scion-pki certificate verify

Verify a certificate chain


‘verify’ verifies the certificate chains based on a trusted TRC.

The chain must be a PEM bundle with the AS certificate first, and the CA certificate second.

The ISD-AS property of the subject identified by the certificate (or in the case of a certificate chain, the leaf certificate) can be validated by specifying the –subject-isd-as flag and the expected ISD-AS value.

scion-pki certificate verify [flags]


scion-pki certificate verify --trc ISD1-B1-S1.trc,ISD1-B1-S2.trc ISD1-ASff00_0_110.pem
scion-pki certificate verify --trc ISD1-*.trc ISD1-ASff00_0_110.pem


    --currenttime int         Optional unix timestamp that sets the current time
-h, --help                    help for verify
    --subject-isd-as string   ISD-AS property of the subject of the certificate
    --trc strings             Comma-separated list of trusted TRC files or glob patterns. If more than two TRCs are specified,
                               only up to two active TRCs with the highest Base version are used (required)