pki-val - Certificate validation using Reflection PKI Services Manager


pki-val cert-path [-b path] [-d level] [-h] [-t host] [-u user] [-V] [-w]


Validates a certificate to a running instance of Reflection PKI Services Manager, which provides X.509 validation services. The Reflection PKI Services Manager service must be running on the same computer. For information about configuring and launching this service, see pki_config(5) and pkid(8).

Note: The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.

Use cert-path to identify the certificate to validate. You can use -u, -t, or -w after the certificate name to get information about allowed identities for that certificate. For example, to determine if sample.crt is valid:

pki-val sample.crt

To determine if the user joe can authenticate using sample.crt:

pki-val sample.crt -u joe


-b path    --baseDir path

Specifies the data directory used for PKI Services Manager configuration.

-d level   --debug level

Specifies the amount of information sent to the log. Allowed values are: 'error', 'warn', 'info', 'debug', and 'trace'. The default is 'error'.

-h    --help

Displays a brief summary of command options.

-t host   --hostName host

PKI Services Manager reads the map file(s) and reports whether the specified host is an allowed identity for the host certificate being validated.

-u user   --userID user

PKI Services Manager reads the map file(s) and reports whether the specified user is an allowed identity for the user certificate being validated. If you include a server name (in the form user@server), PKI Services Manager reports on whether the user is allowed to authenticate to the specified server. If you specify only a user name, PKI Services Manager tests whether the user is allowed to authenticate with this certificate without checking for host-specific conditions.

-V    --version

Displays the product name and version.

-w [host  --whoAmI [host]

PKI Services Manager reads the identity map file(s) and returns a list of all allowed identities for the certificate being authenticated. If you specify a server name after this option, the list is limited to allowed users for connections to that server. If no server name is specified, PKI Services Manager doesn't check for server-specific conditions.


Copyright (C) 2013 Attachmate Corporation


pkid(8), pki_config(5), pki_mapfile(5)

Additional information is available online from the Reflection PKI Services Manager documentation web page:

And from the Attachmate support pages: