| blob | 40df936da2b63ffc24283880aedc9f081f9757a6 |
1 /*
2 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33 /* $Id$ */
35 command = {
36 name = "list-oids"
37 help = "List known OIDs"
38 function = "hxtool_list_oids"
39 min_args="0"
40 max_args="0"
41 }
42 command = {
43 name = "cms-create-sd"
44 name = "cms-sign"
45 option = {
46 long = "certificate"
47 short = "c"
48 type = "strings"
49 argument = "certificate-store"
50 help = "certificate stores to pull certificates from"
51 }
52 option = {
53 long = "signer"
54 short = "s"
55 type = "string"
56 argument = "signer-friendly-name"
57 help = "certificate to sign with"
58 }
59 option = {
60 long = "anchors"
61 type = "strings"
62 argument = "certificate-store"
63 help = "trust anchors"
64 }
65 option = {
66 long = "pool"
67 type = "strings"
68 argument = "certificate-pool"
69 help = "certificate store to pull certificates from"
70 }
71 option = {
72 long = "pass"
73 type = "strings"
74 argument = "password"
75 help = "password, prompter, or environment"
76 }
77 option = {
78 long = "peer-alg"
79 type = "strings"
80 argument = "oid"
81 help = "oid that the peer support"
82 }
83 option = {
84 long = "content-type"
85 type = "string"
86 argument = "oid"
87 help = "content type oid"
88 }
89 option = {
90 long = "content-info"
91 type = "flag"
92 help = "wrapped out-data in a ContentInfo"
93 }
94 option = {
95 long = "pem"
96 type = "flag"
97 help = "wrap out-data in PEM armor"
98 }
99 option = {
100 long = "detached-signature"
101 type = "flag"
102 help = "create a detached signature"
103 }
104 option = {
105 long = "signer"
106 type = "-flag"
107 help = "do not sign"
108 }
109 option = {
110 long = "id-by-name"
111 type = "flag"
112 help = "use subject name for CMS Identifier"
113 }
114 option = {
115 long = "embedded-certs"
116 type = "-flag"
117 help = "don't embed certificates"
118 }
119 option = {
120 long = "embed-leaf-only"
121 type = "flag"
122 help = "only embed leaf certificate"
123 }
124 min_args="1"
125 max_args="2"
126 argument="in-file out-file"
127 help = "Wrap a file within a SignedData object"
128 }
129 command = {
130 name = "cms-verify-sd"
131 option = {
132 long = "anchors"
133 short = "D"
134 type = "strings"
135 argument = "certificate-store"
136 help = "trust anchors"
137 }
138 option = {
139 long = "certificate"
140 short = "c"
141 type = "strings"
142 argument = "certificate-store"
143 help = "certificate store to pull certificates from"
144 }
145 option = {
146 long = "pass"
147 type = "strings"
148 argument = "password"
149 help = "password, prompter, or environment"
150 }
151 option = {
152 long = "missing-revoke"
153 type = "flag"
154 help = "missing CRL/OCSP is ok"
155 }
156 option = {
157 long = "content-info"
158 type = "flag"
159 help = "unwrap in-data that's in a ContentInfo"
160 }
161 option = {
162 long = "pem"
163 type = "flag"
164 help = "unwrap in-data from PEM armor"
165 }
166 option = {
167 long = "signer-allowed"
168 type = "-flag"
169 help = "allow no signer"
170 }
171 option = {
172 long = "allow-wrong-oid"
173 type = "flag"
174 help = "allow wrong oid flag"
175 }
176 option = {
177 long = "signed-content"
178 type = "string"
179 help = "file containing content"
180 }
181 option = {
182 long = "oid-sym"
183 type = "flag"
184 help = "show symbolic name for OID"
185 }
186 min_args="1"
187 max_args="2"
188 argument="in-file [out-file]"
189 help = "Verify a file within a SignedData object"
190 }
191 command = {
192 name = "cms-unenvelope"
193 option = {
194 long = "certificate"
195 short = "c"
196 type = "strings"
197 argument = "certificate-store"
198 help = "certificate used to decrypt the data"
199 }
200 option = {
201 long = "pass"
202 type = "strings"
203 argument = "password"
204 help = "password, prompter, or environment"
205 }
206 option = {
207 long = "content-info"
208 type = "flag"
209 help = "wrapped out-data in a ContentInfo"
210 }
211 option = {
212 long = "allow-weak-crypto"
213 type = "flag"
214 help = "allow weak crypto"
215 }
216 min_args="2"
217 argument="in-file out-file"
218 help = "Unenvelope a file containing a EnvelopedData object"
219 }
220 command = {
221 name = "cms-envelope"
222 function = "cms_create_enveloped"
223 option = {
224 long = "certificate"
225 short = "c"
226 type = "strings"
227 argument = "certificate-store"
228 help = "certificates used to receive the data"
229 }
230 option = {
231 long = "pass"
232 type = "strings"
233 argument = "password"
234 help = "password, prompter, or environment"
235 }
236 option = {
237 long = "encryption-type"
238 type = "string"
239 argument = "enctype"
240 help = "enctype"
241 }
242 option = {
243 long = "content-type"
244 type = "string"
245 argument = "oid"
246 help = "content type oid"
247 }
248 option = {
249 long = "content-info"
250 type = "flag"
251 help = "wrapped out-data in a ContentInfo"
252 }
253 option = {
254 long = "allow-weak-crypto"
255 type = "flag"
256 help = "allow weak crypto"
257 }
258 min_args="2"
259 argument="in-file out-file"
260 help = "Envelope a file containing a EnvelopedData object"
261 }
262 command = {
263 name = "verify"
264 function = "pcert_verify"
265 option = {
266 long = "pass"
267 type = "strings"
268 argument = "password"
269 help = "password, prompter, or environment"
270 }
271 option = {
272 long = "allow-proxy-certificate"
273 type = "flag"
274 help = "allow proxy certificates"
275 }
276 option = {
277 long = "missing-revoke"
278 type = "flag"
279 help = "missing CRL/OCSP is ok"
280 }
281 option = {
282 long = "time"
283 type = "string"
284 help = "time when to validate the chain"
285 }
286 option = {
287 long = "verbose"
288 short = "v"
289 type = "flag"
290 help = "verbose logging"
291 }
292 option = {
293 long = "max-depth"
294 type = "integer"
295 help = "maximum search length of certificate trust anchor"
296 }
297 option = {
298 long = "hostname"
299 type = "string"
300 help = "match hostname to certificate"
301 }
302 argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
303 help = "Verify certificate chain"
304 }
305 command = {
306 name = "print"
307 function = "pcert_print"
308 option = {
309 long = "pass"
310 type = "strings"
311 argument = "password"
312 help = "password, prompter, or environment"
313 }
314 option = {
315 long = "content"
316 type = "flag"
317 help = "print the content of the certificates"
318 }
319 option = {
320 long = "raw-json"
321 type = "flag"
322 help = "print the DER content of the certificates as JSON"
323 }
324 option = {
325 long = "never-fail"
326 type = "flag"
327 help = "never fail with an error code"
328 }
329 option = {
330 long = "info"
331 type = "flag"
332 help = "print the information about the certificate store"
333 }
334 min_args="1"
335 argument="certificate ..."
336 help = "Print certificates"
337 }
338 command = {
339 name = "validate"
340 function = "pcert_validate"
341 option = {
342 long = "pass"
343 type = "strings"
344 argument = "password"
345 help = "password, prompter, or environment"
346 }
347 min_args="1"
348 argument="certificate ..."
349 help = "Validate content of certificates"
350 }
351 command = {
352 name = "certificate-copy"
353 name = "cc"
354 option = {
355 long = "in-pass"
356 type = "strings"
357 argument = "password"
358 help = "password, prompter, or environment"
359 }
360 option = {
361 long = "out-pass"
362 type = "string"
363 argument = "password"
364 help = "password, prompter, or environment"
365 }
366 option = {
367 long = "append"
368 type = "flag"
369 help = "append source to destination"
370 }
371 option = {
372 long = "root-certs"
373 type = "-flag"
374 help = "do not copy root certificates"
375 }
376 option = {
377 long = "private-keys"
378 type = "-flag"
379 help = "do not copy private keys"
380 }
381 min_args="2"
382 argument="in-certificates-1 ... out-certificate"
383 help = "Copy in certificates stores into out certificate store"
384 }
385 command = {
386 name = "ocsp-fetch"
387 option = {
388 long = "pass"
389 type = "strings"
390 argument = "password"
391 help = "password, prompter, or environment"
392 }
393 option = {
394 long = "sign"
395 type = "string"
396 argument = "certificate"
397 help = "certificate use to sign the request"
398 }
399 option = {
400 long = "url-path"
401 type = "string"
402 argument = "url"
403 help = "part after host in url to put in the request"
404 }
405 option = {
406 long = "nonce"
407 type = "-flag"
408 default = "1"
409 help = "don't include nonce in request"
410 }
411 option = {
412 long = "pool"
413 type = "strings"
414 argument = "certificate-store"
415 help = "pool to find parent certificate in"
416 }
417 min_args="2"
418 argument="outfile certs ..."
419 help = "Fetch OCSP responses for the following certs"
420 }
421 command = {
422 option = {
423 long = "ocsp-file"
424 type = "string"
425 help = "OCSP file"
426 }
427 name = "ocsp-verify"
428 min_args="1"
429 argument="certificates ..."
430 help = "Check that certificates are in OCSP file and valid"
431 }
432 command = {
433 name = "ocsp-print"
434 option = {
435 long = "verbose"
436 type = "flag"
437 help = "verbose"
438 }
439 min_args="1"
440 argument="ocsp-response-file ..."
441 help = "Print the OCSP responses"
442 }
443 command = {
444 name = "revoke-print"
445 option = {
446 long = "verbose"
447 type = "flag"
448 help = "verbose"
449 }
450 min_args="1"
451 argument="ocsp/crl files"
452 help = "Print the OCSP/CRL files"
453 }
454 command = {
455 name = "generate-key"
456 option = {
457 long = "type"
458 type = "string"
459 help = "keytype"
460 }
461 option = {
462 long = "key-bits"
463 type = "integer"
464 help = "number of bits in the generated key";
465 }
466 option = {
467 long = "verbose"
468 type = "flag"
469 help = "verbose status"
470 }
471 min_args="1"
472 max_args="1"
473 argument="output-file"
474 help = "Generate a private key"
475 }
476 command = {
477 name = "request-create"
478 option = {
479 long = "ca"
480 type = "flag"
481 help = "Request CA certificate"
482 }
483 option = {
484 long = "ca-path-length"
485 type = "integer"
486 help = "Path length constraint for CA certificate"
487 default = "-1"
488 }
489 option = {
490 long = "ee"
491 type = "flag"
492 help = "Include BasicConstraints w/ cA set to false"
493 }
494 option = {
495 long = "subject"
496 type = "string"
497 help = "Subject DN"
498 }
499 option = {
500 long = "eku"
501 type = "strings"
502 argument = "oid-string"
503 help = "Add Extended Key Usage OID"
504 }
505 option = {
506 long = "email"
507 type = "strings"
508 help = "Email address in SubjectAltName"
509 }
510 option = {
511 long = "jid"
512 type = "strings"
513 help = "XMPP (Jabber) address in SubjectAltName"
514 }
515 option = {
516 long = "dnsname"
517 type = "strings"
518 help = "Hostname or domainname in SubjectAltName"
519 }
520 option = {
521 long = "kerberos"
522 type = "strings"
523 help = "Kerberos principal name as SubjectAltName"
524 }
525 option = {
526 long = "ms-kerberos"
527 type = "strings"
528 help = "Kerberos principal name as SubjectAltName (Microsoft variant)"
529 }
530 option = {
531 long = "registered"
532 type = "strings"
533 help = "Registered object ID as SubjectAltName"
534 }
535 option = {
536 long = "dn"
537 type = "strings"
538 help = "Directory name as SubjectAltName"
539 }
540 option = {
541 long = "type"
542 type = "string"
543 help = "Type of request CRMF or PKCS10, defaults to PKCS10"
544 }
545 option = {
546 long = "key"
547 type = "string"
548 help = "Key-pair"
549 }
550 option = {
551 long = "generate-key"
552 type = "string"
553 help = "keytype"
554 }
555 option = {
556 long = "key-bits"
557 type = "integer"
558 help = "number of bits in the generated key";
559 }
560 option = {
561 long = "verbose"
562 type = "flag"
563 help = "verbose status"
564 }
565 min_args="1"
566 max_args="1"
567 argument="output-file"
568 help = "Create a CRMF or PKCS10 request"
569 }
570 command = {
571 name = "request-print"
572 option = {
573 long = "verbose"
574 type = "flag"
575 help = "verbose printing"
576 }
577 min_args="1"
578 argument="requests ..."
579 help = "Print requests"
580 }
581 command = {
582 name = "query"
583 option = {
584 long = "exact"
585 type = "flag"
586 help = "exact match"
587 }
588 option = {
589 long = "private-key"
590 type = "flag"
591 help = "search for private key"
592 }
593 option = {
594 long = "friendlyname"
595 type = "string"
596 argument = "name"
597 help = "match on friendly name"
598 }
599 option = {
600 long = "eku"
601 type = "string"
602 argument = "oid-string"
603 help = "match on EKU"
604 }
605 option = {
606 long = "expr"
607 type = "string"
608 argument = "expression"
609 help = "match on expression"
610 }
611 option = {
612 long = "keyEncipherment"
613 type = "flag"
614 help = "match keyEncipherment certificates"
615 }
616 option = {
617 long = "digitalSignature"
618 type = "flag"
619 help = "match digitalSignature certificates"
620 }
621 option = {
622 long = "print"
623 type = "flag"
624 help = "print matches"
625 }
626 option = {
627 long = "pass"
628 type = "strings"
629 argument = "password"
630 help = "password, prompter, or environment"
631 }
632 min_args="1"
633 argument="certificates ..."
634 help = "Query the certificates for a match"
635 }
636 command = {
637 name = "info"
638 }
639 command = {
640 name = "random-data"
641 min_args="1"
642 argument="bytes"
643 help = "Generates random bytes and prints them to standard output"
644 }
645 command = {
646 option = {
647 long = "type"
648 type = "string"
649 help = "type of CMS algorithm"
650 }
651 option = {
652 long = "oid-syms"
653 type = "flag"
654 help = "show symbolic names for OIDs"
655 }
656 name = "crypto-available"
657 min_args="0"
658 help = "Print available CMS crypto types"
659 }
660 command = {
661 option = {
662 long = "type"
663 type = "string"
664 help = "type of CMS algorithm"
665 }
666 option = {
667 long = "certificate"
668 type = "string"
669 help = "source certificate limiting the choices"
670 }
671 option = {
672 long = "peer-cmstype"
673 type = "strings"
674 help = "peer limiting cmstypes"
675 }
676 option = {
677 long = "oid-sym"
678 type = "flag"
679 help = "show symbolic name for OID"
680 }
681 name = "crypto-select"
682 min_args="0"
683 help = "Print selected CMS type"
684 }
685 command = {
686 option = {
687 long = "decode"
688 short = "d"
689 type = "flag"
690 help = "decode instead of encode"
691 }
692 name = "hex"
693 function = "hxtool_hex"
694 min_args="0"
695 help = "Encode input to hex"
696 }
697 command = {
698 option = {
699 long = "issue-ca"
700 type = "flag"
701 help = "Issue a CA certificate"
702 }
703 option = {
704 long = "issue-proxy"
705 type = "flag"
706 help = "Issue a proxy certificate"
707 }
708 option = {
709 long = "domain-controller"
710 type = "flag"
711 help = "Issue a MS domaincontroller certificate"
712 }
713 option = {
714 long = "subject"
715 type = "string"
716 help = "Subject of issued certificate"
717 }
718 option = {
719 long = "ca-certificate"
720 type = "string"
721 help = "Issuing CA certificate"
722 }
723 option = {
724 long = "self-signed"
725 type = "flag"
726 help = "Issuing a self-signed certificate"
727 }
728 option = {
729 long = "ca-private-key"
730 type = "string"
731 help = "Private key for self-signed certificate"
732 }
733 option = {
734 long = "certificate"
735 type = "string"
736 help = "Issued certificate"
737 }
738 option = {
739 long = "type"
740 type = "strings"
741 help = "Types of certificate to issue (can be used more then once)"
742 }
743 option = {
744 long = "lifetime"
745 type = "string"
746 help = "Lifetime of certificate"
747 }
748 option = {
749 long = "signature-algorithm"
750 type = "string"
751 help = "Signature algorithm to use"
752 }
753 option = {
754 long = "serial-number"
755 type = "string"
756 help = "serial-number of certificate"
757 }
758 option = {
759 long = "path-length"
760 default = "-1"
761 type = "integer"
762 help = "Maximum path length (CA and proxy certificates), -1 no limit"
763 }
764 option = {
765 long = "eku"
766 type = "strings"
767 argument = "oid-string"
768 help = "Add Extended Key Usage OID"
769 }
770 option = {
771 long = "ku"
772 type = "strings"
773 help = "Key Usage (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly)"
774 }
775 option = {
776 long = "hostname"
777 type = "strings"
778 help = "DNS names this certificate is allowed to serve"
779 }
780 option = {
781 long = "dnssrv"
782 type = "strings"
783 help = "DNS SRV names this certificate is allowed to serve"
784 }
785 option = {
786 long = "email"
787 type = "strings"
788 help = "email addresses assigned to this certificate"
789 }
790 option = {
791 long = "pk-init-principal"
792 type = "strings"
793 help = "PK-INIT principal (for SAN)"
794 }
795 option = {
796 long = "ms-upn"
797 type = "string"
798 help = "Microsoft UPN (for SAN)"
799 }
800 option = {
801 long = "jid"
802 type = "string"
803 help = "XMPP jabber id (for SAN)"
804 }
805 option = {
806 long = "permanent-id"
807 type = "string"
808 help = "PermanentIdentifier ([oid]:[serial])"
809 }
810 option = {
811 long = "hardware-module-name"
812 type = "string"
813 help = "HardwareModuleName (oid:serial)"
814 }
815 option = {
816 long = "policy"
817 type = "strings"
818 help = "Certificate Policy OID and optional URI and/or notice (OID:URI<space>notice_text)"
819 }
820 option = {
821 long = "policy-mapping"
822 type = "strings"
823 help = "Certificate Policy mapping (OID:OID)"
824 }
825 option = {
826 long = "pkinit-max-life"
827 type = "string"
828 help = "maximum Kerberos ticket lifetime extension for PKINIT"
829 }
830 option = {
831 long = "req"
832 type = "string"
833 help = "certificate request"
834 }
835 option = {
836 long = "certificate-private-key"
837 type = "string"
838 help = "private-key"
839 }
840 option = {
841 long = "generate-key"
842 type = "string"
843 help = "keytype"
844 }
845 option = {
846 long = "key-bits"
847 type = "integer"
848 help = "number of bits in the generated key"
849 }
850 option = {
851 long = "crl-uri"
852 type = "string"
853 help = "URI to CRL"
854 }
855 option = {
856 long = "template-certificate"
857 type = "string"
858 help = "certificate"
859 }
860 option = {
861 long = "template-fields"
862 type = "string"
863 help = "flag"
864 }
865 name = "certificate-sign"
866 name = "cert-sign"
867 name = "issue-certificate"
868 name = "ca"
869 function = "hxtool_ca"
870 min_args="0"
871 help = "Issue a certificate"
872 }
873 command = {
874 name = "test-crypto"
875 option = {
876 long = "pass"
877 type = "strings"
878 argument = "password"
879 help = "password, prompter, or environment"
880 }
881 option = {
882 long = "verbose"
883 type = "flag"
884 help = "verbose printing"
885 }
886 min_args="1"
887 argument="certificates..."
888 help = "Test crypto system related to the certificates"
889 }
890 command = {
891 option = {
892 long = "type"
893 type = "integer"
894 help = "type of statistics"
895 }
896 name = "statistic-print"
897 min_args="0"
898 help = "Print statistics"
899 }
900 command = {
901 option = {
902 long = "signer"
903 type = "string"
904 help = "signer certificate"
905 }
906 option = {
907 long = "pass"
908 type = "strings"
909 argument = "password"
910 help = "password, prompter, or environment"
911 }
912 option = {
913 long = "crl-file"
914 type = "string"
915 help = "CRL output file"
916 }
917 option = {
918 long = "lifetime"
919 type = "string"
920 help = "time the crl will be valid"
921 }
922 name = "crl-sign"
923 min_args="0"
924 argument="certificates..."
925 help = "Create a CRL"
926 }
927 command = {
928 option = {
929 long = "verbose"
930 short = "v"
931 type = "flag"
932 help = "verbose"
933 }
934 option = {
935 long = "end-entity"
936 type = "flag"
937 help = "check the first EE certificate in the store"
938 }
939 option = {
940 long = "ca"
941 type = "flag"
942 help = "check the first CA certificate in the store"
943 }
944 option = {
945 long = "cert-num"
946 type = "integer"
947 default = "-1"
948 help = "check the nth certificate in the store"
949 }
950 option = {
951 long = "expr"
952 type = "string"
953 argument = "expression"
954 help = "test the first certificate matching expression"
955 }
956 option = {
957 long = "has-email-san"
958 short = "M"
959 type = "strings"
960 argument = "email-address"
961 help = "check that cert has email SAN"
962 }
963 option = {
964 long = "has-xmpp-san"
965 type = "strings"
966 short = "X"
967 argument = "jabber address"
968 help = "check that cert has XMPP SAN"
969 }
970 option = {
971 long = "has-ms-upn-san"
972 short = "U"
973 type = "strings"
974 argument = "UPN"
975 help = "check that cert has UPN SAN"
976 }
977 option = {
978 long = "has-dnsname-san"
979 short = "D"
980 type = "strings"
981 argument = "domainname"
982 help = "check that cert has domainname SAN"
983 }
984 option = {
985 long = "has-pkinit-san"
986 short = "P"
987 type = "strings"
988 argument = "Kerberos principal name"
989 help = "check that cert has PKINIT SAN"
990 }
991 option = {
992 long = "has-registeredID-san"
993 short = "R"
994 type = "strings"
995 argument = "OID"
996 help = "check that cert has registeredID SAN"
997 }
998 option = {
999 long = "has-eku"
1000 short = "E"
1001 type = "strings"
1002 argument = "OID"
1003 help = "check that cert has EKU"
1004 }
1005 option = {
1006 long = "has-ku"
1007 short = "K"
1008 type = "strings"
1009 argument = "key usage element"
1010 help = "check that cert has key usage"
1011 }
1012 option = {
1013 long = "exact"
1014 type = "flag"
1015 help = "check that cert has only given SANs/EKUs/KUs"
1016 }
1017 option = {
1018 long = "valid-now"
1019 short = "n"
1020 type = "flag"
1021 help = "check that current time is in certicate's validity period"
1022 }
1023 option = {
1024 long = "valid-at"
1025 type = "string"
1026 argument = "datetime"
1027 help = "check that the certificate is valid at given time"
1028 }
1029 option = {
1030 long = "not-after-eq"
1031 type = "string"
1032 argument = "datetime"
1033 help = "check that the certificate's notAfter is as given"
1034 }
1035 option = {
1036 long = "not-after-lt"
1037 type = "string"
1038 argument = "datetime"
1039 help = "check that the certificate's notAfter is before the given time"
1040 }
1041 option = {
1042 long = "not-after-gt"
1043 type = "string"
1044 argument = "datetime"
1045 help = "check that the certificate's notAfter is after the given time"
1046 }
1047 option = {
1048 long = "not-before-eq"
1049 type = "string"
1050 argument = "datetime"
1051 help = "check that the certificate's notBefore is as given"
1052 }
1053 option = {
1054 long = "not-before-lt"
1055 type = "string"
1056 argument = "datetime"
1057 help = "check that the certificate's notBefore is before the given time"
1058 }
1059 option = {
1060 long = "not-before-gt"
1061 type = "string"
1062 argument = "datetime"
1063 help = "check that the certificate's notBefore is after the given time"
1064 }
1065 option = {
1066 long = "has-private-key"
1067 type = "flag"
1068 help = "check that the certificate has a private key"
1069 }
1070 option = {
1071 long = "lacks-private-key"
1072 type = "flag"
1073 help = "check that the certificate does not have a private key"
1074 }
1075 name = "acert"
1076 min_args = "1"
1077 max_args = "1"
1078 argument = "certificate-store"
1079 help = "Assert certificate content"
1080 }
1081 command = {
1082 name = "help"
1083 name = "?"
1084 argument = "[command]"
1085 min_args = "0"
1086 max_args = "1"
1087 help = "Help! I need somebody"
1088 }