can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140\-2 compliance, and assign default providers for cryptographic operations\&. This tool can also create certificate, key, and module security database files\&.
.PP
The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases\&.
.SH"OPTIONS"
.PP
\fB\-a\fR
.RS4
the following certfile is base64 encoded
.RE
.PP
\fB\-b \fR\fIYYMMDDHHMMZ\fR
.RS4
Validate date (default: now)
.RE
.PP
\fB\-d \fR\fIdirectory\fR
.RS4
database directory
.RE
.PP
\fB\-f \fR
.RS4
Enable cert fetching from AIA URL
.RE
.PP
\fB\-o \fR\fIoid\fR
.RS4
Set policy OID for cert validation(Format OID\&.1\&.2\&.3)
.RE
.PP
\fB\-p \fR
.RS4
Use PKIX Library to validate certificate by calling:
.sp
* CERT_VerifyCertificate if specified once,
.sp
* CERT_PKIXVerifyCert if specified twice and more\&.
.RE
.PP
\fB\-r \fR
.RS4
Following certfile is raw binary DER (default)
.RE
.PP
\fB\-t\fR
.RS4
Following cert is explicitly trusted (overrides db trust)
.RE
.PP
\fB\-u \fR\fIusage\fR
.RS4
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
.RE
.PP
\fB\-T \fR
.RS4
Trust both explicit trust anchors (\-t) and the database\&. (Without this option, the default is to only trust certificates marked \-t, if there are any, or to trust the database if there are certificates marked \-t\&.)
.RE
.PP
\fB\-v \fR
.RS4
Verbose mode\&. Prints root cert subject(double the argument for whole root cert info)
.RE
.PP
\fB\-w \fR\fIpassword\fR
.RS4
Database password
.RE
.PP
\fB\-W \fR\fIpwfile\fR
.RS4
Password file
.RE
.PP
.RS4
Revocation options for PKIX API (invoked with \-pp options) is a collection of the following flags: [\-g type [\-h flags] [\-m type [\-s flags]] \&.\&.\&.] \&.\&.\&.
.sp
Where:
.RE
.PP
\fB\-g \fR\fItest\-type\fR
.RS4
Sets status checking test type\&. Possible values are "leaf" or "chain"
.RE
.PP
\fB\-g \fR\fItest type\fR
.RS4
Sets status checking test type\&. Possible values are "leaf" or "chain"\&.
.RE
.PP
\fB\-h \fR\fItest flags\fR
.RS4
Sets revocation flags for the test type it follows\&. Possible flags: "testLocalInfoFirst" and "requireFreshInfo"\&.
.RE
.PP
\fB\-m \fR\fImethod type\fR
.RS4
Sets method type for the test type it follows\&. Possible types are "crl" and "ocsp"\&.
.RE
.PP
\fB\-s \fR\fImethod flags\fR
.RS4
Sets revocation flags for the method it follows\&. Possible types are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo"\&.
.RE
.SH"ADDITIONAL RESOURCES"
.PP
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&.
