It seems that CERTDB_TERMINAL_RECORD being set to true means that the trust record is authoritative, at which point it checks for either CERTDB_TRUSTED or CERTDB_TRUSTED_CA being true. If that's the case, then the certificate is trusted, otherwise it is distrusted.
Throughout lib/certhigh/certvfy.c you'll see variations on:
    case certUsageSSLCA:
        flags = trust.sslFlags;
        if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
                                               * authoritative */
            if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                /* don't trust this cert */
                *failedFlags = flags;
                return SECFailure;
            }
        }
        break;
The -t p option sets CERTDB_TERMINAL_RECORD while the -t P and -t C set CERTDB_TRUSTED and CERTDB_TRUSTED_CA respectively. Without the latter two (that is, with just -t p) the certificate is explicitly distrusted as per the latest online certutil documentation.
It seems that the src man pages haven't been updated. An older version (from Sept 2014) at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil agrees with the current man page in the src package.
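To make the flag logic above concrete, here is a small stand-alone model (added example, not NSS code) that decodes a certutil -t trust field into flag bits and applies the same terminal-record check as the certvfy.c fragment. The bit values and the letter-to-flag mapping are assumptions modelled on NSS's certdb.h and its trust-string decoder, not taken from the original answer.

```c
#include <stdio.h>

/* Assumed bit values, modelled on NSS's certdb.h (not copied from the page). */
#define CERTDB_TERMINAL_RECORD (1u << 0)
#define CERTDB_TRUSTED         (1u << 1)
#define CERTDB_VALID_CA        (1u << 3)
#define CERTDB_TRUSTED_CA      (1u << 4)

enum verdict { TRUST_DEFER = 0, TRUST_EXPLICIT = 1, DISTRUST_EXPLICIT = 2 };

/* Decode one certutil -t field ("p", "P", "C", "pC", ...) into flag bits.
 * Assumed mapping: 'p' -> TERMINAL_RECORD, 'P' -> TRUSTED (+ TERMINAL_RECORD, as
 * NSS's decoder does), 'c' -> VALID_CA, 'C' -> TRUSTED_CA | VALID_CA. */
unsigned parse_trust_field(const char *field) {
    unsigned flags = 0;
    for (; *field; field++) {
        switch (*field) {
        case 'p': flags |= CERTDB_TERMINAL_RECORD; break;
        case 'P': flags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; break;
        case 'c': flags |= CERTDB_VALID_CA; break;
        case 'C': flags |= CERTDB_TRUSTED_CA | CERTDB_VALID_CA; break;
        default: break; /* other trust letters are not modelled here */
        }
    }
    return flags;
}

/* Same decision as the certvfy.c fragment: an authoritative (terminal) record
 * without TRUSTED or TRUSTED_CA is a hard distrust; without a terminal record
 * the check is skipped and normal chain verification decides. */
enum verdict evaluate_trust(unsigned flags) {
    if (flags & CERTDB_TERMINAL_RECORD) {
        if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)
            return DISTRUST_EXPLICIT; /* "don't trust this cert" */
        return TRUST_EXPLICIT;
    }
    return TRUST_DEFER;
}

enum verdict verdict_for_field(const char *field) {
    return evaluate_trust(parse_trust_field(field));
}

int main(void) {
    static const char *names[] = { "defer-to-chain", "trusted", "distrusted" };
    const char *fields[] = { "p", "P", "C", "pC", "c" };
    for (size_t i = 0; i < sizeof fields / sizeof *fields; i++)
        printf("-t %-3s flags=0x%02x -> %s\n", fields[i],
               parse_trust_field(fields[i]), names[verdict_for_field(fields[i])]);
    return 0;
}
```

The "-t p" row comes out as distrusted and "-t C" (no terminal bit) as defer-to-chain, which is the behaviour the answer describes.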