<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div>
<div class="refentry"><a name="vfychain"></a><div class="titlepage"></div>
<div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div>
<div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code></p></div></div>
<div class="refsection"><a name="idm233261246224"></a><h2>STATUS</h2><p>This documentation is still a work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><divclass="refsection"><aname="description"></a><h2>Description</h2><p>The verification Tool, <spanclass="command"><strong>vfychain</strong></span>, verifies certificate chains. <spanclass="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><divclass="refsection"><aname="options"></a><h2>Options</h2><divclass="variablelist"><dlclass="variablelist"><dt><spanclass="term"><codeclass="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><spanclass="term"><codeclass="option">-b </code><emclass="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><spanclass="term"><codeclass="option">-d </code><emclass="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><spanclass="term"><codeclass="option">-f </code></span></dt><dd>Enable cert fetching from AIA URL</dd><dt><spanclass="term"><codeclass="option">-o </code><emclass="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><spanclass="term"><codeclass="option">-p </code></span></dt><dd><pclass="simpara">Use PKIX Library to validate certificate by calling:</p><pclass="simpara"> * CERT_VerifyCertificate if specified once,</p><pclass="simpara"> * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><spanclass="term"><codeclass="option">-r </code></span></dt><dd>Following certfile is raw binary DER 
(default)</dd><dt><spanclass="term"><codeclass="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><spanclass="term"><codeclass="option">-u </code><emclass="replaceable"><code>usage</code></em></span></dt><dd><p>
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
</p></dd><dt><spanclass="term"><codeclass="option">-T </code></span></dt><dd>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.)
</dd><dt><spanclass="term"><codeclass="option">-v </code></span></dt><dd>Verbose mode. Prints root cert subject(double the
argument for whole root cert info)
</dd><dt><spanclass="term"><codeclass="option">-w </code><emclass="replaceable"><code>password</code></em></span></dt><dd>Database password</dd><dt><spanclass="term"><codeclass="option">-W </code><emclass="replaceable"><code>pwfile</code></em></span></dt><dd>Password file</dd><dt><spanclass="term"><codeclass="option"></code></span></dt><dd><pclass="simpara">Revocation options for PKIX API (invoked with -pp options) is a
collection of the following flags:
[-g type [-h flags] [-m type [-s flags]] ...] ...</p><pclass="simpara">Where: </p></dd><dt><spanclass="term"><codeclass="option">-g </code><emclass="replaceable"><code>test-type</code></em></span></dt><dd>Sets status checking test type. Possible values
are "leaf" or "chain"
</dd><dt><spanclass="term"><codeclass="option">-g </code><emclass="replaceable"><code>test type</code></em></span></dt><dd>Sets status checking test type. Possible values
are "leaf" or "chain".
</dd><dt><spanclass="term"><codeclass="option">-h </code><emclass="replaceable"><code>test flags</code></em></span></dt><dd>Sets revocation flags for the test type it
follows. Possible flags: "testLocalInfoFirst" and
"requireFreshInfo".
</dd><dt><spanclass="term"><codeclass="option">-m </code><emclass="replaceable"><code>method type</code></em></span></dt><dd>Sets method type for the test type it follows.
Possible types are "crl" and "ocsp".
</dd><dt><spanclass="term"><codeclass="option">-s </code><emclass="replaceable"><code>method flags</code></em></span></dt><dd>Sets revocation flags for the method it follows.
Possible types are "doNotUse", "forbidFetching",
"ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
</dd></dl></div></div>
<div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div>
<div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p></div>
<div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.