What did you do? ================ Trying to use CERT_PKIXVerifyCert to validate a certificate chain. Looking at the possible type/value pair in CertValInParam, I see cert_pi_certList (http://mxr.mozilla.org/security/source/security/nss/lib/certdb/certt.h#898), which could be used to provide a certificate chain. So I set the type/value pair in CertValInParam array (code: http://pastebin.com/4BQsinXM where parse_cert is a function which returns a CERTCertificate and it is correctly working) What happened? ============== I get error -8187, SEC_ERROR_INVALID_ARGS. What should have happened? ========================== Accepting Argument without raising error Is there anything else we should know? ====================================== I try to investigate what happened by looking at the source code, and I find something likely to be wrong here (http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfypkix.c#1509). Indeed, there is a switch on the type of CertValInParam parameter (which is an element of the input array to CERT_PKIXVerifyCert), and cert_pi_CertList has not an associated case. Hence, the default case is matched, which set error SEC_ERROR_INVALID_ARGS and returns a failure. Hence, it seems this type/value pair cannot be used without raising the aforementioned error. And I claim that it's probably not the only type with this issue, also cert_pi_keyusage isn't checked in that switch, and should lead to the same error (even if I haven't tried it as an input).