vfychain_ - vfychain [options] [revocation options] certfile [[options] certfile] ...
Additional Resources
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and
releases.
Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
IRC: Freenode at #dogtag-pki
Description
The verification tool, vfychain, verifies certificate chains. modutil can add and delete PKCS #11
modules, change passwords on security databases, set defaults, list module contents, enable or disable
slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic
operations. This tool can also create certificate, key, and module security database files.
The tasks associated with security module database management are part of a process that typically also
involves managing key databases and certificate databases.
License
Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
Name
vfychain_ - vfychain [options] [revocation options] certfile [[options] certfile] ...
Notes
1. Mozilla NSS bug 836477
https://bugzilla.mozilla.org/show_bug.cgi?id=836477
nss-tools 19 May 2021 VFYCHAIN(1)
Options
-a
The following certfile is base64 encoded
-b YYMMDDHHMMZ
Validate date (default: now)
-d directory
database directory
-f
Enable cert fetching from AIA URL
-o oid
Set policy OID for cert validation (Format OID.1.2.3)
-p
Use PKIX Library to validate certificate by calling:
* CERT_VerifyCertificate if specified once,
* CERT_PKIXVerifyCert if specified twice or more.
-r
Following certfile is raw binary DER (default)
-t
Following cert is explicitly trusted (overrides db trust)
-u usage
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object
signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
-T
Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only
trust certificates marked -t, if there are any, or to trust the database if there are no certificates
marked -t.)
-v
Verbose mode. Prints root cert subject (double the argument for whole root cert info)
-w password
Database password
-W pwfile
Password file
Revocation options for the PKIX API (invoked with the -pp option) are a collection of the following flags:
[-g type [-h flags] [-m type [-s flags]] ...] ...
Where:
-g testtype
Sets status checking test type. Possible values are "leaf" or "chain".
-h testflags
Sets revocation flags for the test type it follows. Possible flags: "testLocalInfoFirst" and
"requireFreshInfo".
-m methodtype
Sets method type for the test type it follows. Possible types are "crl" and "ocsp".
-s methodflags
Sets revocation flags for the method it follows. Possible flags are "doNotUse", "forbidFetching",
"ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
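The revocation flags are positional, so their order on the command line matters. The following is an added example, not part of the NSS documentation: a small shell helper that checks the values against the lists above and composes a vfychain command line in the required order. The helper names, `./nssdb` and `server.pem` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: compose (not run) a vfychain command line with revocation
# checking. Only flags and values listed on this page are used. The paths are
# placeholders and are assumed to contain no spaces.

# Return 0 if $1 equals one of the remaining arguments.
one_of() {
    needle=$1; shift
    for v in "$@"; do
        if [ "$v" = "$needle" ]; then return 0; fi
    done
    return 1
}

# revocation_args TESTTYPE TESTFLAG METHOD METHODFLAG
# Prints "-g .. -h .. -m .. -s .." in positional order: -h and -m apply to
# the -g they follow, and -s applies to the -m it follows.
revocation_args() {
    one_of "$1" leaf chain ||
        { echo "bad test type: $1" >&2; return 2; }
    one_of "$2" testLocalInfoFirst requireFreshInfo ||
        { echo "bad test flag: $2" >&2; return 2; }
    one_of "$3" crl ocsp ||
        { echo "bad method type: $3" >&2; return 2; }
    one_of "$4" doNotUse forbidFetching ignoreDefaultSrc requireInfo failIfNoInfo ||
        { echo "bad method flag: $4" >&2; return 2; }
    printf '%s' "-g $1 -h $2 -m $3 -s $4"
}

# vfychain_cmd DBDIR USAGE CERTFILE TESTTYPE TESTFLAG METHOD METHODFLAG
vfychain_cmd() {
    dbdir=$1; usage=$2; cert=$3; shift 3
    rev=$(revocation_args "$@") || return 2
    # -pp selects CERT_PKIXVerifyCert, the API the revocation options apply to.
    # -a describes the certfile that follows it, so it goes directly before it.
    printf '%s\n' "vfychain -pp -v -d $dbdir -u $usage $rev -a $cert"
}

# SSL server usage (1), OCSP status check on the leaf certificate.
vfychain_cmd ./nssdb 1 server.pem leaf requireFreshInfo ocsp failIfNoInfo
```

A value outside the documented lists makes the helper return a non-zero status and print nothing to standard output, so a typo does not silently produce a command line with a different revocation policy.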
Status
This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477[1].
Synopsis
vfychain
