certverify verifies that the invoker is in possession of the private key for the specified certificate.
certverify [-S servicename] tag [user-name]
The certverify command verifies that the user is in possession of the private key for the specified certificate. Once the system verifies that the user is in possession of the private key, a signature is created for this certificate and associated with the certificate. A certificate that has not gone through this verification process is considered untrustworthy by AIX®.
The -S option specifies which end-entity services and libraries to use while verifying the certificate. Available services are defined in /usr/lib/security/pki/ca.cfg. When invoked without the -S flag, certverify uses the default service, local. It is an error to specify a service name that does not have an entry in the /usr/lib/security/pki/ca.cfg file. The tag parameter uniquely selects one of the user's certificates. The username parameter specifies which AIX user is to be queried. The certverify command issues a password prompt and requests that the user enter the password of the keystore. The command may fail if it is unable to open /dev/tty for the current process.
Flags

Item | Description |
---|---|
-S servicename | Specifies which service module to use. |

Exit Status

Item | Description |
---|---|
0 | Successful completion. |
>0 | An error occurred. |

This is a setuid command.
A user must prove possession of the private key matching the certificate they own by knowing the password of the private keystore and the label that identifies the private key in the keystore.
Root and invokers belonging to group security are allowed to perform the verification operation. However, they can complete this operation successfully only if they know the label and the password of the keystore.
A non-privileged user is allowed to verify the possession of the private key only for the certificates they own.
Audit
This command records the following event information:
CERT_Verify <username>
$ certverify cert1 bob
/usr/lib/security/pki/acct.cfg
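
An added pre-flight wrapper for the invocation shown above (not part of the AIX documentation): it checks the two failure conditions the description names, an -S service with no entry in ca.cfg and an unopenable /dev/tty, before calling certverify. The function names, the CA_CFG override variable, and the assumption that ca.cfg uses the standard AIX stanza layout (a `name:` header at column 0, `*` comment lines) are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks before running certverify.
# Helper names and the CA_CFG override are hypothetical, not AIX-provided.

CA_CFG=${CA_CFG:-/usr/lib/security/pki/ca.cfg}

# service_defined FILE NAME
# Succeeds only if FILE contains a stanza header "NAME:".
# Assumes AIX stanza layout: header starts at column 0 and ends with a
# colon; attribute lines are indented; lines starting with "*" are comments.
service_defined() {
    [ -r "$1" ] || return 1
    awk -v svc="$2" '
        /^\*/ { next }
        /^[^ \t:]+:[ \t]*$/ {
            name = $0
            sub(/:[ \t]*$/, "", name)
            if (name == svc) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# tty_available: certverify prompts for the keystore password and may fail
# if /dev/tty cannot be opened (cron jobs, ssh without a pty).
tty_available() {
    ( : </dev/tty ) 2>/dev/null
}

# verify_cert TAG [USER] [SERVICE]
# Returns 1 with a message on a failed pre-check; otherwise returns
# certverify's own exit status (0 = success, >0 = error).
verify_cert() {
    tag=$1; user=${2:-}; svc=${3:-}
    if [ -n "$svc" ] && ! service_defined "$CA_CFG" "$svc"; then
        echo "certverify: service '$svc' has no entry in $CA_CFG" >&2
        return 1
    fi
    if ! tty_available; then
        echo "certverify: cannot open /dev/tty for the password prompt" >&2
        return 1
    fi
    certverify ${svc:+-S "$svc"} "$tag" ${user:+"$user"}
}
```

A pre-check failure and a certverify error both return non-zero, so scripts that need to tell them apart should read the message on standard error.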