msva-query-agent validates certificates for a given use by querying a
running Monkeysphere Validation Agent.
msva-query-agent reads a certificate from standard input, and posts it
to the running Monkeysphere Validation Agent. The return code
indicates the validity (as determined by the agent) of the certificate
for the specified purpose. The agent's return message (if any) is
emitted on stdout.
The first three command-line arguments are all required, supplied in
order, as follows:
Context in which the certificate is being validated (e.g. 'https',
The name of the intended peer. When validating a certificate for a
service, supply the host's full DNS name (e.g. 'foo.example.net')
The format of public key carrier data provided on standard input
(e.g. 'x509der', 'x509pem', 'opensshpubkey', 'rfc4716')
The fourth argument is optional:
The type of peer we are inquiring about (e.g. 'client', 'server')
If the certificate is valid for the requested peer in the given
context, the return code is 0. Otherwise, the return code is 1.
msva-query-agent's behavior is controlled by environment variables:
Log messages about its operation to stderr. MSVA_LOG_LEVEL controls
its verbosity, and should be one of (in increasing verbosity): silent,
quiet, fatal, error, info, verbose, debug, debug1, debug2, debug3.
Default is 'error'.
COMMUNICATION PROTOCOL DETAILS
Communications with the Monkeysphere Validation Agent are in the form
of JSON requests over plain HTTP. Responses from the agent are also
JSON objects. For details on the structure of the requests and
responses, please see