NSS tools : vfychain


   vfychain — vfychain [options] [revocation options] certfile [[options]
   certfile] ...




   The verification Tool, vfychain, verifies certificate chains. modutil can
   add and delete PKCS #11 modules, change passwords on security databases,
   set defaults, list module contents, enable or disable slots, enable or
   disable FIPS 140-2 compliance, and assign default providers for
   cryptographic operations. This tool can also create certificate, key, and
   module security database files.

   The tasks associated with security module database management are part of
   a process that typically also involves managing key databases and
   certificate databases.


           the following certfile is base64 encoded

           Validate date (default: now)

   -d directory
           database directory

           Enable cert fetching from AIA URL

   -o oid
           Set policy OID for cert validation(Format OID.1.2.3)


           Use PKIX Library to validate certificate by calling:

           * CERT_VerifyCertificate if specified once,

           * CERT_PKIXVerifyCert if specified twice and more.

           Following certfile is raw binary DER (default)

           Following cert is explicitly trusted (overrides db trust)

   -u usage

           0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email
           signer, 5=Email recipient, 6=Object signer,
           9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA

           Verbose mode. Prints root cert subject(double the argument for
           whole root cert info)

   -w password
           Database password

   -W pwfile
           Password file

           Revocation options for PKIX API (invoked with -pp options) is a
           collection of the following flags: [-g type [-h flags] [-m type
           [-s flags]] ...] ...


   -g test-type
           Sets status checking test type. Possible values are "leaf" or

   -g test type
           Sets status checking test type. Possible values are "leaf" or

   -h test flags
           Sets revocation flags for the test type it follows. Possible
           flags: "testLocalInfoFirst" and "requireFreshInfo".

   -m method type
           Sets method type for the test type it follows. Possible types are
           "crl" and "ocsp".

   -s method flags
           Sets revocation flags for the method it follows. Possible types
           are "doNotUse", "forbidFetching", "ignoreDefaultSrc",
           "requireInfo" and "failIfNoInfo".

Additional Resources

   For information about NSS and other tools related to NSS (like JSS), check
   out the NSS project wiki at
   [1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
   directly to NSS code changes and releases.

   Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

   IRC: Freenode at #dogtag-pki


   The NSS tools were written and maintained by developers with Netscape, Red
   Hat, and Sun.

   Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey


   (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.


   Visible links
   1. http://www.mozilla.org/projects/security/pki/nss/