pwfile</replaceable></term> 145 <listitem> 146 <simpara>Password file</simpara> 147 </listitem> 148 </varlistentry> 149 150 <varlistentry> 151 <term><option></option></term> 152 <listitem> 153 <simpara>Revocation options for PKIX API (invoked with -pp options) is a 154 collection of the following flags: 155 [-g type [-h flags] [-m type [-s flags]] ...] ...</simpara> 156 <simpara>Where: </simpara> 157 </listitem> 158 </varlistentry> 159 160 <varlistentry> 161 <term><option>-g </option> <replaceable>test-type</replaceable></term> 162 <listitem> 163 <simpara>Sets status checking test type. Possible values 164 are "leaf" or "chain" 165 </simpara> 166 </listitem> 167 </varlistentry> 168 169 <varlistentry> 170 <term><option>-g </option> <replaceable>test type</replaceable></term> 171 <listitem> 172 <simpara>Sets status checking test type. Possible values 173 are "leaf" or "chain". 174 </simpara> 175 </listitem> 176 </varlistentry> 177 178 <varlistentry> 179 <term><option>-h </option> <replaceable>test flags</replaceable></term> 180 <listitem> 181 <simpara>Sets revocation flags for the test type it 182 follows. Possible flags: "testLocalInfoFirst" and 183 "requireFreshInfo". 184 </simpara> 185 </listitem> 186 </varlistentry> 187 188 <varlistentry> 189 <term><option>-m </option> <replaceable>method type</replaceable></term> 190 <listitem> 191 <simpara>Sets method type for the test type it follows. 192 Possible types are "crl" and "ocsp". 193 </simpara> 194 </listitem> 195 </varlistentry> 196 <varlistentry> 197 <term><option>-s </option> <replaceable>method flags</replaceable></term> 198 <listitem> 199 <simpara>Sets revocation flags for the method it follows. 200 Possible types are "doNotUse", "forbidFetching", 201 "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo". 202 </simpara> 203 </listitem> 204 </varlistentry> 205 </variablelist> 206 </refsection> 207 208 <!-- don't change --> 209 <refsection id="resources"> 210 <title>Additional Resources</title> 211 <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para> 212 <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para> 213 <para>IRC: Freenode at #dogtag-pki</para> 214 </refsection> 215 216 <!-- fill in your name first; keep the other names for reference --> 217 <refsection id="authors"> 218 <title>Authors</title> 219 <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para> 220 <para> 221 Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. 222 </para> 223 </refsection> 224 225 <!-- don't change --> 226 <refsection id="license"> 227 <title>LICENSE</title> 228 <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. 229 </para> 230 </refsection> 231 232 </refentry>