Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

95 files changed, 11780 insertions, 0 deletions

diff --git a/security/nss/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst
new file mode 100644
index 0000000000..bc6e44a765
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst
@@ -0,0 +1,152 @@
+.. _mozilla_projects_nss_reference_building_and_installing_nss_build_instructions:
+
+Build instructions
+==================
+
+.. container::
+
+   .. note::
+
+      These instructions are outdated.  Use the :ref:`mozilla_projects_nss_building` page for more
+      recent information.
+
+   Numerous optional features of NSS builds are controlled through make variables.
+
+   gmake is GNU make, usually your Linux-distro-regular "make" binary file, unless maybe it is a BSD
+   make. Make variables may be set on the gmake command line, e.g.,
+
+   .. code::
+
+        gmake variable=value variable=value target1 target2
+
+   or defined in the environment, e.g. (for POSIX shells),
+
+   .. code::
+
+        variable=value; export variable
+        gmake target1 target2
+
+   Here are some (not all) of the make variables that affect NSS builds:
+
+   -  BUILD_OPT: If set to 1, means do optimized non-DEBUG build. Default is DEBUG, non-optimized
+      build.
+   -  USE_DEBUG_RTL: If set to 1, on Windows, causes build with debug version of the C run-time
+      library.
+   -  NS_USE_GCC: On platforms where gcc is not the native compiler, tells NSS to build with gcc
+      instead of the native compiler. Default is to build with the native compiler.
+   -  USE_64: On platforms that support both 32-bit and 64-bit ABIs, tells NSS to build for the
+      64-bit ABI. Default is 32-bit ABI, except on platforms that do not support a 32-bit ABI.
+   -  MOZ_DEBUG_SYMBOLS: tells NSS to build with debug symbols, even in an optimized build. On
+      windows, in both DEBUG and optimized builds, when using MSVC, tells NSS to put symbols in a
+      .pdb file. Required to build with MSVC 8 (2005 Express). Default is not to put debug symbols
+      into optimized builds, and for MSVC, is to put symbols into the .exe or .dll file.
+   -  NSDISTMODE: If set to 'copy', mozilla/dist/<OBJ_STUFF>/bin/\* real files instead of symbolic
+      links.
+
+   These variables should be either undefined, or set to "1". Results are undefined for variables
+   set to "0".
+
+   For Windows, install
+   the `MozillaBuild <https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites#mozillabuild>`__ environment
+   and Microsoft Visual Studio 2010. (The free edition works, and other versions like Visual Studio
+   2008 and Visual Studio 2012 may also work.) Use start-shell-msvc2010.bat from MozillaBuild to get
+   a bash shell with the PATH already configured, and execute these instructions from within that
+   bash shell.
+
+   For RHEL-5, you need to use the new assembler. You can install the new assembler as root as
+   follows:
+
+   .. code::
+
+      yum install binutils220
+
+   You can then use the new assembler by adding /usr/libexec/binutils220 to the beginning of your
+   build path. This can be done in sh or bash as follows:
+
+   .. code::
+
+      export PATH=/usr/libexec/binutils220:$PATH
+
+   The following build instructions should work for all platforms (with some platform-specific
+   changes as noted).
+
+.. _build_instructions_for_recent_versions_(mercurial):
+
+`Build Instructions for Recent Versions (Mercurial) <#build_instructions_for_recent_versions_(mercurial)>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   #. Clone the NSPR and NSS repositories.
+
+      .. code::
+
+         hg clone https://hg.mozilla.org/projects/nspr
+         hg clone https://hg.mozilla.org/projects/nss
+
+   #. If you want to build a releases other than the tips of these repositories, then switch to the
+      release tags:
+
+      .. code::
+
+         cd nspr
+         hg update NSPR_4_9_5_RTM
+         cd ../nss
+         hg update NSS_3_14_2_RTM
+         cd ..
+
+   #. Set environment variables:
+
+      #. If you want a non-debug optimized build, set ``BUILD_OPT=1`` in your environment.
+         Otherwise, you get a debug build. On Windows, if you want a debug build with the system's
+         debug RTL libraries, set ``USE_DEBUG_RTL=1`` in your environment.
+      #. On Unix platforms, except Alpha/OSF1, if you want a build for the system's 64-bit ABI, set
+         ``USE_64=1`` in your environment. By default, NSS builds for the 32-bit environment on all
+         platforms except Alpha/OSF1.
+      #. To build with ``gcc`` on platforms other than Linux and Windows, you need to set two more
+         environment variables:
+
+         -  ``NS_USE_GCC=1``
+            ``NO_MDUPDATE=1``
+
+      #. For HP-UX, you must set the environment variable ``USE_PTHREADS`` to 1.
+
+   #. ``cd nss``
+
+   #. ``gmake nss_build_all``
+
+   The output of the build will be in the ``dist`` directory alongside the ``nspr`` and ``nss``
+   directories.
+
+   For information on troubleshooting the build system, see
+   :ref:`mozilla_projects_nss_reference_troubleshoot`.
+
+.. _build_instructions_for_older_versions_(cvs):
+
+`Build Instructions for Older Versions (CVS) <#build_instructions_for_older_versions_(cvs)>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   #. Set the environment variable ``CVSROOT`` to
+      ``:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot``
+
+   #. ``cvs login`` (if you haven't before).
+
+   #. Check out NSPR and NSS:
+
+      .. code::
+
+         cvs co -r NSPR_4_9_5_RTM NSPR
+         cvs co -r NSS_3_14_2_RTM NSS
+
+   #. Set environment variables as described in the Mercurial-based instructions.
+
+   #. ``cd mozilla/security/nss``
+
+   #. ``gmake nss_build_all``
+
+   The output of the build will be in ``mozilla/dist`` subdirectory.
+
+   For information on troubleshooting the build system, see
+   :ref:`mozilla_projects_nss_reference_troubleshoot`.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/building_and_installing_nss/index.rst b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/index.rst
new file mode 100644
index 0000000000..c51a681b8a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/index.rst
@@ -0,0 +1,12 @@
+.. _mozilla_projects_nss_reference_building_and_installing_nss:
+
+Building and installing NSS
+===========================
+
+.. container::
+
+   This chapter describes how to build and install NSS.
+
+   -  :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`
+   -  :ref:`mozilla_projects_nss_reference_building_and_installing_nss_installation_guide`
+   -  :ref:`mozilla_projects_nss_reference_building_and_installing_nss_sample_manual_installation`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/building_and_installing_nss/installation_guide/index.rst b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/installation_guide/index.rst
new file mode 100644
index 0000000000..0a2f382e4b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/installation_guide/index.rst
@@ -0,0 +1,50 @@
+.. _mozilla_projects_nss_reference_building_and_installing_nss_installation_guide:
+
+Installation guide
+==================
+
+.. container::
+
+   The build system of NSS originated from Netscape's build system, which predated the "configure;
+   make; make test; make install" sequence that we're familiar with now. Our makefiles also have an
+   "install" target, but it has a different meaning: our "install" means installing the headers,
+   libraries, and programs in the appropriate directories under mozilla/dist.
+
+   So right now you need to manually install the headers, libraries, and programs in the directories
+   you want. If you install the libraries in a directory other than /usr/lib, you usually need to
+   set the LD_LIBRARY_PATH environment variable. You can avoid that by installing the libraries in a
+   directory that is $ORIGIN/../lib, where $ORIGIN is the directory where the programs are
+   installed. This is done here:
+   `http://lxr.mozilla.org/security/sour...platlibs.mk#53 <http://lxr.mozilla.org/security/source/security/nss/cmd/platlibs.mk#53>`__
+
+   .. code::
+
+      53 ifeq ($(OS_ARCH), Linux)
+      54 ifeq ($(USE_64), 1)
+      55 EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
+      56 else
+      57 EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
+      58 endif
+      59 endif
+
+   For example, if you install certutil in /foo/bar/nss/bin and the .so's in /foo/bar/nss/lib, then
+   you only need to add /foo/bar/nss/bin to your PATH; you don't need to set LD_LIBRARY_PATH.
+
+   The libraries you need to install are listed below.
+
+   NSPR:
+
+   -  libnspr4.so
+   -  libplds4.so
+   -  libplc4.so
+
+   NSS: (Note the use of \* for libfreebl -- some platforms have multiple ones)
+
+   -  libfreebl*3.so
+   -  libfreebl*3.chk
+   -  libsoftokn3.so
+   -  libsoftokn3.chk
+   -  libnss3.so
+   -  libsmime3.so
+   -  libssl3.so
+   -  libnssckbi.so
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst
new file mode 100644
index 0000000000..11bd04eabe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst
@@ -0,0 +1,49 @@
+.. _mozilla_projects_nss_reference_building_and_installing_nss_migration_to_hg:
+
+Migration to HG
+===============
+
+.. container::
+
+   | The NSPR, NSS and related projects have stopped using Mozilla'a CVS server, but have migrated
+     to
+   | Mozilla's HG (Mercurial) server.
+   | Each project now lives in its own separate space, they can be found at:
+   |    https://hg.mozilla.org/projects/nspr/
+   |    https://hg.mozilla.org/projects/nss/
+   |    https://hg.mozilla.org/projects/jss/
+   |   https://hg.mozilla.org/projects/python-nss/
+
+   | This migration has been used as an opportunity to change the layout of the
+   | source directories.
+   | For NSPR, "mozilla/nsprpub" has been removed from the directory
+   | hierarchy, all files now live in the top directory of the NSPR
+   | repository.
+   | Likewise for NSS and JSS, "mozilla/security" has been removed and files
+   | now live at the top level. In addition for NSS, we have merged the
+   | contents of directories mozilla/dbm and mozilla/security/dbm into the
+   | new directory lib/dbm.
+   | Besides the new layout, the build system hasn't changed. Most parts of
+   | the NSS build instructions remain valid, especially the instructions
+   | about setting environment variables.
+   | Updated instructions for building NSS with NSPR can be found at:
+   | :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`
+   | It's best to refer to the above document to learn about the various
+   | environment variables that you might have to set to build on your
+   | platform (this part hasn't changed).
+   | However, below is a brief summary that shows how to checkout the
+   | source code and build both NSPR and NSS:
+   |   mkdir workarea
+   |   cd workarea
+   |   hg clone https://hg.mozilla.org/projects/nspr
+   |   hg clone https://hg.mozilla.org/projects/nss
+   |   cd nss
+   |   # set USE_64=1 on 64 bit architectures
+   |   # set BUILD_OPT=1 to get an optimized build
+   |   make nss_build_all
+   | Note that the JSS project has been given a private copy of the former
+   | mozilla/security/coreconf directory, allowing it to remain stable,
+   | and only update its build system as necessary.
+   | Because of the changes described above, we have decided to use a new
+   | series of (minor) version numbers. The first releases using the new code
+   | layout will be NSPR 4.10 and NSS 3.15
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/building_and_installing_nss/sample_manual_installation/index.rst b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/sample_manual_installation/index.rst
new file mode 100644
index 0000000000..bc570c2e13
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/building_and_installing_nss/sample_manual_installation/index.rst
@@ -0,0 +1,27 @@
+.. _mozilla_projects_nss_reference_building_and_installing_nss_sample_manual_installation:
+
+Sample manual installation
+==========================
+
+.. container::
+
+   |
+   | The NSS build system does not include a target to install header files and shared libraries in
+     the system directories, so this needs to be done manually.
+
+   After building NSS with *"gmake nss_build_all"*, the resulting build can be found in the NSS
+   source tree as follows:
+
+   -  NSS header files: *mozilla/dist/public/nss*
+   -  NSPR header files: *mozilla/dist/*\ **<OBJ-DIR>**\ */include*
+   -  NSPR/NSS shared libs: *mozilla/dist/*\ **<OBJ-DIR>**\ */lib*
+   -  NSS binary executables: *mozilla/dist/*\ **<OBJ-DIR>**\ */bin*.
+
+   where **<OBJ-DIR>** would vary according to the type of build and the platform. For example,
+   **<OBJ-DIR>** for a debug build of NSS on the x86 platform with a Linux kernel version 2.6 with
+   glibc would be: Linux2.6_x86_glibc_PTH_DBG.OBJ
+
+   From these directories, you can copy the files to any system (or other) directory. If the
+   destination directories are not what's standard for the system (e.g. /usr/include, /usr/lib and
+   /usr/bin for a Linux system), you need to edit the corresponding environment variables or
+   compiler/linker arguments.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_cancelfunction/index.rst b/security/nss/doc/rst/legacy/reference/fc_cancelfunction/index.rst
new file mode 100644
index 0000000000..8923feba1d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_cancelfunction/index.rst
@@ -0,0 +1,61 @@
+.. _mozilla_projects_nss_reference_fc_cancelfunction:
+
+FC_CancelFunction
+=================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_CancelFunction - cancel a function running in parallel
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_CancelFunction(
+        CK_SESSION_HANDLE hSession
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Parallel functions are not implemented. ``FC_CancelFunction`` is a legacy function that simply
+   returns ``CKR_FUNCTION_NOT_PARALLEL``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_CancelFunction`` always returns ``CKR_FUNCTION_NOT_PARALLEL``.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_CancelFunction </en-US/NSC_CancelFunction>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_closeallsessions/index.rst b/security/nss/doc/rst/legacy/reference/fc_closeallsessions/index.rst
new file mode 100644
index 0000000000..bbfa703fcb
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_closeallsessions/index.rst
@@ -0,0 +1,66 @@
+.. _mozilla_projects_nss_reference_fc_closeallsessions:
+
+FC_CloseAllSessions
+===================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_CloseAllSessions - close all sessions between an application and a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_CloseAllSessions(
+        CK_SLOT_ID slotID
+       );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``slotID``
+      [in] the ID of the token's slot.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_CloseAllSessions`` closes all sessions between an application and the token in the slot with
+   the ID ``slotID``.
+
+   The NSS cryptographic module currently doesn't call the surrender callback function ``Notify``.
+   (See PKCS #11 v2.20 section 11.17.1.)
+
+   A user may call ``FC_CloseAllSessions`` without logging into the token (to assume the NSS User
+   role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_closesession`,
+      `NSC_CloseAllSessions </en-US/NSC_CloseAllSessions>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_closesession/index.rst b/security/nss/doc/rst/legacy/reference/fc_closesession/index.rst
new file mode 100644
index 0000000000..ef3d9c6992
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_closesession/index.rst
@@ -0,0 +1,60 @@
+.. _mozilla_projects_nss_reference_fc_closesession:
+
+FC_CloseSession
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_CloseSession - close a session opened between an application and a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_CloseSession(
+        CK_SESSION_HANDLE hSession
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] the session handle to be closed.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_CloseSession`` closes a session between an application and a token.
+
+   A user may call ``FC_CloseSession`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_opensession`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_copyobject/index.rst b/security/nss/doc/rst/legacy/reference/fc_copyobject/index.rst
new file mode 100644
index 0000000000..11cbb9574a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_copyobject/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_reference_fc_copyobject:
+
+FC_CopyObject
+=============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_CopyObject - create a copy of an object.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_CopyObject(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE hObject,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG usCount,
+        CK_OBJECT_HANDLE_PTR phNewObject
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``hObject``
+      [in] object handle.
+   ``pTemplate``
+      [in] object template.
+   ``usCount``
+      [in] number of attributes in the template.
+   ``phnewObject``
+      [out] pointer to location to receive the new object's handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_CopyObject`` creates a copy of an object using the attributes specified in the template.
+
+   A user must log into the token (to assume the NSS User role) before copying a secret or private
+   key object.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_destroyobject`,
+      `NSC_CopyObject </en-US/NSC_CopyObject>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_createobject/index.rst b/security/nss/doc/rst/legacy/reference/fc_createobject/index.rst
new file mode 100644
index 0000000000..c4157db64c
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_createobject/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_createobject:
+
+FC_CreateObject
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_CreateObject - create a new object.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_CreateObject(
+        CK_SESSION_HANDLE hSession,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG ulCount,
+        CK_OBJECT_HANDLE_PTR phObject
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pTemplate``
+      [in] object template.
+   ``ulCount``
+      [in] number of attributes in the template.
+   ``phObject``
+      [out] pointer to location to receive the new objects handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_CreateObject`` creates an object using the attributes specified in the template.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_CreateObject``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_destroyobject`,
+      `NSC_CreateObject </en-US/NSC_CreateObject>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_decrypt/index.rst b/security/nss/doc/rst/legacy/reference/fc_decrypt/index.rst
new file mode 100644
index 0000000000..5984a546f4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_decrypt/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_reference_fc_decrypt:
+
+FC_Decrypt
+==========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Decrypt - Decrypt a block of data.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Decrypt(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pEncryptedData,
+        CK_ULONG usEncryptedDataLen,
+        CK_BYTE_PTR pData,
+        CK_ULONG_PTR pusDataLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pEncryptedData``
+      [in] pointer to encrypted data block.
+   ``usEncryptedDataLen``
+      [in] length of the data in bytes.
+   ``pData``
+      [out] pointer to location where recovered data is to be stored.
+   ``pusDataLen``
+      [in,out] pointer to location where the length of recovered data is to be stored.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Decrypt`` decrypts a block of data according to the attributes of the previous call to
+   ``FC_DecryptInit``.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_Decrypt``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptinit`, `NSC_Decrypt </en-US/NSC_Decrypt>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_decryptdigestupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_decryptdigestupdate/index.rst
new file mode 100644
index 0000000000..4eae1c7f37
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_decryptdigestupdate/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_reference_fc_decryptdigestupdate:
+
+FC_DecryptDigestUpdate
+======================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DecryptDigestUpdate - continue a multi-part decrypt and digest operation
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DecryptDigestUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pEncryptedPart,
+        CK_ULONG ulEncryptedPartLen,
+        CK_BYTE_PTR pPart,
+        CK_ULONG_PTR pulPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pEncryptedPart``
+      [in] pointer to the encrypted data part.
+   ``ulEncryptedPartLen``
+      [in] length of encrypted data in bytes.
+   ``pPart``
+      [in] pointer to the location which receives the recovered data part or NULL.
+   ``pulPartLen``
+      [in] pointer to the length of the recovered part buffer.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DecryptDigestUpdate`` continues a multi-part decrypt and digest operation. After calling
+   both ``FC_DecryptInit`` and ``FC_DigestInit`` to set up the operations this function may be
+   called multiple times. The operation is finished by calls to ``FC_DigestFinal`` and
+   ``FC_DecryptFinal``.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_DecryptDigestUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DecryptDigestUpdate </en-US/NSC_DecryptDigestUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_decryptfinal/index.rst b/security/nss/doc/rst/legacy/reference/fc_decryptfinal/index.rst
new file mode 100644
index 0000000000..63ec6f575d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_decryptfinal/index.rst
@@ -0,0 +1,67 @@
+.. _mozilla_projects_nss_reference_fc_decryptfinal:
+
+FC_DecryptFinal
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DecryptFinal - finish a multi-part decryption operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DecryptFinal(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pLastPart,
+        CK_ULONG_PTR pusLastPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pLastPart``
+      [out] pointer to the location where the last block of recovered data, if any, is to be stored.
+   ``pusLastPartLen``
+      [in,out] pointer to location where the number of bytes of recovered data is to be stored.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DecryptFinal`` returns the last block of data of a multi-part decryption operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_DecryptFinal``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptinit`,
+      `NSC_DecryptFinal </en-US/NSC_DecryptFinal>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_decryptinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_decryptinit/index.rst
new file mode 100644
index 0000000000..05540da07b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_decryptinit/index.rst
@@ -0,0 +1,66 @@
+.. _mozilla_projects_nss_reference_fc_decryptinit:
+
+FC_DecryptInit
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DecryptInit - initialize a decryption operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DecryptInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] mechanism to be used for the subsequent decryption operation.
+   ``hKey``
+      [in] handle of the key to be used.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DecryptInit`` initializes a decryption operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_DecryptInit``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DecryptInit </en-US/NSC_DecryptInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_decryptupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_decryptupdate/index.rst
new file mode 100644
index 0000000000..75d39b379c
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_decryptupdate/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_reference_fc_decryptupdate:
+
+FC_DecryptUpdate
+================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DecryptUpdate - decrypt a block of a multi-part encryption operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DecryptUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pEncryptedPart,
+        CK_ULONG usEncryptedPartLen,
+        CK_BYTE_PTR pPart,
+        CK_ULONG_PTR pusPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pEncryptedPart``
+      [in] pointer to the next block of data to be decrypted.
+   ``usEncryptedPartLen``
+      [in] length of data block in bytes.
+   ``pPart``
+      [out] pointer to location where recovered block is to be stored.
+   ``pusPartLen``
+      [in,out] pointer the location where the number of bytes of recovered data is to be stored.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DecryptUpdate`` decrypts a block of data according to the attributes of the previous call to
+   ``FC_DecryptInit``. The block may be part of a multi-part decryption operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_DecryptUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptinit`,
+      `NSC_DecryptUpdate </en-US/NSC_DecryptUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_decryptverifyupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_decryptverifyupdate/index.rst
new file mode 100644
index 0000000000..1e8818be26
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_decryptverifyupdate/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_reference_fc_decryptverifyupdate:
+
+FC_DecryptVerifyUpdate
+======================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DecryptVerifyUpdate - continue a multi-part decrypt and verify operation
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DecryptVerifyUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pEncryptedData,
+        CK_ULONG ulEncryptedDataLen,
+        CK_BYTE_PTR pData,
+        CK_ULONG_PTR pulDataLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pEncryptedData``
+      [in] pointer to the encrypted data part.
+   ``ulEncryptedDataLen``
+      [in] length of encrypted data in bytes.
+   ``pData``
+      [in] pointer to the location which receives the recovered data part or NULL.
+   ``pulDataLen``
+      [in] pointer to the length of the recovered part buffer.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DecryptVerifyUpdate`` continues a multi-part decryption and signature verification
+   operation. After calling both ``FC_DecryptInit`` and ``FC_VerifyInit`` to set up the operations
+   this function may be called multiple times. The operation is finished by calls to
+   ``FC_DecryptFinal`` and ``FC_VerifyFinal``.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_DecryptVerifyUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DecryptVerifyUpdate </en-US/NSC_DecryptVerifyUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_derivekey/index.rst b/security/nss/doc/rst/legacy/reference/fc_derivekey/index.rst
new file mode 100644
index 0000000000..85166ef998
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_derivekey/index.rst
@@ -0,0 +1,77 @@
+.. _mozilla_projects_nss_reference_fc_derivekey:
+
+FC_DeriveKey
+============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DeriveKey - derive a key from a base key
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DeriveKey(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hBaseKey,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG usAttributeCount,
+        CK_OBJECT_HANDLE_PTR phKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] pointer to the mechanism to use.
+   ``hBaseKey``
+      [in] handle of the base key.
+   ``pWrappedKey``
+      [in] pointer to the wrapped key.
+   ``pTemplate``
+      [in] pointer to the list of attributes for the new key.
+   ``usAttributeCount``
+      [in] number of attributes in the template.
+   ``phKey``
+      [out] pointer to the location to receive the handle of the new key.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DeriveKey`` derives (decrypts) a key and creates a new key object.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_DeriveKey``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DeriveKey </en-US/NSC_DeriveKey>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_destroyobject/index.rst b/security/nss/doc/rst/legacy/reference/fc_destroyobject/index.rst
new file mode 100644
index 0000000000..e1e2de10a8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_destroyobject/index.rst
@@ -0,0 +1,64 @@
+.. _mozilla_projects_nss_reference_fc_destroyobject:
+
+FC_DestroyObject
+================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DestroyObject - destroy an object.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DestroyObject(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE hObject
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``hObject``
+      [in] object handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DestroyObject`` destroys an object.
+
+   A user must log into the token (to assume the NSS User role) before destroying a secret or
+   private key object.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DestroyObject </en-US/NSC_DestroyObject>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_digest/index.rst b/security/nss/doc/rst/legacy/reference/fc_digest/index.rst
new file mode 100644
index 0000000000..8017f4958b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_digest/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_reference_fc_digest:
+
+FC_Digest
+=========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Digest - digest a block of data.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Digest(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pData,
+        CK_ULONG usDataLen,
+        CK_BYTE_PTR pDigest,
+        CK_ULONG_PTR pusDigestLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pData``
+      [in] pointer to data block.
+   ``usDataLen``
+      [in] length of the data in bytes.
+   ``pDigest``
+      [out] pointer to location where recovered data is to be stored.
+   ``pusDigestLen``
+      [in, out] pointer to the maximum size of the output buffer, replaced by the length of the
+      message digest if the operation is successful.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Digest`` digests a message in a single operation according to the attributes of the previous
+   call to ``FC_DigestInit``.
+
+   A user may call ``FC_Digest`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_digestinit`, `NSC_Digest </en-US/NSC_Digest>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_digestencryptupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_digestencryptupdate/index.rst
new file mode 100644
index 0000000000..0fa553f525
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_digestencryptupdate/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_reference_fc_digestencryptupdate:
+
+FC_DigestEncryptUpdate
+======================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DigestEncryptUpdate - continue a multi-part digest and encryption operation
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DigestEncryptUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pPart,
+        CK_ULONG ulPartLen,
+        CK_BYTE_PTR pEncryptedPart,
+        CK_ULONG_PTR pulEncryptedPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pPart``
+      [in] pointer to the data part.
+   ``ulPartLen``
+      [in] length of data in bytes.
+   ``pEncryptedPart``
+      [in] pointer to the location which receives the digested and encrypted part or NULL.
+   ``pulEncryptedPartLen``
+      [in] pointer to the length of the encrypted part buffer.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DigestEncryptUpdate`` continues a multi-part digest and encryption operation. After calling
+   both ``FC_DigestInit`` and ``FC_EncryptInit`` to set up the operations this function may be
+   called multiple times. The operation is finished by calls to ``FC_DigestFinal`` and
+   ``FC_EncryptFinal`` in that order.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_DigestEncryptUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DigestEncryptUpdate </en-US/NSC_DigestEncryptUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_digestfinal/index.rst b/security/nss/doc/rst/legacy/reference/fc_digestfinal/index.rst
new file mode 100644
index 0000000000..695865f686
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_digestfinal/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_reference_fc_digestfinal:
+
+FC_DigestFinal
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DigestFinal - finish a multi-part digest operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DigestFinal(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pDigest,
+        CK_ULONG_PTR pulDigestLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pDigest``
+      [out] pointer to the buffer which will receive the digest or NULL.
+   ``pulDigestLen``
+      [in, out] pointer to location containing the maximum buffer size.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DigestFinal`` finishes a multi-part digest operation by returning the complete digest and
+   clearing the operation context. If ``pDigest`` is NULL the length of the digest is returned and
+   ``FC_DigestFinal`` may be called again with ``pDigest`` set to retrieve the digest.
+
+   A user may call ``FC_DigestFinal`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_digestinit`,
+      `NSC_DigestFinal </en-US/NSC_DigestFinal>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_digestinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_digestinit/index.rst
new file mode 100644
index 0000000000..012643d57f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_digestinit/index.rst
@@ -0,0 +1,63 @@
+.. _mozilla_projects_nss_reference_fc_digestinit:
+
+FC_DigestInit
+=============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DigestInit - initialize a message-digest operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DigestInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] mechanism to be used for the subsequent digest operation.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DigestInit`` initializes a message-digest operation.
+
+   A user may call ``FC_DigestInit`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_DigestInit </en-US/NSC_DigestInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_digestkey/index.rst b/security/nss/doc/rst/legacy/reference/fc_digestkey/index.rst
new file mode 100644
index 0000000000..4b558bb238
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_digestkey/index.rst
@@ -0,0 +1,66 @@
+.. _mozilla_projects_nss_reference_fc_digestkey:
+
+FC_DigestKey
+============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DigestKey - add the digest of a key to a multi-part digest operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DigestKey(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``hKey``
+      [in] handle of the key to be digested.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DigestKey`` continues a multi-part digest operation by digesting the value of a secret key.
+   The digest for the entire message is returned by a call to
+   :ref:`mozilla_projects_nss_reference_fc_digestfinal`.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_DigestKey``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_digestinit`,
+      :ref:`mozilla_projects_nss_reference_fc_digestfinal`, `NSC_DigestKey </en-US/NSC_DigestKey>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_digestupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_digestupdate/index.rst
new file mode 100644
index 0000000000..9650600465
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_digestupdate/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_digestupdate:
+
+FC_DigestUpdate
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_DigestUpdate - process the next block of a multi-part digest operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_DigestUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pPart,
+        CK_ULONG usPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pPart``
+      [in] pointer to the next block of data to be digested.
+   ``usPartLen``
+      [in] length of data block in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_DigestUpdate`` starts or continues a multi-part digest operation. One or more blocks may be
+   part of the message digest operation. The digest for the entire message is returned by a call to
+   :ref:`mozilla_projects_nss_reference_fc_digestfinal`.
+
+   A user may call ``FC_DigestUpdate`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_digestinit`,
+      :ref:`mozilla_projects_nss_reference_fc_digestfinal`,
+      `NSC_DigestUpdate </en-US/NSC_DigestUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_encrypt/index.rst b/security/nss/doc/rst/legacy/reference/fc_encrypt/index.rst
new file mode 100644
index 0000000000..33e61612a7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_encrypt/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_reference_fc_encrypt:
+
+FC_Encrypt
+==========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Encrypt - Encrypt a block of data.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Encrypt(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pData,
+        CK_ULONG usDataLen,
+        CK_BYTE_PTR pEncryptedData,
+        CK_ULONG_PTR pusEncryptedDataLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pData``
+      [in] pointer to the data buffer
+   ``usDataLen``
+      [in] length of the data buffer in bytes.
+   ``pEncryptedData``
+      [out] pointer to location where encrypted data is to be stored.
+   ``pusEncryptedDataLen``
+      [in/out] number of bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Encrypt`` encrypts a block of data according to the attributes of the previous call to
+   ``FC_EncryptInit``.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_Encrypt``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_encryptinit`, `NSC_Encrypt </en-US/NSC_Encrypt>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_encryptfinal/index.rst b/security/nss/doc/rst/legacy/reference/fc_encryptfinal/index.rst
new file mode 100644
index 0000000000..05bab1f646
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_encryptfinal/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_reference_fc_encryptfinal:
+
+FC_EncryptFinal
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_EncryptFinal - finish a multi-part encryption operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_EncryptFinal(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pLastEncryptedPart,
+        CK_ULONG_PTR pusLastEncryptedPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pLastEncryptedPart``
+      [out] pointer to the location that receives the last encrypted data part, if any
+   ``pusLastEncryptedPartLen``
+      [in,out] pointer to location where the number of bytes of the last encrypted data part is to
+      be stored.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_EncryptFinal`` returns the last block of data of a multi-part encryption operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_EncryptFinal``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_encryptinit`,
+      `NSC_EncryptFinal </en-US/NSC_EncryptFinal>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_encryptinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_encryptinit/index.rst
new file mode 100644
index 0000000000..6ca0b8dee4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_encryptinit/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_reference_fc_encryptinit:
+
+FC_EncryptInit
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_EncryptInit - initialize an encryption operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_EncryptInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] handle to the session.
+   ``pMechanism``
+      [in] pointer to the mechanism to be used for subsequent encryption.
+   ``hKey``
+      [in] handle of the encryption key.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_EncryptInit`` initializes an encryption operation with the mechanism and key to be used.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_EncryptInit``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+      Slot information was successfully copied.
+   ``CKR_SLOT_ID_INVALID``
+      The specified slot number is out of the defined range of values.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_EncryptInit </en-US/NSC_EncryptInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_encryptupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_encryptupdate/index.rst
new file mode 100644
index 0000000000..0cc9a7eafd
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_encryptupdate/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_reference_fc_encryptupdate:
+
+FC_EncryptUpdate
+================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_EncryptUpdate - encrypt a block of a multi-part encryption operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_EncryptUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pPart,
+        CK_ULONG usPartLen,
+        CK_BYTE_PTR pEncryptedPart,
+        CK_ULONG_PTR pusEncryptedPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pPart``
+      [in] pointer to the next block of data to be encrypted.
+   ``usPartLen``
+      [in] length of data block in bytes.
+   ``pEncryptedPart``
+      [out] pointer to location where encrypted block is to be stored.
+   ``pusEncryptedPartaLen``
+      [out] pointer the location where the number of bytes of encrypted data is to be stored.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_EncryptUpdate`` encrypts a block of data according to the attributes of the previous call to
+   ``FC_EncryptInit``. The block may be part of a multi-part encryption operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_EncryptUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_encryptinit`,
+      `NSC_EncryptUpdate </en-US/NSC_EncryptUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_finalize/index.rst b/security/nss/doc/rst/legacy/reference/fc_finalize/index.rst
new file mode 100644
index 0000000000..a6bf07b87f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_finalize/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_reference_fc_finalize:
+
+FC_Finalize
+===========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Finalize - indicate that an application is done with the PKCS #11 library.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Finalize (CK_VOID_PTR pReserved);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Finalize`` has one parameter:
+
+   ``pReserved``
+      must be ``NULL``
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Finalize`` shuts down the :ref:`mozilla_projects_nss_reference_nss_cryptographic_module` in
+   the :ref:`mozilla_projects_nss_reference_nss_cryptographic_module_fips_mode_of_operation`. If the
+   library is not initialized, it does nothing.
+
+   The ``pReserved`` argument is not used and must be ``NULL``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Finalize`` always returns ``CKR_OK``.
+
+   .. note::
+
+      ``FC_Finalize`` should check the ``pReserved`` argument and return ``CKR_ARGUMENTS_BAD`` if
+      ``pReserved`` is not ``NULL``.
+
+      ``FC_Finalize`` should return ``CKR_CRYPTOKI_NOT_INITIALIZED`` if the library is not
+      initialized.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      #include <assert.h>
+
+      CK_FUNCTION_LIST_PTR pFunctionList;
+      CK_RV crv;
+
+      crv = FC_GetFunctionList(&pFunctionList);
+      assert(crv == CKR_OK);
+
+      ...
+
+      /* invoke FC_Finalize as pFunctionList->C_Finalize */
+      crv = pFunctionList->C_Finalize(NULL);
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_initialize`,
+      `NSC_Initialize </en-US/NSC_Initialize>`__, `NSC_Finalize </en-US/NSC_Finalize>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_findobjects/index.rst b/security/nss/doc/rst/legacy/reference/fc_findobjects/index.rst
new file mode 100644
index 0000000000..09298c4b94
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_findobjects/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_findobjects:
+
+FC_FindObjects
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_FindObjects - Search for one or more objects
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_FindObjects(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE_PTR phObject,
+        CK_ULONG usMaxObjectCount,
+        CK_ULONG_PTR pusObjectCount
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pTemplate``
+      [out] pointer to location to receive the object handles.
+   ``usMaxObjectCount``
+      [in] maximum number of handles to retrieve.
+   ``pusObjectCount``
+      [out] pointer to location to receive the number of returned handles.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_FindObjects`` returns the next set of object handles matching the criteria set up by the
+   previous call to ``FC_FindObjectsInit`` and sets the object count variable to their number or to
+   zero if there are none.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_findobjectsinit`,
+      `NSC_FindObjects </en-US/NSC_FindObjects>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_findobjectsfinal/index.rst b/security/nss/doc/rst/legacy/reference/fc_findobjectsfinal/index.rst
new file mode 100644
index 0000000000..0d6ed54df6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_findobjectsfinal/index.rst
@@ -0,0 +1,59 @@
+.. _mozilla_projects_nss_reference_fc_findobjectsfinal:
+
+FC_FindObjectsFinal
+===================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_FindObjectsFinal - terminate an object search.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_FindObjectsFinal(
+        CK_SESSION_HANDLE hSession,
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Clears the object search criteria for a session.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_findobjects`,
+      `NSC_FindObjectsFinal </en-US/NSC_FindObjectsFinal>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_findobjectsinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_findobjectsinit/index.rst
new file mode 100644
index 0000000000..cbd9a59fa3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_findobjectsinit/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_findobjectsinit:
+
+FC_FindObjectsInit
+==================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_FindObjectsInit - initialize the parameters for an object search.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_FindObjectsInit(
+        CK_SESSION_HANDLE hSession,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG usCount
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pTemplate``
+      [in] pointer to template.
+   ``usCount``
+      [in] number of attributes in the template.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_FindObjectsInit`` sets the attribute list for an object search. If ``FC_FindObjectsInit`` is
+   successful ``FC_FindObjects`` may be called one or more times to retrieve handles of matching
+   objects.
+
+   A user must log into the token (to assume the NSS User role) before searching for secret or
+   private key objects.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_findobjects`,
+      `NSC_FindObjectsInit </en-US/NSC_FindObjectsInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_generatekey/index.rst b/security/nss/doc/rst/legacy/reference/fc_generatekey/index.rst
new file mode 100644
index 0000000000..47a45816e8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_generatekey/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_reference_fc_generatekey:
+
+FC_GenerateKey
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GenerateKey - generate a new key
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GenerateKey(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG ulCount,
+        CK_OBJECT_HANDLE_PTR phKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] pointer to the mechanism to use.
+   ``pTemplate``
+      [in] pointer to the template for the new key.
+   ``ulCount``
+      [in] number of attributes in the template.
+   ``phKey``
+      [out] pointer to the location to receive the handle of the new key.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GenerateKey`` generates a secret key, creating a new key object. The handle of new key is
+   returned.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_GenerateKey``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GenerateKey </en-US/NSC_GenerateKey>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_generatekeypair/index.rst b/security/nss/doc/rst/legacy/reference/fc_generatekeypair/index.rst
new file mode 100644
index 0000000000..75e2e166f7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_generatekeypair/index.rst
@@ -0,0 +1,83 @@
+.. _mozilla_projects_nss_reference_fc_generatekeypair:
+
+FC_GenerateKeyPair
+==================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GenerateKeyPair - generate a new public/private key pair
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GenerateKeyPair(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+        CK_ULONG usPublicKeyAttributeCount,
+        CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+        CK_ULONG usPrivateKeyAttributeCount,
+        CK_OBJECT_HANDLE_PTR phPublicKey,
+        CK_OBJECT_HANDLE_PTR phPrivateKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] pointer to the mechanism to use.
+   ``pPublicKeyTemplate``
+      [in] pointer to the public key template.
+   ``usPublicKeyAttributeCount``
+      [in] number of attributes in the public key template.
+   ``pPrivateKeyTemplate``
+      [in] pointer to the private key template.
+   ``usPrivateKeyAttributeCount``
+      [in] number of attributes in the private key template.
+   ``phPublicKey``
+      [out] pointer to the location to receive the handle of the new public key.
+   ``phPrivateKey``
+      [out] pointer to the location to receive the handle of the new private key.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GenerateKeyPair`` generates a public/private key pair, creating new key objects. The handles
+   of new keys are returned.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_GenerateKeyPair``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GenerateKeyPair </en-US/NSC_GenerateKeyPair>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_generaterandom/index.rst b/security/nss/doc/rst/legacy/reference/fc_generaterandom/index.rst
new file mode 100644
index 0000000000..156ad25dca
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_generaterandom/index.rst
@@ -0,0 +1,67 @@
+.. _mozilla_projects_nss_reference_fc_generaterandom:
+
+FC_GenerateRandom
+=================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GenerateRandom - generate a random number.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GenerateRandom(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pRandomData,
+        CK_ULONG ulRandomLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pRandomData``
+      [out] pointer to the location to receive the random data.
+   ``ulRandomLen``
+      [in] length of the buffer in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GenerateRandom`` generates random data of the specified length.
+
+   A user may call ``FC_GenerateRandom`` without logging into the token (to assume the NSS User
+   role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GenerateRandom </en-US/NSC_GenerateRandom>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getattributevalue/index.rst b/security/nss/doc/rst/legacy/reference/fc_getattributevalue/index.rst
new file mode 100644
index 0000000000..79471b5b1a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getattributevalue/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_getattributevalue:
+
+FC_GetAttributeValue
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetAttributeValue - get the value of attributes of an object.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetAttributeValue(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE hObject,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG usCount
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``hObject``
+      [in] object handle.
+   ``pTemplate``
+      [in, out] pointer to template.
+   ``usCount``
+      [in] number of attributes in the template.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetAttributeValue`` gets the value of one or more attributes of an object.
+
+   A user must log into the token (to assume the NSS User role) before getting the attribute values
+   of a secret or private key object.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetAttributeValue </en-US/NSC_GetAttributeValue>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getfunctionlist/index.rst b/security/nss/doc/rst/legacy/reference/fc_getfunctionlist/index.rst
new file mode 100644
index 0000000000..d2b44ebc1f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getfunctionlist/index.rst
@@ -0,0 +1,79 @@
+.. _mozilla_projects_nss_reference_fc_getfunctionlist:
+
+FC_GetFunctionList
+==================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetFunctionList - get a pointer to the list of function pointers in the FIPS mode of
+   operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *ppFunctionList);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetFunctionList`` has one parameter:
+
+   ``ppFunctionList``
+      [Output] The address of a variable that will receive a pointer to the list of function
+      pointers.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetFunctionList`` stores in ``*ppFunctionList`` a pointer to the
+   :ref:`mozilla_projects_nss_reference_nss_cryptographic_module`'s list of function pointers in the
+   :ref:`mozilla_projects_nss_reference_nss_cryptographic_module_fips_mode_of_operation`.
+
+   A user may call ``FC_GetFunctionList`` without logging into the token (to assume the NSS User
+   role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetFunctionList`` always returns ``CKR_OK``.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      #include <assert.h>
+
+      CK_FUNCTION_LIST_PTR pFunctionList;
+      CK_RV crv;
+
+      crv = FC_GetFunctionList(&pFunctionList);
+      assert(crv == CKR_OK);
+
+      /* invoke the FC_XXX function as pFunctionList->C_XXX */
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetFunctionList </en-US/NSC_GetFunctionList>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getfunctionstatus/index.rst b/security/nss/doc/rst/legacy/reference/fc_getfunctionstatus/index.rst
new file mode 100644
index 0000000000..468e398dd7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getfunctionstatus/index.rst
@@ -0,0 +1,60 @@
+.. _mozilla_projects_nss_reference_fc_getfunctionstatus:
+
+FC_GetFunctionStatus
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetFunctionStatus - get the status of a function running in parallel
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetFunctionStatus(
+        CK_SESSION_HANDLE hSession
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetFunctionStatus`` is a legacy function that simply returns ``CKR_FUNCTION_NOT_PARALLEL``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetFunctionStatus`` always returns ``CKR_FUNCTION_NOT_PARALLEL``.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetFunctionStatus </en-US/NSC_GetFunctionStatus>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getinfo/index.rst b/security/nss/doc/rst/legacy/reference/fc_getinfo/index.rst
new file mode 100644
index 0000000000..1b73f25082
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getinfo/index.rst
@@ -0,0 +1,110 @@
+.. _mozilla_projects_nss_reference_fc_getinfo:
+
+FC_GetInfo
+==========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetInfo - return general information about the PKCS #11 library.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV  FC_GetInfo(CK_INFO_PTR pInfo);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetInfo`` has one parameter:
+
+   ``pInfo``
+      points to a `CK_INFO </en-US/CK_INFO>`__ structure
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetInfo`` returns general information about the PKCS #11 library. On return, the ``CK_INFO``
+   structure that ``pInfo`` points to has the following information:
+
+   -  ``cryptokiVersion``: PKCS #11 interface version number implemented by the PKCS #11 library.
+      The version is 2.20 (``major=0x02, minor=0x14``).
+   -  ``manufacturerID``: the PKCS #11 library manufacturer, "Mozilla Foundation", padded with
+      spaces to 32 characters and not null-terminated.
+   -  ``flags``: should be 0.
+   -  ``libraryDescription``: description of the library, "NSS Internal Crypto Services", padded
+      with spaces to 32 characters and not null-terminated.
+   -  ``libraryVersion``: PKCS #11 library version number, for example, 3.11
+      (``major=0x03, minor=0x0b``).
+
+   A user may call ``FC_GetInfo`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetInfo`` always returns ``CKR_OK``.
+
+   .. note::
+
+      ``FC_GetInfo`` should return ``CKR_ARGUMENTS_BAD`` if ``pInfo`` is ``NULL``.
+
+      ``FC_GetInfo`` should return ``CKR_CRYPTOKI_NOT_INITIALIZED`` if the library is not
+      initialized.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Note the use of the ``%.32s`` format string to print the ``manufacturerID`` and
+   ``libraryDescription`` members of the ``CK_INFO`` structure.
+
+   .. code::
+
+      #include <assert.h>
+      #include <stdio.h>
+
+      CK_FUNCTION_LIST_PTR pFunctionList;
+      CK_RV crv;
+      CK_INFO info;
+
+      crv = FC_GetFunctionList(&pFunctionList);
+      assert(crv == CKR_OK);
+
+      ...
+
+      /* invoke FC_GetInfo as pFunctionList->C_GetInfo */
+      crv = pFunctionList->C_GetInfo(&info);
+      assert(crv == CKR_OK);
+      printf("General information about the PKCS #11 library:\n");
+      printf("    PKCS #11 version: %d.%d\n",
+          (int)info.cryptokiVersion.major, (int)info.cryptokiVersion.minor);
+      printf("    manufacturer ID: %.32s\n", info.manufacturerID);
+      printf("    flags: 0x%08lx\n", info.flags);
+      printf("    library description: %.32s\n", info.libraryDescription);
+      printf("    library version: %d.%d\n",
+          (int)info.libraryVersion.major, (int)info.libraryVersion.minor);
+      printf("\n");
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetInfo </en-US/NSC_GetInfo>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getmechanisminfo/index.rst b/security/nss/doc/rst/legacy/reference/fc_getmechanisminfo/index.rst
new file mode 100644
index 0000000000..559179c309
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getmechanisminfo/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_reference_fc_getmechanisminfo:
+
+FC_GetMechanismInfo
+===================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetMechanismInfo - get information on a particular mechanism.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetMechanismInfo(
+        CK_SLOT_ID slotID,
+        CK_MECHANISM_TYPE type,
+        CK_MECHANISM_INFO_PTR pInfo
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetMechanismInfo`` takes three parameters:
+
+   ``slotID``
+      [Input]
+   ``type``
+      [Input] .
+   ``pInfo``
+      [Output] .
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetMechanismInfo`` obtains information about a particular mechanism possibly supported by a
+   token.
+
+   A user may call ``FC_GetMechanismInfo`` without logging into the token (to assume the NSS User
+   role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetMechanismInfo </en-US/NSC_GetMechanismInfo>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getmechanismlist/index.rst b/security/nss/doc/rst/legacy/reference/fc_getmechanismlist/index.rst
new file mode 100644
index 0000000000..11003f9831
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getmechanismlist/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_getmechanismlist:
+
+FC_GetMechanismList
+===================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetMechanismList - get a list of mechanism types supported by a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetMechanismList(
+        CK_SLOT_ID slotID,
+        CK_MECHANISM_TYPE_PTR pMechanismList,
+        CK_ULONG_PTR pusCount
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetMechanismList`` takes three parameters:
+
+   ``slotID``
+      [Input]
+   ``pInfo``
+      [Output] The address of a variable that will receive a pointer to the list of function
+      pointers.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetMechanismList`` obtains a list of mechanism types supported by a token.
+
+   A user may call ``FC_GetMechanismList`` without logging into the token (to assume the NSS User
+   role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetMechanismList </en-US/NSC_GetMechanismList>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getobjectsize/index.rst b/security/nss/doc/rst/legacy/reference/fc_getobjectsize/index.rst
new file mode 100644
index 0000000000..c2bf40cc51
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getobjectsize/index.rst
@@ -0,0 +1,67 @@
+.. _mozilla_projects_nss_reference_fc_getobjectsize:
+
+FC_GetObjectSize
+================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetObjectSize - create a copy of an object.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetObjectSize(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE hObject,
+        CK_ULONG_PTR pusSize
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``hObject``
+      [in] object handle.
+   ``pusSize``
+      [out] pointer to location to receive the object's size.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetObjectSize`` gets the size of an object in bytes.
+
+   A user must log into the token (to assume the NSS User role) before getting the size of a secret
+   or private key object.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetObjectSize </en-US/NSC_GetObjectSize>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getoperationstate/index.rst b/security/nss/doc/rst/legacy/reference/fc_getoperationstate/index.rst
new file mode 100644
index 0000000000..1ec38bd7de
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getoperationstate/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_reference_fc_getoperationstate:
+
+FC_GetOperationState
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetOperationState - get the cryptographic operation state of a session.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetOperationState(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR  pOperationState,
+        CK_ULONG_PTR pulOperationStateLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] handle of the open session.
+   ``pOperationState``
+      [out] pointer to a byte array of a length sufficient for containing the operation state or
+      NULL.
+   ``pulOperationStateLen``
+      [out] pointer to `CK_ULONG </en-US/CK_ULONG>`__ which receives the total length (in bytes) of
+      the operation state.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetOperationState`` saves the state of the cryptographic operation in a session. This
+   function only works for digest operations for now. Therefore, a user may call
+   ``FC_GetOperationState`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_setoperationstate`,
+      `NSC_GetOperationState </en-US/NSC_GetOperationState>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getsessioninfo/index.rst b/security/nss/doc/rst/legacy/reference/fc_getsessioninfo/index.rst
new file mode 100644
index 0000000000..358c06eba9
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getsessioninfo/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_reference_fc_getsessioninfo:
+
+FC_GetSessionInfo
+=================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetSessionInfo - obtain information about a session.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetSessionInfo(
+        CK_SESSION_HANDLE hSession,
+        CK_SESSION_INFO_PTR pInfo
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] the open session handle.
+   ``pInfo``
+      [out] pointer to the `CK_SESSION_INFO </en-US/CK_SESSION_INFO>`__ structure to be returned.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetSessionInfo`` obtains information about a session. A user may call ``FC_GetSessionInfo``
+   without logging into the token (to assume the NSS User role).
+
+   If the NSS cryptographic module is in the error state, ``FC_GetSessionInfo`` returns
+   ``CKR_DEVICE_ERROR``. Otherwise, it fills in the ``CK_SESSION_INFO`` structure with the following
+   information:
+
+   -  ``state``: the state of the session, i.e., no role is assumed, the User role is assumed, or
+      the Crypto Officer role is assumed
+   -  ``flags``: bit flags that define the type of session
+
+      -  ``CKF_RW_SESSION (0x00000002)``: true if the session is read/write; false if the session is
+         read-only.
+      -  ``CKF_SERIAL_SESSION (0x00000004)``: this flag is provided for backward compatibility and
+         is always set to true.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_closesession`,
+      `NSC_OpenSession </en-US/NSC_OpenSession>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getslotinfo/index.rst b/security/nss/doc/rst/legacy/reference/fc_getslotinfo/index.rst
new file mode 100644
index 0000000000..09877920a4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getslotinfo/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_reference_fc_getslotinfo:
+
+FC_GetSlotInfo
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetSlotInfo - get information about a particular slot in the system.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetSlotInfo(
+        CK_SLOT_ID slotID,
+        CK_SLOT_INFO_PTR pInfo
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetSlotInfo`` takes two parameters:
+
+   ``slotID``
+      [in]
+   ``pInfo``
+      [out] The address of a ``CK_SLOT_INFO`` structure.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetSlotInfo`` stores the information about the slot in the ``CK_SLOT_INFO`` structure that
+   ``pInfo`` points to.
+
+   A user may call ``FC_GetSlotInfo`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+      Slot information was successfully copied.
+   ``CKR_SLOT_ID_INVALID``
+      The specified slot number is out of the defined range of values.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetSlotInfo </en-US/NSC_GetSlotInfo>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_getslotlist/index.rst b/security/nss/doc/rst/legacy/reference/fc_getslotlist/index.rst
new file mode 100644
index 0000000000..a655ae24a6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_getslotlist/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_reference_fc_getslotlist:
+
+FC_GetSlotList
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetSlotList - Obtain a list of slots in the system.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetSlotList(
+        CK_BBOOL tokenPresent,
+        CK_SLOT_ID_PTR pSlotList,
+        CK_ULONG_PTR pulCount
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``tokenPresent``
+      [in] If true only slots with a token present are included in the list, otherwise all slots are
+      included.
+   ``pSlotList``
+      [out] Either null or a pointer to an existing array of ``CK_SLOT_ID`` objects.
+   ``pulCount``
+      [out] Pointer to a ``CK_ULONG`` variable which receives the slot count.;
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetSlotList`` obtains a list of slots in the system.
+
+   A user may call ``FC_GetSlotList`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_GetSlotList </en-US/NSC_GetSlotList>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_gettokeninfo/index.rst b/security/nss/doc/rst/legacy/reference/fc_gettokeninfo/index.rst
new file mode 100644
index 0000000000..7b5a5b8db7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_gettokeninfo/index.rst
@@ -0,0 +1,106 @@
+.. _mozilla_projects_nss_reference_fc_gettokeninfo:
+
+FC_GetTokenInfo
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_GetTokenInfo - obtain information about a particular token in the system.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetTokenInfo`` has two parameters:
+
+   ``slotID``
+      the ID of the token's slot
+   ``pInfo``
+      points to a `CK_TOKEN_INFO </en-US/CK_TOKEN_INFO>`__ structure
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_GetTokenInfo`` returns information about the token in the specified slot. On return, the
+   ``CK_TOKEN_INFO`` structure that ``pInfo`` points to has the following information:
+
+   -  ``label``: the label of the token, assigned during token initialization, padded with spaces to
+      32 bytes and not null-terminated.
+   -  ``manufacturerID``: ID of the device manufacturer, "Mozilla Foundation", padded with spaces to
+      32 characters and not null-terminated.
+   -  ``model``: model of the device, "NSS 3", padded with spaces to 16 characters and not
+      null-terminated.
+   -  ``serialNumber``: the device's serial number as a string, "0000000000000000", 16 characters
+      and not null-terminated.
+   -  ``flags``: bit flags indicating capabilities and status of the device.
+
+      -  ``CKF_RNG (0x00000001)``: this device has a random number generator
+      -  ``CKF_WRITE_PROTECTED (0x00000002)``: this device is read-only
+      -  ``CKF_LOGIN_REQUIRED (0x00000004)``: this device requires the user to log in to use some of
+         its services
+      -  ``CKF_USER_PIN_INITIALIZED (0x00000008)``: the user's password has been initialized
+      -  ``CKF_DUAL_CRYPTO_OPERATIONS (0x00000200)``: a single session with the token can perform
+         dual cryptographic operations
+      -  ``CKF_TOKEN_INITIALIZED (0x00000400)``: the token has been initialized. If login is
+         required (which is true for the FIPS mode of operation), this flag means the user's
+         password has been initialized.
+
+   -  ``ulSessionCount``: number of sessions that this application currently has open with the token
+   -  ``ulRwSessionCount``: number of read/write sessions that this application currently has open
+      with the token
+   -  ``hardwareVersion``: hardware version number, for example, 8.3 (``major=0x08, minor=0x03``),
+      which are the version numbers of the certificate and key databases, respectively.
+   -  ``firmwareVersion``: firmware version number, 0.0 (``major=0x00, minor=0x00``).
+
+   A user may call ``FC_GetTokenInfo`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+      Token information was successfully copied.
+   ``CKR_CRYPTOKI_NOT_INITIALIZED``
+      The PKCS #11 module library is not initialized.
+   ``CKR_SLOT_ID_INVALID``
+      The specified slot number is out of the defined range of values.
+
+   .. note::
+
+      FC_GetTokenInfo should return CKR_ARGUMENTS_BAD if pInfo is NULL.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Note the use of the ``%.32s`` format string to print the ``label`` and ``manufacturerID`` members
+   of the ``CK_TOKEN_INFO`` structure.
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_getslotinfo`,
+      `NSC_GetTokenInfo </en-US/NSC_GetTokenInfo>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_initialize/index.rst b/security/nss/doc/rst/legacy/reference/fc_initialize/index.rst
new file mode 100644
index 0000000000..5cc8d2f3f8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_initialize/index.rst
@@ -0,0 +1,131 @@
+.. _mozilla_projects_nss_reference_fc_initialize:
+
+FC_Initialize
+=============
+
+.. _name:
+
+`Summary <#name>`__
+-------------------
+
+.. container::
+
+   FC_Initialize - initialize the PKCS #11 library.
+
+`Syntax <#syntax>`__
+--------------------
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Initialize(CK_VOID_PTR pInitArgs);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``pInitArgs``
+      Points to a ``CK_C_INITIALIZE_ARGS`` structure.
+
+`Description <#description>`__
+------------------------------
+
+.. container::
+
+   ``FC_Initialize`` initializes the :ref:`mozilla_projects_nss_reference_nss_cryptographic_module`
+   for the :ref:`mozilla_projects_nss_reference_nss_cryptographic_module_fips_mode_of_operation`. In
+   addition to creating the internal data structures, it performs the FIPS software integrity test
+   and power-up self-tests.
+
+   The ``pInitArgs`` argument must point to a ``CK_C_INITIALIZE_ARGS`` structure whose members
+   should have the following values:
+
+   -  ``CreateMutex`` should be ``NULL``.
+   -  ``DestroyMutex`` should be ``NULL``.
+   -  ``LockMutex`` should be ``NULL``.
+   -  ``UnlockMutex`` should be ``NULL``.
+   -  ``flags`` should be ``CKF_OS_LOCKING_OK``.
+   -  ``LibraryParameters`` should point to a string that contains the library parameters.
+   -  ``pReserved`` should be ``NULL``.
+
+   The library parameters string has this format:
+
+   .. code::
+
+      "configdir='dir' certPrefix='prefix1' keyPrefix='prefix2' secmod='file' flags= "
+
+   Here are some examples.
+
+   ``NSS_NoDB_Init("")``, which initializes NSS with no databases:
+
+   .. code::
+
+       "configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noMod
+      DB,forceOpen,optimizeSpace "
+
+   Mozilla Firefox initializes NSS with this string (on Windows):
+
+   .. code::
+
+       "configdir='C:\\Documents and Settings\\wtc\\Application Data\\Mozilla\\Firefox\\Profiles\\default.7tt' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace  manufacturerID='Mozilla.org' libraryDescription='PSM Internal Crypto Services' cryptoTokenDescription='Generic Crypto Services' dbTokenDescription='Software Security Device' cryptoSlotDescription='PSM Internal Cryptographic Services' dbSlotDescription='PSM Private Keys' FIPSSlotDescription='PSM Internal FIPS-140-1 Cryptographic Services' FIPSTokenDescription='PSM FIPS-140-1 User Private Key Services' minPS=0"
+
+   See :ref:`mozilla_projects_nss_pkcs11_module_specs` for complete documentation of the library
+   parameters string.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Initialize`` returns the following return codes.
+
+   -  ``CKR_OK``: library initialization succeeded.
+   -  ``CKR_ARGUMENTS_BAD``
+
+      -  ``pInitArgs`` is ``NULL``.
+      -  ``pInitArgs->LibraryParameters`` is ``NULL``.
+      -  only some of the lock functions were provided by the application.
+
+   -  ``CKR_CANT_LOCK``: the ``CKF_OS_LOCKING_OK`` flag is not set in ``pInitArgs->flags``. The NSS
+      cryptographic module always uses OS locking and doesn't know how to use the lock functions
+      provided by the application.
+   -  ``CKR_CRYPTOKI_ALREADY_INITIALIZED``: the library is already initialized.
+   -  ``CKR_DEVICE_ERROR``
+
+      -  We failed to create the OID tables, random number generator, or internal locks. (Note: we
+         probably should return ``CKR_HOST_MEMORY`` instead.)
+      -  The software integrity test or power-up self-tests failed. The NSS cryptographic module is
+         in a fatal error state.
+
+   -  ``CKR_HOST_MEMORY``: we ran out of memory.
+
+`Examples <#examples>`__
+------------------------
+
+.. container::
+
+   .. code::
+
+      #include <assert.h>
+
+      CK_FUNCTION_LIST_PTR pFunctionList;
+      CK_RV crv;
+      CK_C_INITIALIZE_ARGS initArgs;
+
+      crv = FC_GetFunctionList(&pFunctionList);
+      assert(crv == CKR_OK);
+
+      initArgs.CreateMutex = NULL;
+      initArgs.DestroyMutex = NULL;
+      initArgs.LockMutex = NULL;
+      initArgs.UnlockMutex = NULL;
+      initArgs.flags = CKF_OS_LOCKING_OK;
+      initArgs.LibraryParameters = "...";
+      initArgs.pReserved = NULL;
+
+      /* invoke FC_Initialize as pFunctionList->C_Initialize */
+      crv = pFunctionList->C_Initialize(&initArgs);
diff --git a/security/nss/doc/rst/legacy/reference/fc_initpin/index.rst b/security/nss/doc/rst/legacy/reference/fc_initpin/index.rst
new file mode 100644
index 0000000000..fc083b9e0a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_initpin/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_reference_fc_initpin:
+
+FC_InitPIN
+==========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitPIN()`` - Initialize the user's PIN.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_InitPIN(
+        CK_SESSION_HANDLE hSession,
+        CK_CHAR_PTR pPin,
+        CK_ULONG ulPinLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitPIN()`` takes three parameters:
+
+   ``hSession``
+      [Input] Session handle.
+   ``pPin``
+      [Input] Pointer to the PIN being set.
+   ``ulPinLen``
+      [Input] Length of the PIN.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitPIN()`` initializes the normal user's PIN.
+
+   ``FC_InitPIN()`` must be called when the PKCS #11 Security Officer (SO) is logged into the token
+   and the session is read/write, that is, the session must be in the "R/W SO Functions" state
+   (``CKS_RW_SO_FUNCTIONS``). The role of the PKCS #11 SO is to initialize a token and to initialize
+   the normal user's PIN. In the NSS cryptographic module, one uses the empty string password ("")
+   to log in as the PKCS #11 SO. The module only allows the PKCS #11 SO to log in if the normal
+   user's PIN has not yet been set or has been reset.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitPIN()`` returns the following return codes.
+
+   -  ``CKR_OK``: normal user's PIN initialization succeeded.
+   -  ``CKR_SESSION_HANDLE_INVALID``: the session handle is invalid.
+   -  ``CKR_USER_NOT_LOGGED_IN``: the session is not in the "R/W SO Functions" state.
+   -  ``CKR_PIN_INVALID``: the PIN has an invalid UTF-8 character.
+   -  ``CKR_PIN_LEN_RANGE``: the PIN is too short, too long, or too weak (doesn't have enough
+      character types).
+   -  ``CKR_DEVICE_ERROR``: normal user's PIN is already initialized.
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_InitPIN </en-US/NSC_InitPIN>`__, :ref:`mozilla_projects_nss_reference_fc_setpin`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_inittoken/index.rst b/security/nss/doc/rst/legacy/reference/fc_inittoken/index.rst
new file mode 100644
index 0000000000..900e91c5e3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_inittoken/index.rst
@@ -0,0 +1,110 @@
+.. _mozilla_projects_nss_reference_fc_inittoken:
+
+FC_InitToken
+============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitToken()`` - initialize or re-initialize a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_InitToken(
+        CK_SLOT_ID slotID,
+        CK_CHAR_PTR pPin,
+        CK_ULONG ulPinLen,
+        CK_CHAR_PTR pLabel
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitToken()`` has the following parameters:
+
+   ``slotID``
+      the ID of the token's slot
+   ``pPin``
+      the password of the security officer (SO)
+   ``ulPinLen``
+      the length in bytes of the SO password
+   ``pLabel``
+      points to the label of the token, which must be padded with spaces to 32 bytes and not be
+      null-terminated
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitToken()`` initializes a brand new token or re-initializes a token that was initialized
+   before.
+
+   Specifically, ``FC_InitToken()`` initializes or clears the key database, removes the password,
+   and then marks all the *user certs* in the certificate database as *non-user certs*. (User certs
+   are the certificates that have their associated private keys in the key database.)
+
+   A user must be able to call ``FC_InitToken()`` without logging into the token (to assume the NSS
+   User role) because either the user's password hasn't been set yet or the user forgets the
+   password and needs to blow away the password-encrypted private key database and start over.
+
+   .. note::
+
+      **Note:** The SO password should be the empty string, i.e., ``ulPinLen`` argument should be 0.
+      ``FC_InitToken()`` ignores the ``pLabel`` argument.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitToken()`` returns the following return codes.
+
+   -  ``CKR_OK``: token initialization succeeded.
+   -  ``CKR_SLOT_ID_INVALID``: slot ID is invalid.
+   -  ``CKR_TOKEN_WRITE_PROTECTED``
+
+      -  we don't have a reference to the key database (we failed to open the key database or we
+         have released our reference).
+
+   -  ``CKR_DEVICE_ERROR``: failed to reset the key database.
+
+.. _application_usage:
+
+`Application usage <#application_usage>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_InitToken()`` is used to reset the password for the key database when the user forgets the
+   password.
+
+   -  The "Reset Password" button of the Mozilla Application Suite and SeaMonkey (in
+      Preferences->Privacy & Security->Master Passwords) calls ``FC_InitToken()``.
+   -  The "-T" (token reset) command of ``certutil`` calls ``FC_InitToken()``.
+
+   .. note::
+
+      **Note:** Resetting the password clears all permanent secret and private keys. You won't be
+      able to decrypt the data, such as Mozilla's stored passwords, that were encrypted using any of
+      those keys.
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_initpin`, `NSC_InitToken </en-US/NSC_InitToken>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_login/index.rst b/security/nss/doc/rst/legacy/reference/fc_login/index.rst
new file mode 100644
index 0000000000..2a429ab6ba
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_login/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_reference_fc_login:
+
+FC_Login
+========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Login()`` - log a user into a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Login(
+        CK_SESSION_HANDLE hSession,
+        CK_USER_TYPE userType,
+        CK_CHAR_PTR pPin,
+        CK_ULONG ulPinLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Login()`` takes four parameters:
+
+   ``hSession``
+      [in] a session handle
+   ``userType``
+      [in] the user type (``CKU_SO`` or ``CKU_USER``)
+   ``pPin``
+      [in] a pointer that points to the user's PIN
+   ``ulPinLen``
+      [in] the length of the PIN
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Login()`` logs a user into a token.
+
+   The Security Officer (``CKU_SO``) only logs in to initialize the normal user's PIN. The SO PIN is
+   the empty string. The NSS cryptographic module doesn't allow the SO to log in if the normal
+   user's PIN is already initialized.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Login()`` returns the following return codes.
+
+   -  ``CKR_OK``: the user logged in successfully.
+   -  ``CKR_DEVICE_ERROR``: the token is in the Error state.
+   -  ``CKR_HOST_MEMORY``: memory allocation failed.
+   -  ``CKR_PIN_INCORRECT``: the PIN is incorrect.
+   -  ``CKR_PIN_LEN_RANGE``: the PIN is too long (``ulPinLen`` is greater than 255).
+
+      .. note::
+
+         The function should return ``CKR_PIN_INCORRECT`` in this case.
+
+   -  ``CKR_SESSION_HANDLE_INVALID``: the session handle is invalid.
+   -  ``CKR_USER_ALREADY_LOGGED_IN``: the user is already logged in.
+   -  ``CKR_USER_TYPE_INVALID``
+
+      -  The token can't authenticate the user because there is no key database or the user's
+         password isn't initialized.
+      -  ``userType`` is ``CKU_SO`` and the normal user's PIN is already initialized.
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_Login </en-US/NSC_Login>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_logout/index.rst b/security/nss/doc/rst/legacy/reference/fc_logout/index.rst
new file mode 100644
index 0000000000..2eaa2d065c
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_logout/index.rst
@@ -0,0 +1,58 @@
+.. _mozilla_projects_nss_reference_fc_logout:
+
+FC_Logout
+=========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Logout - log a user out from a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Logout(
+        CK_SESSION_HANDLE hSession
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Logs the current user out of a USER_FUNCTIONS session.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_closesession`, `NSC_Logout </en-US/NSC_Logout>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_opensession/index.rst b/security/nss/doc/rst/legacy/reference/fc_opensession/index.rst
new file mode 100644
index 0000000000..23c6927ed8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_opensession/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_reference_fc_opensession:
+
+FC_OpenSession
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_OpenSession - open a session between an application and a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_OpenSession(
+        CK_SLOT_ID slotID,
+        CK_FLAGS flags,
+        CK_VOID_PTR pApplication,
+        CK_NOTIFY Notify,
+        CK_SESSION_HANDLE_PTR phSession
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_OpenSession`` has the following parameters:
+
+   ``slotID``
+      [in] the ID of the token's slot.
+   ``flags``
+      [in]
+   ``pApplication``
+   ``Notify``
+      [in] pointer to a notification callback function. Not currently supported.
+   ``phSession``
+      [out] pointer to a session handle.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_OpenSession`` opens a session between an application and the token in the slot with the ID
+   ``slotID``.
+
+   The NSS cryptographic module currently doesn't call the surrender callback function ``Notify``.
+   (See PKCS #11 v2.20 section 11.17.1.)
+
+   A user may call ``FC_OpenSession`` without logging into the token (to assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_closesession`,
+      `NSC_OpenSession </en-US/NSC_OpenSession>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_seedrandom/index.rst b/security/nss/doc/rst/legacy/reference/fc_seedrandom/index.rst
new file mode 100644
index 0000000000..175dd8d2b7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_seedrandom/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_seedrandom:
+
+FC_SeedRandom
+=============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SeedRandom()`` - mix additional seed material into the random number generator.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SeedRandom(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pSeed,
+        CK_ULONG usSeedLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pSeed``
+      [in] pointer to the seed material
+   ``usSeedLen``
+      [in] length of the seed material in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SeedRandom()`` mixes additional seed material into the token's random number generator. Note
+   that ``FC_SeedRandom()`` doesn't provide the initial seed material for the random number
+   generator. The initial seed material is provided by the NSS cryptographic module itself.
+
+   |
+   | A user may call ``FC_SeedRandom()`` without logging into the token (to assume the NSS User
+     role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SeedRandom </en-US/NSC_SeedRandom>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_setattributevalue/index.rst b/security/nss/doc/rst/legacy/reference/fc_setattributevalue/index.rst
new file mode 100644
index 0000000000..38da0d539a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_setattributevalue/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_setattributevalue:
+
+FC_SetAttributeValue
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SetAttributeValue - set the values of attributes of an object.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SetAttributeValue(
+        CK_SESSION_HANDLE hSession,
+        CK_OBJECT_HANDLE hObject,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG usCount
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``hObject``
+      [in] object handle.
+   ``pTemplate``
+      [in, out] pointer to template.
+   ``usCount``
+      [in] number of attributes in the template.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SetAttributeValue`` sets the value of one or more attributes of an object.
+
+   A user must log into the token before setting the attribute values of a secret or private key
+   object.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SetAttributeValue </en-US/NSC_SetAttributeValue>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_setoperationstate/index.rst b/security/nss/doc/rst/legacy/reference/fc_setoperationstate/index.rst
new file mode 100644
index 0000000000..c45b254892
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_setoperationstate/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_reference_fc_setoperationstate:
+
+FC_SetOperationState
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SetOperationState - restore the cryptographic operation state of a session.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SetOperationState(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pOperationState,
+        CK_ULONG ulOperationStateLen,
+        CK_OBJECT_HANDLE hEncryptionKey,
+        CK_OBJECT_HANDLE hAuthenticationKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] handle of the open session.
+   ``pOperationState``
+      [in] pointer to a byte array containing the operation state.
+   ``ulOperationStateLen``
+      [in] contains the total length (in bytes) of the operation state.
+   ``hEncryptionKey``
+      [in] handle of the encryption or decryption key to be used in a stored session or zero if no
+      key is needed.
+   ``hAuthenticationKey``
+      [in] handle of the authentication key to be used in the stored session or zero if none is
+      needed.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SetOperationState`` restores the cryptographic operations state of a session from an array
+   of bytes obtained with ``FC_GetOperationState``. This function only works for digest operations
+   for now. Therefore, a user may call ``FC_SetOperationState`` without logging into the token (to
+   assume the NSS User role).
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_getoperationstate`,
+      `NSC_SetOperationState </en-US/NSC_SetOperationState>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_setpin/index.rst b/security/nss/doc/rst/legacy/reference/fc_setpin/index.rst
new file mode 100644
index 0000000000..83ef6f17db
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_setpin/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_reference_fc_setpin:
+
+FC_SetPIN
+=========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SetPIN - Modify the user's PIN.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SetPIN(
+        CK_SESSION_HANDLE hSession,
+        CK_CHAR_PTR pOldPin,
+        CK_ULONG ulOldLen,
+        CK_CHAR_PTR pNewPin,
+        CK_ULONG ulNewLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SetPIN`` takes five parameters:
+
+   ``hSession``
+      [Input] the session's handle
+   ``pOldPin``
+      [Input] points to the old PIN.
+   ``ulOldLen``
+      [Input] the length in bytes of the old PIN.
+   ``pNewPin``
+      [Input] points to the new PIN.
+   ``ulNewLen``
+      [Input] the length in bytes of the new PIN.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SetPIN`` modifies the PIN of the user. The user must log into the token (to assume the NSS
+   User role) before calling ``FC_SetPIN``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK``
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SetPIN </en-US/NSC_SetPIN>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_sign/index.rst b/security/nss/doc/rst/legacy/reference/fc_sign/index.rst
new file mode 100644
index 0000000000..f1bc786587
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_sign/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_reference_fc_sign:
+
+FC_Sign
+=======
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Sign - sign a block of data.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Sign(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pData,
+        CK_ULONG usDataLen,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG_PTR pusSignatureLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pData``
+      [in] pointer to data block.
+   ``usDataLen``
+      [in] length of the data in bytes.
+   ``pSignature``
+      [out] pointer to location where recovered data is to be stored.
+   ``pusSignatureLen``
+      [in, out] pointer to the maximum size of the output buffer, replaced by the length of the
+      signature if the operation is successful.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Sign`` signs a message in a single operation according to the attributes of the previous
+   call to ``FC_SignInit``.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_Sign``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_signinit`, `NSC_Sign </en-US/NSC_Sign>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_signencryptupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_signencryptupdate/index.rst
new file mode 100644
index 0000000000..5064bbfe3f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_signencryptupdate/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_reference_fc_signencryptupdate:
+
+FC_SignEncryptUpdate
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SignEncryptUpdate - continue a multi-part signing and encryption operation
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SignEncryptUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pPart,
+        CK_ULONG ulPartLen,
+        CK_BYTE_PTR pEncryptedPart,
+        CK_ULONG_PTR pulEncryptedPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pPart``
+      [in] pointer to the data part.
+   ``ulPartLen``
+      [in] length of data in bytes.
+   ``pEncryptedPart``
+      [in] pointer to the location which receives the signed and encrypted data part or NULL.
+   ``pulEncryptedPartLen``
+      [in] pointer to the length of the encrypted part buffer.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SignEncryptUpdate`` continues a multi-part signature and encryption operation. After calling
+   both ``FC_SignInit`` and ``FC_EncryptInit`` to set up the operations this function may be called
+   multiple times. The operation is finished by calls to ``FC_SignFinal`` and ``FC_EncryptFinal``.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_SignEncryptUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SignEncryptUpdate </en-US/NSC_SignEncryptUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_signfinal/index.rst b/security/nss/doc/rst/legacy/reference/fc_signfinal/index.rst
new file mode 100644
index 0000000000..295ec3b47f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_signfinal/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_reference_fc_signfinal:
+
+FC_SignFinal
+============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SignFinal - finish a multi-part signing operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SignFinal(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG_PTR pusSignatureLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pSignature``
+      [out] pointer to the buffer which will receive the digest or NULL.
+   ``pusSignatureLen``
+      [in, out] pointer to location containing the maximum buffer size.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SignFinal`` finishes a multi-part signing operation by returning the complete signature and
+   clearing the operation context. If ``pSignature`` is NULL the length of the signature is returned
+   and ``FC_SignFinal`` may be called again with ``pSignature`` set to retrieve the signature.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_SignFinal``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_signupdate`, `NSC_SignFinal </en-US/NSC_SignFinal>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_signinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_signinit/index.rst
new file mode 100644
index 0000000000..0c6fc6ab67
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_signinit/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_reference_fc_signinit:
+
+FC_SignInit
+===========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SignInit - initialize a signing operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SignInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] mechanism to be used for the subsequent signing operation.
+   ``hKey``
+      [in] handle of the key to be used .
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SignInit`` initializes a signature operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_SignInit``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SignInit </en-US/NSC_SignInit>`__ :ref:`mozilla_projects_nss_reference_fc_sign`
+      :ref:`mozilla_projects_nss_reference_fc_signupdate`
+      :ref:`mozilla_projects_nss_reference_fc_signfinal`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_signrecover/index.rst b/security/nss/doc/rst/legacy/reference/fc_signrecover/index.rst
new file mode 100644
index 0000000000..b20e4cd9cb
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_signrecover/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_reference_fc_signrecover:
+
+FC_SignRecover
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SignRecover - Sign data in a single recoverable operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SignRecover(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pData,
+        CK_ULONG usDataLen,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG_PTR pusSignatureLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pData``
+      [in] mechanism to be used for the signing operation.
+   ``usDataLen``
+      [in] handle of the key to be usedn.
+   ``pSignature``
+      [out] pointer to the buffer or NULL.
+   ``pusSignatureLen``
+      [in, out] pointer to the size of the output buffer, replaced by the length of the signature if
+      the operation is successful.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SignRecover`` signs data in a single operation where the (digest) data can be recovered from
+   the signature. If ``pSignature`` is NULL only the length of the signature is returned in
+   ``*pusSignatureLen``.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_SignRecover``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SignRecover </en-US/NSC_SignRecover>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_signrecoverinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_signrecoverinit/index.rst
new file mode 100644
index 0000000000..8fd7a9027a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_signrecoverinit/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_reference_fc_signrecoverinit:
+
+FC_SignRecoverInit
+==================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SignRecoverInit - initialize a sign recover operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SignRecoverInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] mechanism to be used for the signing operation.
+   ``hKey``
+      [in] handle of the key to be used.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SignRecoverInit`` initializes a initializes a signature operation where the (digest) data
+   can be recovered from the signature.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_SignRecoverInit``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_SignRecoverInit </en-US/NSC_SignRecoverInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_signupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_signupdate/index.rst
new file mode 100644
index 0000000000..08eedda2c6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_signupdate/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_reference_fc_signupdate:
+
+FC_SignUpdate
+=============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_SignUpdate - process the next block of a multi-part signing operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_SignUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pPart,
+        CK_ULONG usPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pPart``
+      [in] pointer to the next block of the data to be signed.
+   ``usPartLen``
+      [in] length of data block in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_SignUpdate`` starts or continues a multi-part signature operation. One or more blocks may be
+   part of the signature. The signature for the entire message is returned by a call to
+   :ref:`mozilla_projects_nss_reference_fc_signfinal`.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_SignUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_signinit`,
+      :ref:`mozilla_projects_nss_reference_fc_signfinal`, `NSC_SignUpdate </en-US/NSC_SignUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_unwrapkey/index.rst b/security/nss/doc/rst/legacy/reference/fc_unwrapkey/index.rst
new file mode 100644
index 0000000000..afec622775
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_unwrapkey/index.rst
@@ -0,0 +1,83 @@
+.. _mozilla_projects_nss_reference_fc_unwrapkey:
+
+FC_UnwrapKey
+============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_UnwrapKey - unwrap a key
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_UnwrapKey(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hUnwrappingKey,
+        CK_BYTE_PTR pWrappedKey,
+        CK_ULONG usWrappedKeyLen,
+        CK_ATTRIBUTE_PTR pTemplate,
+        CK_ULONG usAttributeCount,
+        CK_OBJECT_HANDLE_PTR phKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] pointer to the mechanism to use.
+   ``hUnwrappingKey``
+      [in] handle of the ket to use for unwrapping.
+   ``pWrappedKey``
+      [in] pointer to the wrapped key.
+   ``usWrappedKeyLen``
+      [in] length of the wrapped key.
+   ``pTemplate``
+      [in] pointer to the list of attributes for the unwrapped key.
+   ``usAttributeCount``
+      [in] number of attributes in the template.
+   ``phKey``
+      [out] pointer to the location to receive the handle of the unwrapped key.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_UnwrapKey`` unwraps (decrypts) a key and creates a new key opbject. If ``pWrappedKey`` is
+   NULL the length of the wrapped key is returned in ``pusWrappedKeyLen`` and FC_UnwrapKey may be
+   called again with ``pWrappedKey`` set to retrieve the wrapped key.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_UnwrapKey``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_UnwrapKey </en-US/NSC_UnwrapKey>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_verify/index.rst b/security/nss/doc/rst/legacy/reference/fc_verify/index.rst
new file mode 100644
index 0000000000..23ee0c7615
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_verify/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_reference_fc_verify:
+
+FC_Verify
+=========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_Verify - sign a block of data.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_Verify(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pData,
+        CK_ULONG usDataLen,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG usSignatureLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pData``
+      [in] pointer to data block.
+   ``usDataLen``
+      [in] length of the data in bytes.
+   ``pSignature``
+      [in] pointer to the signature.
+   ``usSignatureLen``
+      [in] length of the signature in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_Verify`` verifies a signature in a single-part operation, where the signature is an appendix
+   to the data.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_Verify``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``CKR_OK`` is returned on success. ``CKR_SIGNATURE_INVALID`` is returned for signature mismatch.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyinit`, `NSC_Verify </en-US/NSC_Verify>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_verifyfinal/index.rst b/security/nss/doc/rst/legacy/reference/fc_verifyfinal/index.rst
new file mode 100644
index 0000000000..0dcf1804ad
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_verifyfinal/index.rst
@@ -0,0 +1,67 @@
+.. _mozilla_projects_nss_reference_fc_verifyfinal:
+
+FC_VerifyFinal
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_VerifyFinal - finish a multi-part verify operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_VerifyFinal(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG usSignatureLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pSignature``
+      [in] pointer to the buffer which will receive the digest or NULL.
+   ``usSignatureLen``
+      [in] length of the signature in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_VerifyFinal`` finishes a multi-part signature verification operation.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_VerifyFinal``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyupdate`,
+      `NSC_VerifyFinal </en-US/NSC_VerifyFinal>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_verifyinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_verifyinit/index.rst
new file mode 100644
index 0000000000..706d5a1ed9
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_verifyinit/index.rst
@@ -0,0 +1,67 @@
+.. _mozilla_projects_nss_reference_fc_verifyinit:
+
+FC_VerifyInit
+=============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_VerifyInit - initialize a verification operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_VerifyInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] mechanism to be used for the verification operation.
+   ``hKey``
+      [in] handle of the key to be used.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_VerifyInit`` initializes a verification operation where the signature is an appendix to the
+   data.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_VerifyInit``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_VerifyInit </en-US/NSC_VerifyInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_verifyrecover/index.rst b/security/nss/doc/rst/legacy/reference/fc_verifyrecover/index.rst
new file mode 100644
index 0000000000..4615eac8af
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_verifyrecover/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_reference_fc_verifyrecover:
+
+FC_VerifyRecover
+================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_VerifyRecover - Verify data in a single recoverable operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_VerifyRecover(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG usSignatureLen,
+        CK_BYTE_PTR pData,
+        CK_ULONG_PTR pusDataLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pSignature``
+      [in] mechanism to be used for the signing operation.
+   ``usSignatureLen``
+      [in] handle of the key to be usedn.
+   ``pData``
+      [out] pointer to the buffer or NULL.
+   ``pusDataLen``
+      [in, out] pointer to the size of the output buffer, replaced by the length of the signature if
+      the operation is successful.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_VerifyRecover`` verifies data in a single operation where the (digest) data can be recovered
+   from the signature. If ``pSignature`` is NULL only the length of the signature is returned in
+   ``*pusSignatureLen``.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_VerifyRecover``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_VerifyRecover </en-US/NSC_VerifyRecover>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_verifyrecoverinit/index.rst b/security/nss/doc/rst/legacy/reference/fc_verifyrecoverinit/index.rst
new file mode 100644
index 0000000000..aa17391253
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_verifyrecoverinit/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_reference_fc_verifyrecoverinit:
+
+FC_VerifyRecoverInit
+====================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_VerifyRecoverInit - initialize a verification operation where data is recoverable.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_VerifyRecoverInit(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hKey
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] mechanism to be used for verification.
+   ``hKey``
+      [in] handle of the key to be used.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_VerifyRecoverInit`` initializes a signature verification operation where the (digest) data
+   can be recovered from the signature.
+
+   A user must log into the token (to assume the NSS User role) before calling
+   ``FC_VerifyRecoverInit``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_VerifyRecoverInit </en-US/NSC_VerifyRecoverInit>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_verifyupdate/index.rst b/security/nss/doc/rst/legacy/reference/fc_verifyupdate/index.rst
new file mode 100644
index 0000000000..5cac472cb1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_verifyupdate/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_reference_fc_verifyupdate:
+
+FC_VerifyUpdate
+===============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_VerifyUpdate - process the next block of a multi-part verify operation.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_VerifyUpdate(
+        CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pPart,
+        CK_ULONG usPartLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pPart``
+      [in] pointer to the next block of the data to be verified.
+   ``usPartLen``
+      [in] length of data block in bytes.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_VerifyUpdate`` starts or continues a multi-part signature verification operation where the
+   signature is an appendix to the data. One or more blocks may be part of the signature. The result
+   for the entire message is returned by a call to
+   :ref:`mozilla_projects_nss_reference_fc_verifyfinal`.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_VerifyUpdate``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyfinal`,
+      `NSC_VerifyUpdate </en-US/NSC_VerifyUpdate>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_waitforslotevent/index.rst b/security/nss/doc/rst/legacy/reference/fc_waitforslotevent/index.rst
new file mode 100644
index 0000000000..08faff6974
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_waitforslotevent/index.rst
@@ -0,0 +1,61 @@
+.. _mozilla_projects_nss_reference_fc_waitforslotevent:
+
+FC_WaitForSlotEvent
+===================
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_WaitForSlotEvent - waits for a slot event, such as token insertion or token removal, to occur.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot CK_VOID_PTR pReserved);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_WaitForSlotEvent`` takes three parameters:
+
+   ``flags``
+   ``pSlot``.
+   ``pReserved``.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   This function is not supported by the NSS cryptographic module.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_WaitForSlotEvent`` always returns ``CKR_FUNCTION_NOT_SUPPORTED``.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_waitforslotevent`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/fc_wrapkey/index.rst b/security/nss/doc/rst/legacy/reference/fc_wrapkey/index.rst
new file mode 100644
index 0000000000..6837c6f5ef
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/fc_wrapkey/index.rst
@@ -0,0 +1,77 @@
+.. _mozilla_projects_nss_reference_fc_wrapkey:
+
+FC_WrapKey
+==========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   FC_WrapKey - wrap a key
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV FC_WrapKey(
+        CK_SESSION_HANDLE hSession,
+        CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hWrappingKey,
+        CK_OBJECT_HANDLE hKey,
+        CK_BYTE_PTR pWrappedKey,
+        CK_ULONG_PTR pusWrappedKeyLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``hSession``
+      [in] session handle.
+   ``pMechanism``
+      [in] pointer to the mechanism to use.
+   ``hWrappingKey``
+      [in] pointer to the public key template.
+   ``hKey``
+      [in] number of attributes in the public key template.
+   ``pWrappedKey``
+      [out] pointer to the location to receive the wrapped key or NULL.
+   ``pusWrappedKeyLen``
+      [in, out] pointer to length of wrapped key buffer.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``FC_WrapKey`` wraps (encrypts) a key. If ``pWrappedKey`` is NULL the length of the wrapped key
+   is returned in ``pusWrappedKeyLen`` and FC_WrapKey may be called again with ``pWrappedKey`` set
+   to retrieve the wrapped key.
+
+   A user must log into the token (to assume the NSS User role) before calling ``FC_WrapKey``.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_WrapKey </en-US/NSC_WrapKey>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/index.rst b/security/nss/doc/rst/legacy/reference/index.rst
new file mode 100644
index 0000000000..a5cbc957a7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/index.rst
@@ -0,0 +1,340 @@
+.. _mozilla_projects_nss_reference:
+
+NSS reference
+=============
+
+.. _initial_notes:
+
+`Initial Notes <#initial_notes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. container:: notecard note
+
+      -  We are migrating the :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference` into the
+         format described in the `MDN Style
+         Guide <https://developer.mozilla.org/en-US/docs/MDN/Guidelines>`__. If you are inclined to
+         help with this migration, your help would be very much appreciated.
+
+      -  The proposed chapters below are based on the chapters of the
+         :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference` and the categories of functions
+         in :ref:`mozilla_projects_nss_reference_nss_functions`.
+
+      -  Should a particular page require the use of an underscore, please see the documentation for
+         the `Title Override Extension </Project:En/MDC_style_guide#Title_Override_Extension>`__.
+
+.. _building_and_installing_nss:
+
+`Building and installing NSS <#building_and_installing_nss>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   :ref:`mozilla_projects_nss_reference_building_and_installing_nss`
+
+.. _overview_of_an_nss_application:
+
+`Overview of an NSS application <#overview_of_an_nss_application>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_sslintro` in the SSL Reference.
+
+.. _getting_started_with_nss:
+
+`Getting started with NSS <#getting_started_with_nss>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_gtstd` in the SSL Reference.
+
+.. _data_types:
+
+`Data types <#data_types>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_ssltyp` in the SSL Reference.
+
+.. _nss_initialization_and_shutdown:
+
+`NSS initialization and shutdown <#nss_initialization_and_shutdown>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  NSS_Init
+   -  NSS_InitReadWrite
+   -  NSS_NoDB_Init
+   -  :ref:`mozilla_projects_nss_reference_nss_initialize`
+   -  NSS_Shutdown
+
+.. _utility_functions:
+
+`Utility functions <#utility_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_reference_nss_functions#utility_functions` in NSS Public
+   Functions.
+
+.. _certificate_functions:
+
+`Certificate functions <#certificate_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_sslcrt` in the SSL Reference and
+   :ref:`mozilla_projects_nss_reference_nss_functions#certificate_functions` in NSS Public
+   Functions.
+
+   -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#validating_certificates`
+
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_verifycertnow`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_verifycert`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_verifycertname`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_checkcertvalidtimes`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#nss_cmpcertchainwcanames`
+
+   -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#manipulating_certificates`
+
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_dupcertificate`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_destroycertificate`
+      -  SEC_DeletePermCertificate
+      -  \__CERT_ClosePermCertDB
+
+   -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#getting_certificate_information`
+
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_findcertbyname`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_getcertnicknames`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_freenicknames`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#cert_getdefaultcertdb`
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#nss_findcertkeatype`
+
+   -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#comparing_secitem_objects`
+
+      -  :ref:`mozilla_projects_nss_reference_nss_certificate_functions#secitem_compareitem`
+
+.. _key_functions:
+
+`Key functions <#key_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   :ref:`mozilla_projects_nss_reference_nss_key_functions`
+
+   -  :ref:`mozilla_projects_nss_ssl_functions_sslkey#seckey_getdefaultkeydb`
+   -  :ref:`mozilla_projects_nss_ssl_functions_sslkey#seckey_destroyprivatekey`
+
+.. _digital_signatures:
+
+`Digital signatures <#digital_signatures>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   This API consists of the routines used to perform signature generation and the routines used to
+   perform signature verification.
+
+.. _encryption.2fdecryption:
+
+`Encryption/decryption <#encryption.2fdecryption>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+`Hashing <#hashing>`__
+~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _key_generation:
+
+`Key generation <#key_generation>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Generate keys, key pairs, and domain parameters.
+
+.. _random_number_generation:
+
+`Random number generation <#random_number_generation>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   This API consists of the two routines used for pseudorandom number generation --
+   PK11_GenerateRandomOnSlot and PK11_GenerateRandom -- and the two routines used for seeding
+   pseudorandom number generation -- PK11_SeedRandom and PK11_RandomUpdate.
+
+.. _pkcs_.2311_functions:
+
+`PKCS #11 functions <#pkcs_.2311_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_pkfnc` in the SSL Reference and
+   :ref:`mozilla_projects_nss_reference_nss_functions#cryptography_functions` in NSS Public
+   Functions.
+
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#secmod_loadusermodule`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#secmod_unloadusermodule`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#secmod_closeuserdb`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#secmod_openuserdb`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_findcertfromnickname`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_findkeybyanycert`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_getslotname`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_gettokenname`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_ishw`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_ispresent`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_isreadonly`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions#pk11_setpasswordfunc`
+
+.. _ssl_functions:
+
+`SSL Functions <#ssl_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_sslfnc` in the SSL Reference and
+   :ref:`mozilla_projects_nss_reference_nss_functions#ssl_functions` and
+   :ref:`mozilla_projects_nss_reference_nss_functions#deprecated_ssl_functions` in NSS Public
+   Functions.
+
+   -  SSL_ConfigServerSessionIDCache
+   -  SSL_ClearSessionCache
+
+.. _s.2fmime:
+
+`S/MIME <#s.2fmime>`__
+~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on the `S/MIME
+   Reference <https://www-archive.mozilla.org/projects/security/pki/nss/ref/smime/>`__ (which only
+   has one written chapter) and
+   :ref:`mozilla_projects_nss_reference_nss_functions#s_2fmime_functions` in NSS Public Functions.
+
+.. _pkcs_.237_functions:
+
+`PKCS #7 functions <#pkcs_.237_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on `"Archived PKCS #7 Functions
+   documentation." <https://www-archive.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html#pkcs7>`__
+
+.. _pkcs_.235_functions:
+
+`PKCS #5 functions <#pkcs_.235_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Password-based encryption
+
+   -  SEC_PKCS5GetIV
+   -  SEC_PKCS5CreateAlgorithmID
+   -  SEC_PKCS5GetCryptoAlgorithm
+   -  SEC_PKCS5GetKeyLength
+   -  SEC_PKCS5GetPBEAlgorithm
+   -  SEC_PKCS5IsAlgorithmPBEAlg
+
+.. _pkcs_.2312_functions:
+
+`PKCS #12 functions <#pkcs_.2312_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on `"Archived PKCS #12 Functions
+   documentation." <https://www-archive.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html#pkcs12>`__
+   Used to exchange data such as private keys and certificates between two parties.
+
+   -  SEC_PKCS12CreateExportContext
+   -  SEC_PKCS12CreatePasswordPrivSafe
+   -  SEC_PKCS12CreateUnencryptedSafe
+   -  SEC_PKCS12AddCertAndKey
+   -  SEC_PKCS12AddPasswordIntegrity
+   -  SEC_PKCS12EnableCipher
+   -  SEC_PKCS12Encode
+   -  SEC_PKCS12DestroyExportContext
+   -  SEC_PKCS12DecoderStart
+   -  SEC_PKCS12DecoderImportBags
+   -  SEC_PKCS12DecoderUpdate
+   -  SEC_PKCS12DecoderFinish
+   -  SEC_PKCS12DecoderValidateBags
+   -  SEC_PKCS12DecoderVerify
+   -  SEC_PKCS12DecoderGetCerts
+   -  SEC_PKCS12DecoderSetTargetTokenCAs
+   -  SEC_PKCS12DecoderIterateInit
+   -  SEC_PKCS12DecoderIterateNext
+   -  SEC_PKCS12IsEncryptionAllowed
+   -  SEC_PKCS12SetPreferredCipher
+
+.. _nspr_functions:
+
+`NSPR functions <#nspr_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   A small number of :ref:`mozilla_projects_nss_reference_nspr_functions` are required for using the
+   certificate verification and SSL functions in NSS.  These functions are listed in this section.
+
+.. _error_codes:
+
+`Error codes <#error_codes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_ssl_functions_sslerr` in the SSL Reference.
+
+.. _nss_environment_variables:
+
+`NSS Environment variables <#nss_environment_variables>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   :ref:`mozilla_projects_nss_reference_nss_environment_variables`
+
+.. _nss_cryptographic_module:
+
+`NSS cryptographic module <#nss_cryptographic_module>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   :ref:`mozilla_projects_nss_reference_nss_cryptographic_module`
+
+.. _nss_tech_notes:
+
+`NSS Tech Notes <#nss_tech_notes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   :ref:`mozilla_projects_nss_nss_tech_notes` :ref:`mozilla_projects_nss_memory_allocation`
+
+`Tools <#tools>`__
+~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Based on :ref:`mozilla_projects_nss_tools` documentation.
+
+   Based on :ref:`mozilla_projects_nss_tools`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nsc_inittoken/index.rst b/security/nss/doc/rst/legacy/reference/nsc_inittoken/index.rst
new file mode 100644
index 0000000000..8f5b91ffe6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nsc_inittoken/index.rst
@@ -0,0 +1,113 @@
+.. _mozilla_projects_nss_reference_nsc_inittoken:
+
+NSC_InitToken
+=============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_InitToken()`` - initialize or re-initialize a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV NSC_InitToken(
+        CK_SLOT_ID slotID,
+        CK_CHAR_PTR pPin,
+        CK_ULONG ulPinLen,
+        CK_CHAR_PTR pLabel
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_InitToken()`` has the following parameters:
+
+   ``slotID``
+      the ID of the token's slot
+   ``pPin``
+      the password of the security officer (SO)
+   ``ulPinLen``
+      the length in bytes of the SO password
+   ``pLabel``
+      points to the label of the token, which must be padded with spaces to 32 bytes and not be
+      null-terminated
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_InitToken()`` initializes a brand new token or re-initializes a token that was initialized
+   before.
+
+   Specifically, ``NSC_InitToken()`` initializes or clears the key database, removes the password,
+   and then marks all the *user certs* in the certificate database as *non-user certs*. (User certs
+   are the certificates that have their associated private keys in the key database.)
+
+   .. note::
+
+      **Note:** The SO password should be the empty string, i.e., ``ulPinLen`` argument should be 0.
+      ``NSC_InitToken()`` ignores the ``pLabel`` argument.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_InitToken()`` returns the following return codes.
+
+   -  ``CKR_OK``: token initialization succeeded.
+   -  ``CKR_SLOT_ID_INVALID``: slot ID is invalid.
+   -  ``CKR_TOKEN_WRITE_PROTECTED``
+
+      -  slot ID is 1. (The non-FIPS mode has two slots: 1 and 2. The key database is in slot 2.
+         Slot 1 doesn't have a key database.)
+      -  we don't have a reference to the key database (we failed to open the key database or we
+         have released our reference).
+
+   -  ``CKR_DEVICE_ERROR``: failed to reset the key database.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+.. _application_usage:
+
+`Application usage <#application_usage>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_InitToken()`` is used to reset the password for the key database when the user forgets the
+   password.
+
+   -  The "Reset Password" button of the Mozilla Application Suite and SeaMonkey (in
+      **Preferences->Privacy & Security->Master Passwords**) calls ``NSC_InitToken()``.
+   -  The "-T" (token reset) command of ``certutil`` calls ``NSC_InitToken()``.
+
+   .. note::
+
+      **Note:** Resetting the password clears all permanent secret and private keys. You won't be
+      able to decrypt the data, such as Mozilla's stored passwords, that were encrypted using any of
+      those keys.
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  `NSC_InitPIN </en-US/NSC_InitPIN>`__, :ref:`mozilla_projects_nss_reference_fc_inittoken`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nsc_login/index.rst b/security/nss/doc/rst/legacy/reference/nsc_login/index.rst
new file mode 100644
index 0000000000..54ae57f212
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nsc_login/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_reference_nsc_login:
+
+NSC_Login
+=========
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_Login()`` - log a user into a token.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      CK_RV NSC_Login(
+        CK_SESSION_HANDLE hSession,
+        CK_USER_TYPE userType,
+        CK_CHAR_PTR pPin,
+        CK_ULONG ulPinLen
+      );
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_Login()`` takes four parameters:
+
+   ``hSession``
+      [in] a session handle
+   ``userType``
+      [in] the user type (``CKU_SO`` or ``CKU_USER``)
+   ``pPin``
+      [in] a pointer that points to the user's PIN
+   ``ulPinLen``
+      [in] the length of the PIN
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_Login()`` logs a user into a token.
+
+   The Security Officer (``CKU_SO``) only logs in to initialize the normal user's PIN. The SO PIN is
+   the empty string. The NSS cryptographic module doesn't allow the SO to log in if the normal
+   user's PIN is already initialized.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSC_Login()`` returns the following return codes.
+
+   -  ``CKR_OK``: the user logged in successfully.
+   -  ``CKR_DEVICE_ERROR``: the token is in the Error state.
+   -  ``CKR_HOST_MEMORY``: memory allocation failed.
+   -  ``CKR_PIN_INCORRECT``: the PIN is incorrect.
+   -  ``CKR_PIN_LEN_RANGE``: the PIN is too long (``ulPinLen`` is greater than 255).
+
+      .. note::
+
+         The function should return ``CKR_PIN_INCORRECT`` in this case.
+
+   -  ``CKR_SESSION_HANDLE_INVALID``: the session handle is invalid.
+   -  ``CKR_USER_ALREADY_LOGGED_IN``: the user is already logged in.
+   -  ``CKR_USER_TYPE_INVALID``
+
+      -  The token can't authenticate the user because there is no key database or the user's
+         password isn't initialized.
+      -  ``userType`` is ``CKU_SO`` and the normal user's PIN is already initialized.
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_login`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nspr_functions/index.rst b/security/nss/doc/rst/legacy/reference/nspr_functions/index.rst
new file mode 100644
index 0000000000..55d33200ec
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nspr_functions/index.rst
@@ -0,0 +1,126 @@
+.. _mozilla_projects_nss_reference_nspr_functions:
+
+NSPR functions
+==============
+
+.. container::
+
+   `NSPR <https://www.mozilla.org/projects/nspr/>`__ is a platform abstraction library that provides
+   a cross-platform API to common OS services.  NSS uses NSPR internally as the porting layer. 
+   However, a small number of NSPR functions are required for using the certificate verification and
+   SSL functions in NSS.  These NSPR functions are listed in this section.
+
+.. _nspr_initialization_and_shutdown:
+
+`NSPR initialization and shutdown <#nspr_initialization_and_shutdown>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   NSPR is automatically initialized by the first NSPR function called by the application.  Call
+   ```PR_Cleanup`` </en-US/PR_Cleanup>`__ to shut down NSPR and clean up its resources.\ `
+    </en-US/PR_Init>`__
+
+   -  `PR_Cleanup </en-US/PR_Cleanup>`__
+
+.. _error_reporting:
+
+`Error reporting <#error_reporting>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   NSS uses NSPR's thread-specific error code to report errors.  Call
+   ```PR_GetError`` </en-US/PR_GetError>`__ to get the error code of the last failed NSS or NSPR
+   function.  Call ```PR_SetError`` </en-US/PR_SetError>`__ to set the error code, which can be
+   retrieved with ``PR_GetError`` later.
+
+   The NSS functions ``PORT_GetError`` and ``PORT_SetError`` are simply wrappers of ``PR_GetError``
+   and ``PR_SetError``.
+
+   -  `PR_GetError </en-US/PR_GetError>`__
+   -  `PR_SetError </en-US/PR_SetError>`__
+
+.. _calendar_time:
+
+`Calendar time <#calendar_time>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   NSS certificate verification functions take a ``PRTime`` parameter that specifies the time
+   instant at which the validity of the certificate should verified.  The NSPR function
+   ```PR_Now`` </en-US/PR_Now>`__ returns the current time in ``PRTime``.
+
+   -  `PR_Now </en-US/PR_Now>`__
+
+.. _interval_time:
+
+`Interval time <#interval_time>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   The NSPR socket I/O functions ```PR_Recv`` </en-US/PR_Recv>`__ and
+   ```PR_Send`` </en-US/PR_Send>`__ (used by the NSS SSL functions) take a ``PRIntervalTime``
+   timeout parameter.  ``PRIntervalTime`` has an abstract, platform-dependent time unit.  Call
+   ```PR_SecondsToInterval`` </en-US/PR_SecondsToInterval>`__ or ``PR_MillisecondsToInterval`` to
+   convert a time interval in seconds or milliseconds to ``PRIntervalTime``.
+
+   -  `PR_SecondsToInterval </en-US/PR_SecondsToInterval>`__
+   -  `PR_MillisecondsToInterval </en-US/PR_MillisecondsToInterval>`__
+
+.. _nspr_io_layering:
+
+`NSPR I/O layering <#nspr_io_layering>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   NSPR file descriptors can be layered, corresponding to the layers in the network stack.  The SSL
+   library in NSS implements the SSL protocol as an NSPR I/O layer, which sits on top of another
+   NSPR I/O layer that represents TCP.
+
+   You can implement an NSPR I/O layer that wraps your own TCP socket code.  The following NSPR
+   functions allow you to create your own NSPR I/O layer and manipulate it.
+
+   -  `PR_GetUniqueIdentity </en-US/PR_GetUniqueIdentity>`__
+   -  `PR_CreateIOLayerStub </en-US/PR_CreateIOLayerStub>`__
+   -  `PR_GetDefaultIOMethods </en-US/PR_GetDefaultIOMethods>`__
+   -  `PR_GetIdentitiesLayer </en-US/PR_GetIdentitiesLayer>`__
+   -  `PR_GetLayersIdentity </en-US/PR_GetLayersIdentity>`__
+   -  `PR_PushIOLayer </en-US/PR_PushIOLayer>`__
+   -  `PR_PopIOLayer </en-US/PR_PopIOLayer>`__
+
+.. _wrapping_a_native_file_descriptor:
+
+`Wrapping a native file descriptor <#wrapping_a_native_file_descriptor>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   If your current TCP socket code uses the standard BSD socket API, a lighter-weight method than
+   creating your own NSPR I/O layer is to simply import a native file descriptor into NSPR.  This
+   method is convenient and works for most applications.
+
+   -  `PR_ImportTCPSocket </en-US/PR_ImportTCPSocket>`__
+
+.. _socket_io_functions:
+
+`Socket I/O functions <#socket_io_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   As mentioned above, the SSL library in NSS implements the SSL protocol as an NSPR I/O layer. 
+   Users call NSPR socket I/O functions to read from, write to, and shut down an SSL connection, and
+   to close an NSPR file descriptor.
+
+   -  `PR_Read </en-US/PR_Read>`__
+   -  `PR_Write </en-US/PR_Write>`__
+   -  `PR_Recv </en-US/PR_Recv>`__
+   -  `PR_Send </en-US/PR_Send>`__
+   -  `PR_GetSocketOption </en-US/PR_GetSocketOption>`__
+   -  `PR_SetSocketOption </en-US/PR_SetSocketOption>`__
+   -  `PR_Shutdown </en-US/PR_Shutdown>`__
+   -  `PR_Close </en-US/PR_Close>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_certificate_functions/index.rst b/security/nss/doc/rst/legacy/reference/nss_certificate_functions/index.rst
new file mode 100644
index 0000000000..01d694d49b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_certificate_functions/index.rst
@@ -0,0 +1,609 @@
+.. _mozilla_projects_nss_reference_nss_certificate_functions:
+
+NSS Certificate Functions
+=========================
+
+.. _certificate_functions:
+
+`Certificate Functions <#certificate_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   This chapter describes the functions and related types used to work with a certificate database
+   such as the cert8.db database provided with NSS. This was converted from `"Chapter 5: Certificate
+   Functions" <https://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslcrt.html>`__.
+
+   -  :ref:`mozilla_projects_nss_reference`
+   -  `Validating Certificates <NSS_Certificate_Functions#Validating_Certificates>`__
+   -  `Manipulating Certificates <NSS_Certificate_Functions#Manipulating_Certificates>`__
+   -  `Getting Certificate
+      Information <NSS_Certificate_Functions#Getting_Certificate_Information>`__
+   -  `Comparing SecItem Objects <NSS_Certificate_Functions#Comparing_SecItem_Objects>`__
+
+   .. rubric:: Validating Certificates
+      :name: validating_certificates
+
+   -  `CERT_VerifyCertNow <NSS_Certificate_Functions#CERT_VerifyCertNow>`__
+   -  `CERT_VerifyCert <NSS_Certificate_Functions#CERT_VerifyCert>`__
+   -  `CERT_VerifyCertName <NSS_Certificate_Functions#CERT_VerifyCertName>`__
+   -  `CERT_CheckCertValidTimes <NSS_Certificate_Functions#CERT_CheckCertValidTimes>`__
+   -  `NSS_CmpCertChainWCANames <NSS_Certificate_Functions#NSS_CmpCertChainWCANames>`__
+
+   .. rubric:: CERT_VerifyCertNow
+      :name: cert_verifycertnow
+
+   Checks that the current date is within the certificate's validity period and that the CA
+   signature on the certificate is valid.
+
+   .. rubric:: Syntax
+      :name: syntax
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      SECStatus CERT_VerifyCertNow(
+        CERTCertDBHandle *handle,
+        CERTCertificate *cert,
+        PRBool checkSig,
+        SECCertUsage certUsage,
+        void *wincx);
+
+   .. rubric:: Parameters
+      :name: parameters
+
+   This function has the following parameters:
+
+   *handle*\ A pointer to the certificate database handle.
+
+   *cert*\ A pointer to the certificate to be checked.
+
+   *checkSig*\ Indicates whether certificate signatures are to be checked.
+
+   -  PR_TRUE means certificate signatures are to be checked.
+   -  PR_FALSE means certificate signatures will not be checked.
+
+   *certUsage*\ One of these values:
+
+   -  certUsageSSLClient
+   -  certUsageSSLServer
+   -  certUsageSSLServerWithStepUp
+   -  certUsageSSLCA
+   -  certUsageEmailSigner
+   -  certUsageEmailRecipient
+   -  certUsageObjectSigner
+   -  certUsageUserCertImport
+   -  certUsageVerifyCA
+   -  certUsageProtectedObjectSigner
+
+   *wincx*\ The PIN argument value to pass to PK11 functions. See description below for more
+   information.
+
+   .. rubric:: Returns
+      :name: returns
+
+   The function returns one of these values:
+
+   -  If successful, SECSuccess.
+   -  If unsuccessful, SECFailure. Use PR_GetError to obtain the error code.
+
+   .. rubric:: Description
+      :name: description
+
+   The CERT_VerifyCertNow function must call one or more PK11 functions to obtain the services of a
+   PKCS #11 module. Some of the PK11 functions require a PIN argument (see SSL_SetPKCS11PinArg for
+   details), which must be specified in the wincx parameter. To obtain the value to pass in the
+   wincx parameter, call SSL_RevealPinArg.
+
+   .. rubric:: CERT_VerifyCert
+      :name: cert_verifycert
+
+   Checks that the a given aribrary date is within the certificate's validity period and that the CA
+   signature on the certificate is valid. It also optionally returns a log of all the problems with
+   the chain. Calling CERT_VerifyCert with the parameters: CERT_VerifyCert(handle, cert, checkSig,
+   certUsage, PR_Now(), wincx, NULL) is equivalent to calling CERT_VerifyNow(handle, cert, checkSig,
+   certUsage, wincx).
+
+   .. rubric:: Syntax
+      :name: syntax_2
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      SECStatus CERT_VerifyCert(
+        CERTCertDBHandle *handle,
+        CERTCertificate *cert,
+        PRBool checkSig,
+        SECCertUsage certUsage,
+        int 64 t,
+        void *wincx
+        CERTVerifyLog *log);
+
+   .. rubric:: Parameters
+      :name: parameters_2
+
+   This function has the following parameters:
+
+   *handle*\ A pointer to the certificate database handle.
+
+   *cert*\ A pointer to the certificate to be checked.
+
+   *checkSig*\ Indicates whether certificate signatures are to be checked.
+
+   -  PR_TRUE means certificate signatures are to be checked.
+   -  PR_FALSE means certificate signatures will not be checked.
+
+   *certUsage*\ One of these values:
+
+   -  certUsageSSLClient
+   -  certUsageSSLServer
+   -  certUsageSSLServerWithStepUp
+   -  certUsageSSLCA
+   -  certUsageEmailSigner
+   -  certUsageEmailRecipient
+   -  certUsageObjectSigner
+   -  certUsageUserCertImport
+   -  certUsageVerifyCA
+   -  certUsageProtectedObjectSigner
+
+   *t*\ Time in which to validate the certificate.
+
+   *wincx*\ The PIN argument value to pass to PK11 functions. See description below for more
+   information.
+
+   *log*\ Optional certificate log which returns all the errors in processing a given certificate
+   chain. See :ref:`mozilla_projects_nss_certverify_log` for more information.
+
+   .. rubric:: Returns
+      :name: returns_2
+
+   The function returns one of these values:
+
+   -  If successful, SECSuccess.
+   -  If unsuccessful, SECFailure. Use PR_GetError to obtain the error code.
+
+   .. rubric:: Description
+      :name: description_2
+
+   The CERT_VerifyCert function must call one or more PK11 functions to obtain the services of a
+   PKCS #11 module. Some of the PK11 functions require a PIN argument (see SSL_SetPKCS11PinArg for
+   details), which must be specified in the wincx parameter. To obtain the value to pass in the
+   wincx parameter, call SSL_RevealPinArg.
+
+   .. rubric:: CERT_VerifyCertName
+      :name: cert_verifycertname
+
+   Compares the common name specified in the subject DN for a certificate with a specified hostname.
+
+   .. rubric:: Syntax
+      :name: syntax_3
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      SECStatus CERT_VerifyCertName(
+        CERTCertificate *cert,
+        char *hostname);
+
+   .. rubric:: Parameters
+      :name: parameters_3
+
+   This function has the following parameters:
+
+   *cert*\ A pointer to the certificate against which to check the hostname referenced by hostname.
+
+   *hostname*\ The hostname to be checked.
+
+   .. rubric:: Returns
+      :name: returns_3
+
+   The function returns one of these values:
+
+   -  If the common name in the subject DN for the certificate matches the domain name passed in the
+      hostname parameter, SECSuccess.
+   -  If the common name in the subject DN for the certificate is not identical to the domain name
+      passed in the hostname parameter, SECFailure. Use PR_GetError to obtain the error code.
+
+   .. rubric:: Description
+      :name: description_3
+
+   The comparison performed by CERT_VerifyCertName is not a simple string comparison. Instead, it
+   takes account of the following rules governing the construction of common names in SSL server
+   certificates:
+
+   -  \* matches anything
+   -   ? matches one character
+   -  \\ escapes a special character
+   -  $ matches the end of the string
+   -  [abc] matches one occurrence of a, b, or c. The only character that needs to be escaped in
+      this is ], all others are not special.
+   -  [a-z] matches any character between a and z
+   -  [^az] matches any character except a or z
+   -  ~ followed by another shell expression removes any pattern matching the shell expression from
+      the match list
+   -  (foo|bar) matches either the substring foo or the substring bar. These can be shell
+      expressions as well.
+
+   .. rubric:: CERT_CheckCertValidTimes
+      :name: cert_checkcertvalidtimes
+
+   Checks whether a specified time is within a certificate's validity period.
+
+   .. rubric:: Syntax
+      :name: syntax_4
+
+   .. code::
+
+      #include <cert.h>
+      #include <certt.h>
+
+   .. code::
+
+      SECCertTimeValidity CERT_CheckCertValidTimes(
+        CERTCertificate *cert,
+        int64 t);
+
+   .. rubric:: Parameters
+      :name: parameters_4
+
+   This function has the following parameters:
+
+   *cert*\ A pointer to the certificate whose validity period you want to check against.
+
+   *t*\ The time to check against the certificate's validity period. For more information, see the
+   NSPR header pr_time.h.
+
+   .. rubric:: Returns
+      :name: returns_4
+
+   The function returns an enumerator of type SECCertTimeValidity:
+
+   .. code::
+
+      typedef enum {
+        secCertTimeValid,
+        secCertTimeExpired,
+        secCertTimeNotValidYet
+      } SECCertTimeValidity;
+
+   .. rubric:: NSS_CmpCertChainWCANames
+      :name: nss_cmpcertchainwcanames
+
+   Determines whether any of the signers in the certificate chain for a specified certificate are on
+   a specified list of CA names.
+
+   .. rubric:: Syntax
+      :name: syntax_5
+
+   .. code::
+
+      #include <nss.h>
+
+      SECStatus NSS_CmpCertChainWCANames(
+        CERTCertificate *cert,
+        CERTDistNames *caNames);
+
+   .. rubric:: Parameters
+      :name: parameters_5
+
+   This function has the following parameters:
+
+   *cert*\ A pointer to the certificate structure for the certificate whose certificate chain is to
+   be checked.
+
+   *caNames*\ A pointer to a structure that contains a list of distinguished names (DNs) against
+   which to check the DNs for the signers in the certificate chain.
+
+   .. rubric:: Returns
+      :name: returns_5
+
+   The function returns one of these values:
+
+   -  If successful, SECSuccess.
+   -  If unsuccessful, SECFailure. Use PR_GetError to obtain the error code.
+
+   .. rubric:: Manipulating Certificates
+      :name: manipulating_certificates
+
+   -  `CERT_DupCertificate <#cert_dupcertificate>`__
+   -  `CERT_DestroyCertificate <#cert_destroycertificate>`__
+
+   .. rubric:: CERT_DupCertificate
+      :name: cert_dupcertificate
+
+   Makes a shallow copy of a specified certificate.
+
+   .. rubric:: Syntax
+      :name: syntax_6
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      CERTCertificate *CERT_DupCertificate(CERTCertificate *c)
+
+   .. rubric:: Parameter
+      :name: parameter
+
+   This function has the following parameter:
+
+   *c*\ A pointer to the certificate object to be duplicated.
+
+   .. rubric:: Returns
+      :name: returns_6
+
+   If successful, the function returns a pointer to a certificate object of type CERTCertificate.
+
+   .. rubric:: Description
+      :name: description_4
+
+   The CERT_DupCertificate function increments the reference count for the certificate passed in the
+   c parameter.
+
+   .. rubric:: CERT_DestroyCertificate
+      :name: cert_destroycertificate
+
+   Destroys a certificate object.
+
+   .. rubric:: Syntax
+      :name: syntax_7
+
+   .. code::
+
+      #include <cert.h>
+      #include <certt.h>
+
+   .. code::
+
+      void CERT_DestroyCertificate(CERTCertificate *cert);
+
+   .. rubric:: Parameters
+      :name: parameters_6
+
+   This function has the following parameter:
+
+   *cert*\ A pointer to the certificate to destroy.
+
+   .. rubric:: Description
+      :name: description_5
+
+   Certificate and key structures are shared objects. When an application makes a copy of a
+   particular certificate or key structure that already exists in memory, SSL makes a shallow
+   copy--that is, it increments the reference count for that object rather than making a whole new
+   copy. When you call CERT_DestroyCertificate or SECKEY_DestroyPrivateKey, the function decrements
+   the reference count and, if the reference count reaches zero as a result, both frees the memory
+   and sets all the bits to zero. The use of the word "destroy" in function names or in the
+   description of a function implies reference counting.
+
+   Never alter the contents of a certificate or key structure. If you attempt to do so, the change
+   affects all the shallow copies of that structure and can cause severe problems.
+
+   .. rubric:: Getting Certificate Information
+      :name: getting_certificate_information
+
+   -  `CERT_FindCertByName <#cert_findcertbyname>`__
+   -  `CERT_GetCertNicknames <#cert_getcertnicknames>`__
+   -  `CERT_FreeNicknames <#cert_freenicknames>`__
+   -  `CERT_GetDefaultCertDB <#cert_getdefaultcertdb>`__
+   -  `NSS_FindCertKEAType <#nss_findcertkeatype>`__
+
+   .. rubric:: CERT_FindCertByName
+      :name: cert_findcertbyname
+
+   Finds the certificate in the certificate database with a specified DN.
+
+   .. rubric:: Syntax
+      :name: syntax_8
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      CERTCertificate *CERT_FindCertByName (
+        CERTCertDBHandle *handle,
+        SECItem *name);
+
+   .. rubric:: Parameters
+      :name: parameters_7
+
+   This function has the following parameters:
+
+   *handle*\ A pointer to the certificate database handle.
+
+   *name*\ The subject DN of the certificate you wish to find.
+
+   .. rubric:: Returns
+      :name: returns_7
+
+   If successful, the function returns a certificate object of type CERTCertificate.
+
+   .. rubric:: CERT_GetCertNicknames
+      :name: cert_getcertnicknames
+
+   Returns the nicknames of the certificates in a specified certificate database.
+
+   .. rubric:: Syntax
+      :name: syntax_9
+
+   .. code::
+
+      #include <cert.h>
+      #include <certt.h>
+
+   .. code::
+
+      CERTCertNicknames *CERT_GetCertNicknames (
+        CERTCertDBHandle *handle,
+        int what,
+        void *wincx);
+
+   .. rubric:: Parameters
+      :name: parameters_8
+
+   This function has the following parameters:
+
+   *handle*\ A pointer to the certificate database handle.
+
+   *what*\ One of these values:
+
+   -  SEC_CERT_NICKNAMES_ALL
+   -  SEC_CERT_NICKNAMES_USER
+   -  SEC_CERT_NICKNAMES_SERVER
+   -  SEC_CERT_NICKNAMES_CA
+
+   *wincx*\ The PIN argument value to pass to PK11 functions. See description below for more
+   information.
+
+   .. rubric:: Returns
+      :name: returns_8
+
+   The function returns a CERTCertNicknames object containing the requested nicknames.
+
+   .. rubric:: Description
+      :name: description_6
+
+   CERT_GetCertNicknames must call one or more PK11 functions to obtain the services of a PKCS #11
+   module. Some of the PK11 functions require a PIN argument (see SSL_SetPKCS11PinArg for details),
+   which must be specified in the wincx parameter. To obtain the value to pass in the wincx
+   parameter, call SSL_RevealPinArg.
+
+   .. rubric:: CERT_FreeNicknames
+      :name: cert_freenicknames
+
+   Frees a CERTCertNicknames structure. This structure is returned by CERT_GetCertNicknames.
+
+   .. rubric:: Syntax
+      :name: syntax_10
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      void CERT_FreeNicknames(CERTCertNicknames *nicknames);
+
+   .. rubric:: Parameters
+      :name: parameters_9
+
+   This function has the following parameter:
+
+   *nicknames*\ A pointer to the CERTCertNicknames structure to be freed.
+
+   .. rubric:: CERT_GetDefaultCertDB
+      :name: cert_getdefaultcertdb
+
+   Returns a handle to the default certificate database.
+
+   .. rubric:: Syntax
+      :name: syntax_11
+
+   .. code::
+
+      #include <cert.h>
+
+   .. code::
+
+      CERTCertDBHandle *CERT_GetDefaultCertDB(void);
+
+   .. rubric:: Returns
+      :name: returns_9
+
+   The function returns the CERTCertDBHandle for the default certificate database.
+
+   .. rubric:: Description
+      :name: description_7
+
+   This function is useful for determining whether the default certificate database has been opened.
+
+   .. rubric:: NSS_FindCertKEAType
+      :name: nss_findcertkeatype
+
+   Returns key exchange type of the keys in an SSL server certificate.
+
+   .. rubric:: Syntax
+      :name: syntax_12
+
+   .. code::
+
+      #include <nss.h>
+
+   .. code::
+
+      SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
+
+   .. rubric:: Parameter
+      :name: parameter_2
+
+   This function has the following parameter:
+
+   *a*\ The certificate to check.
+
+   .. rubric:: Returns
+      :name: returns_10
+
+   The function returns one of these values:
+
+   -  kt_null = 0
+   -  kt_rsa
+   -  kt_dh
+   -  kt_fortezza
+   -  kt_kea_size
+
+   .. rubric:: Comparing SecItem Objects
+      :name: comparing_secitem_objects
+
+   .. rubric:: SECITEM_CompareItem
+      :name: secitem_compareitem
+
+   Compares two SECItem objects and returns a SECComparison enumerator that shows the difference
+   between them.
+
+   .. rubric:: Syntax
+      :name: syntax_13
+
+   .. code::
+
+      #include <secitem.h>
+      #include <seccomon.h>
+
+   .. code::
+
+      SECComparison SECITEM_CompareItem(
+        SECItem *a,
+        SECItem *b);
+
+   .. rubric:: Parameters
+      :name: parameters_10
+
+   This function has the following parameters:
+
+   *a*\ A pointer to one of the items to be compared.
+
+   *b*\ A pointer to one of the items to be compared.
+
+   .. rubric:: Returns
+      :name: returns_11
+
+   The function returns an enumerator of type SECComparison.
+
+   .. code::
+
+      typedef enum _SECComparison {
+        SECLessThan                = -1,
+        SECEqual                = 0,
+        SECGreaterThan = 1
+      } SECComparison;
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_cryptographic_module/fips_mode_of_operation/index.rst b/security/nss/doc/rst/legacy/reference/nss_cryptographic_module/fips_mode_of_operation/index.rst
new file mode 100644
index 0000000000..4d18113f53
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_cryptographic_module/fips_mode_of_operation/index.rst
@@ -0,0 +1,190 @@
+.. _mozilla_projects_nss_reference_nss_cryptographic_module_fips_mode_of_operation:
+
+FIPS mode of operation
+======================
+
+.. _general-purpose_functions:
+
+`General-purpose functions <#general-purpose_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_getfunctionlist`
+   -  :ref:`mozilla_projects_nss_reference_fc_initialize`
+   -  :ref:`mozilla_projects_nss_reference_fc_finalize`
+   -  :ref:`mozilla_projects_nss_reference_fc_getinfo`
+
+.. _slot_and_token_management_functions:
+
+`Slot and token management functions <#slot_and_token_management_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_getslotlist`
+   -  :ref:`mozilla_projects_nss_reference_fc_getslotinfo`
+   -  :ref:`mozilla_projects_nss_reference_fc_gettokeninfo`
+   -  :ref:`mozilla_projects_nss_reference_fc_waitforslotevent`
+   -  :ref:`mozilla_projects_nss_reference_fc_getmechanismlist`
+   -  :ref:`mozilla_projects_nss_reference_fc_getmechanisminfo`
+   -  :ref:`mozilla_projects_nss_reference_fc_inittoken`
+   -  :ref:`mozilla_projects_nss_reference_fc_initpin`
+   -  :ref:`mozilla_projects_nss_reference_fc_setpin`
+
+.. _session_management_functions:
+
+`Session management functions <#session_management_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_opensession`
+   -  :ref:`mozilla_projects_nss_reference_fc_closesession`
+   -  :ref:`mozilla_projects_nss_reference_fc_closeallsessions`
+   -  :ref:`mozilla_projects_nss_reference_fc_getsessioninfo`
+   -  :ref:`mozilla_projects_nss_reference_fc_getoperationstate`
+   -  :ref:`mozilla_projects_nss_reference_fc_setoperationstate`
+   -  :ref:`mozilla_projects_nss_reference_fc_login`
+   -  :ref:`mozilla_projects_nss_reference_fc_logout`
+
+.. _object_management_functions:
+
+`Object management functions <#object_management_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These functions manage certificates and keys.
+
+   -  :ref:`mozilla_projects_nss_reference_fc_createobject`
+   -  :ref:`mozilla_projects_nss_reference_fc_copyobject`
+   -  :ref:`mozilla_projects_nss_reference_fc_destroyobject`
+   -  :ref:`mozilla_projects_nss_reference_fc_getobjectsize`
+   -  :ref:`mozilla_projects_nss_reference_fc_getattributevalue`
+   -  :ref:`mozilla_projects_nss_reference_fc_setattributevalue`
+   -  :ref:`mozilla_projects_nss_reference_fc_findobjectsinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_findobjects`
+   -  :ref:`mozilla_projects_nss_reference_fc_findobjectsfinal`
+
+.. _encryption_functions:
+
+`Encryption functions <#encryption_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These functions support Triple DES and AES in ECB and CBC modes.
+
+   -  :ref:`mozilla_projects_nss_reference_fc_encryptinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_encrypt`
+   -  :ref:`mozilla_projects_nss_reference_fc_encryptupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_encryptfinal`
+
+.. _decryption_functions:
+
+`Decryption functions <#decryption_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These functions support Triple DES and AES in ECB and CBC modes.
+
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_decrypt`
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptfinal`
+
+.. _message_digesting_functions:
+
+`Message digesting functions <#message_digesting_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These functions support SHA-1, SHA-256, SHA-384, and SHA-512.
+
+   -  :ref:`mozilla_projects_nss_reference_fc_digestinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_digest`
+   -  :ref:`mozilla_projects_nss_reference_fc_digestupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_digestkey`
+   -  :ref:`mozilla_projects_nss_reference_fc_digestfinal`
+
+.. _signature_and_mac_generation_functions:
+
+`Signature and MAC generation functions <#signature_and_mac_generation_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These functions support DSA, RSA, ECDSA, and HMAC.
+
+   -  :ref:`mozilla_projects_nss_reference_fc_signinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_sign`
+   -  :ref:`mozilla_projects_nss_reference_fc_signupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_signfinal`
+   -  :ref:`mozilla_projects_nss_reference_fc_signrecoverinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_signrecover`
+
+.. _signature_and_mac_verification_functions:
+
+`Signature and MAC verification functions <#signature_and_mac_verification_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These functions support DSA, RSA, ECDSA, and HMAC.
+
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_verify`
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyfinal`
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyrecoverinit`
+   -  :ref:`mozilla_projects_nss_reference_fc_verifyrecover`
+
+.. _dual-function_cryptographic_functions:
+
+`Dual-function cryptographic functions <#dual-function_cryptographic_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_digestencryptupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptdigestupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_signencryptupdate`
+   -  :ref:`mozilla_projects_nss_reference_fc_decryptverifyupdate`
+
+.. _key_management_functions:
+
+`Key management functions <#key_management_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_generatekey`: DSA domain parameters (PQG)
+   -  :ref:`mozilla_projects_nss_reference_fc_generatekeypair`: DSA, RSA, and ECDSA. Performs
+      pair-wise consistency test.
+   -  :ref:`mozilla_projects_nss_reference_fc_wrapkey`: RSA Key Wrapping
+   -  :ref:`mozilla_projects_nss_reference_fc_unwrapkey`: RSA Key Wrapping
+   -  :ref:`mozilla_projects_nss_reference_fc_derivekey`: Diffie-Hellman, EC Diffie-Hellman
+
+.. _random_number_generation_functions:
+
+`Random number generation functions <#random_number_generation_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_seedrandom`
+   -  :ref:`mozilla_projects_nss_reference_fc_generaterandom`: Performs continuous random number
+      generator test.
+
+.. _parallel_function_management_functions:
+
+`Parallel function management functions <#parallel_function_management_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  :ref:`mozilla_projects_nss_reference_fc_getfunctionstatus`
+   -  :ref:`mozilla_projects_nss_reference_fc_cancelfunction`
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_cryptographic_module/index.rst b/security/nss/doc/rst/legacy/reference/nss_cryptographic_module/index.rst
new file mode 100644
index 0000000000..f413798bac
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_cryptographic_module/index.rst
@@ -0,0 +1,29 @@
+.. _mozilla_projects_nss_reference_nss_cryptographic_module:
+
+NSS cryptographic module
+========================
+
+.. container::
+
+   This chapter describes the data types and functions that one can use to perform cryptographic
+   operations with the NSS cryptographic module. The NSS cryptographic module uses the industry
+   standard `PKCS #11 <http://www.rsasecurity.com/rsalabs/node.asp?id=2133>`__ v2.20 as its API with
+   some extensions. Therefore, an application that supports PKCS #11 cryptographic tokens can be
+   easily modified to use the NSS cryptographic module.
+
+   The NSS cryptographic module has two modes of operation: the non-FIPS (default) mode and FIPS
+   mode. The FIPS mode is an Approved mode of operation compliant to FIPS 140-2. Both modes of
+   operation use the same data types but are implemented by different functions.
+
+   -  The standard PKCS #11 function C_GetFunctionList or the equivalent NSC_GetFunctionList
+      function returns pointers to the functions that implement the default mode of operation.
+   -  To enable the FIPS mode of operation, use the function FC_GetFunctionList instead to get
+      pointers to the functions that implement the FIPS mode of operation.
+
+   The NSS cryptographic module also exports the function NSC_ModuleDBFunc for managing the NSS
+   module database secmod.db. The following sections document the data types and functions.
+
+   -  :ref:`mozilla_projects_nss_reference_nss_cryptographic_module_data_types`
+   -  :ref:`mozilla_projects_nss_pkcs11_functions`
+   -  :ref:`mozilla_projects_nss_reference_nss_cryptographic_module_fips_mode_of_operation`
+   -  NSC_ModuleDBFunc
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_environment_variables/index.rst b/security/nss/doc/rst/legacy/reference/nss_environment_variables/index.rst
new file mode 100644
index 0000000000..2482565967
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_environment_variables/index.rst
@@ -0,0 +1,515 @@
+.. _mozilla_projects_nss_reference_nss_environment_variables:
+
+NSS environment variables
+=========================
+
+.. container::
+
+   .. note::
+
+      **Note: NSS Environment Variables are subject to be changed and/or removed from NSS.**
+
+.. _run-time_environment_variables:
+
+`Run-Time Environment Variables <#run-time_environment_variables>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a
+   separate set of environment variables that affect how NSS is built, documented below.
+
+   +------------------------+------------------------+------------------------+------------------------+
+   | Variable               | Type                   | Description            | Introduced in version  |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSRANDCOUNT``        | Integer                | Sets the maximum       | 3.12.3                 |
+   |                        | (byte count)           | number of bytes to     |                        |
+   |                        |                        | read from the file     |                        |
+   |                        |                        | named in the           |                        |
+   |                        |                        | environment variable   |                        |
+   |                        |                        | NSRANDFILE (see        |                        |
+   |                        |                        | below).  Makes         |                        |
+   |                        |                        | NSRANDFILE usable with |                        |
+   |                        |                        | /dev/urandom.          |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSRANDFILE``         | String                 | Uses this file to seed | Before 3.0             |
+   |                        | (file name)            | the Pseudo Random      |                        |
+   |                        |                        | Number Generator.      |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_ALLO             | Boolean                | Enables the use of MD2 | 3.12.3                 |
+   | W_WEAK_SIGNATURE_ALG`` | (any non-empty value   | and MD4 inside         |                        |
+   |                        | to enable)             | signatures. This was   |                        |
+   |                        |                        | allowed by default     |                        |
+   |                        |                        | before NSS 3.12.3.     |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS                  | String                 | Name the PKCS#11       | 3.6                    |
+   | _DEBUG_PKCS11_MODULE`` | (module name)          | module to be traced.   |                        |
+   |                        |                        | :ref:`mozilla          |                        |
+   |                        |                        | _projects_nss_nss_tech |                        |
+   |                        |                        | _notes_nss_tech_note2` |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | `                      | String                 | Determines the default | 3.12                   |
+   | `NSS_DEFAULT_DB_TYPE`` | ("dbm", "sql", or      | Database type to open  |                        |
+   |                        | "extern")              | if the app does not    |                        |
+   |                        |                        | specify.               |                        |
+   |                        |                        | `NSS_Shared_D          |                        |
+   |                        |                        | B <http://wiki.mozilla |                        |
+   |                        |                        | .org/NSS_Shared_DB>`__ |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_DIS              | String                 | Define this variable   | 3.4                    |
+   | ABLE_ARENA_FREE_LIST`` | (any non-empty value)  | to get accurate leak   |                        |
+   |                        |                        | allocation stacks when |                        |
+   |                        |                        | using leak reporting   |                        |
+   |                        |                        | software.              |                        |
+   |                        |                        | :                      |                        |
+   |                        |                        | ref:`mozilla_projects_ |                        |
+   |                        |                        | nss_memory_allocation` |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_DISABLE_UNLOAD`` | String                 | Disable unloading of   | 3.11.8                 |
+   |                        | (any non-empty value)  | dynamically loaded NSS |                        |
+   |                        |                        | shared libraries       |                        |
+   |                        |                        | during shutdown.       |                        |
+   |                        |                        | Necessary on some      |                        |
+   |                        |                        | platforms to get       |                        |
+   |                        |                        | correct function names |                        |
+   |                        |                        | when using leak        |                        |
+   |                        |                        | reporting software.    |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_ENABLE_AUDIT``   | Boolean                | Enable auditing of     | 3.11.2                 |
+   |                        | (1 to enable)          | activities of the NSS  |                        |
+   |                        |                        | cryptographic module   |                        |
+   |                        |                        | in FIPS mode. `Audit   |                        |
+   |                        |                        | Data <http://wiki.     |                        |
+   |                        |                        | mozilla.org/FIPS_Opera |                        |
+   |                        |                        | tional_Environment>`__ |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NS                   | Boolean                | Use libPKIX, rather    | 3.12                   |
+   | S_ENABLE_PKIX_VERIFY`` | (any non-empty value   | than the old cert      |                        |
+   |                        | to enable)             | library, to verify     |                        |
+   |                        |                        | certificates.          |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_FIPS``           | String                 | Will start NSS in FIPS | 3.12.5                 |
+   |                        | ("                     | mode.                  |                        |
+   |                        | fips","true","on","1") |                        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``                     | String                 | Specifies agorithms    | 3.12.3                 |
+   | NSS_HASH_ALG_SUPPORT`` |                        | allowed to be used in  |                        |
+   |                        |                        | certain applications,  |                        |
+   |                        |                        | such as in signatures  |                        |
+   |                        |                        | on certificates and    |                        |
+   |                        |                        | CRLs. See              |                        |
+   |                        |                        | documentation at `this |                        |
+   |                        |                        | link <https://bugzill  |                        |
+   |                        |                        | a.mozilla.org/show_bug |                        |
+   |                        |                        | .cgi?id=483113#c0>`__. |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_OUTPUT_FILE``    | String                 | Output file path name  | 3.7                    |
+   |                        | (filename)             | for the                |                        |
+   |                        |                        | :ref:`mozilla_         |                        |
+   |                        |                        | projects_nss_nss_tech_ |                        |
+   |                        |                        | notes_nss_tech_note2`. |                        |
+   |                        |                        | Default is stdout.     |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_SDB_USE_CACHE``  | String                 | Controls whether NSS   | 3.12                   |
+   |                        | ("no","yes","auto")    | uses a local cache of  |                        |
+   |                        |                        | SQL database contents. |                        |
+   |                        |                        | Default is "auto". See |                        |
+   |                        |                        | `the                   |                        |
+   |                        |                        | source <http://bonsai  |                        |
+   |                        |                        | .mozilla.org/cvsblame. |                        |
+   |                        |                        | cgi?file=/mozilla/secu |                        |
+   |                        |                        | rity/nss/lib/softoken/ |                        |
+   |                        |                        | sdb.c&rev=1.6#1797>`__ |                        |
+   |                        |                        | for more information.  |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | `NS                    | String ("0", "1")      | Controls the           |                        |
+   | S_SSL_CBC_RANDOM_IV <h |                        | workaround for the     |                        |
+   | ttps://dxr.mozilla.org |                        | `BEAST <https          |                        |
+   | /security/search?q=NSS |                        | ://en.wikipedia.org/wi |                        |
+   | _SSL_CBC_RANDOM_IV>`__ |                        | ki/Transport_Layer_Sec |                        |
+   |                        |                        | urity#BEAST_attack>`__ |                        |
+   |                        |                        | attack on SSL 3.0 and  |                        |
+   |                        |                        | TLS 1.0. "0" disables  |                        |
+   |                        |                        | it, "1" enables it. It |                        |
+   |                        |                        | is also known as 1/n-1 |                        |
+   |                        |                        | record splitting.      |                        |
+   |                        |                        | Default is "1".        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_SSL_             | String                 | (Definition for NSS    | 3.12.5                 |
+   | ENABLE_RENEGOTIATION`` | ([0|n|N],              | 3.12.6 and above)      | Modified in 3.12.6     |
+   |                        | [1|u|U],               | Sets how TLS           |                        |
+   |                        | [2|r|R],               | renegotiation is       |                        |
+   |                        | [3|t|T])               | handled                |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | -  [1|u|U]:            |                        |
+   |                        |                        |    SSL_RE              |                        |
+   |                        |                        | NEGOTIATE_UNRESTRICTED |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | | Server and client    |                        |
+   |                        |                        |   are allowed to       |                        |
+   |                        |                        |   renegotiate without  |                        |
+   |                        |                        |   any restrictions.    |                        |
+   |                        |                        | | This setting was the |                        |
+   |                        |                        |   default prior 3.12.5 |                        |
+   |                        |                        |   and makes products   |                        |
+   |                        |                        |   vulnerable.          |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | -  [0|n|N]:            |                        |
+   |                        |                        |                        |                        |
+   |                        |                        |  SSL_RENEGOTIATE_NEVER |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | Never allow            |                        |
+   |                        |                        | renegotiation - That   |                        |
+   |                        |                        | was the default for    |                        |
+   |                        |                        | 3.12.5 release.        |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | -  [3|t|T]:            |                        |
+   |                        |                        |    SSL_RE              |                        |
+   |                        |                        | NEGOTIATE_TRANSITIONAL |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | Disallows unsafe       |                        |
+   |                        |                        | renegotiation in       |                        |
+   |                        |                        | server sockets only,   |                        |
+   |                        |                        | but allows clients to  |                        |
+   |                        |                        | continue to            |                        |
+   |                        |                        | renegotiate with       |                        |
+   |                        |                        | vulnerable servers.    |                        |
+   |                        |                        | This value should only |                        |
+   |                        |                        | be used during the     |                        |
+   |                        |                        | transition period when |                        |
+   |                        |                        | few servers have been  |                        |
+   |                        |                        | upgraded.              |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | -  [2|r|R]:            |                        |
+   |                        |                        |    SSL_RE              |                        |
+   |                        |                        | NEGOTIATE_REQUIRES_XTN |                        |
+   |                        |                        |    (default)           |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | | Only allows          |                        |
+   |                        |                        |   renegotiation if the |                        |
+   |                        |                        |   peer's hello bears   |                        |
+   |                        |                        |   the TLS              |                        |
+   |                        |                        |   renegotiation_info   |                        |
+   |                        |                        |   extension.           |                        |
+   |                        |                        | | This is the safe     |                        |
+   |                        |                        |   renegotiation.       |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_SSL_REQU         | Boolean                | It controls whether    | 3.12.5                 |
+   | IRE_SAFE_NEGOTIATION`` | (1 to enable)          | safe renegotiation     |                        |
+   |                        |                        | indication is required |                        |
+   |                        |                        | for initial handshake. |                        |
+   |                        |                        | In other words a       |                        |
+   |                        |                        | connection will be     |                        |
+   |                        |                        | dropped at initial     |                        |
+   |                        |                        | handshake if a server  |                        |
+   |                        |                        | or client do not       |                        |
+   |                        |                        | support safe           |                        |
+   |                        |                        | renegotiation. The     |                        |
+   |                        |                        | default setting for    |                        |
+   |                        |                        | this option is FALSE.  |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_SSL_SERVER       | Integer                | Timeout time to detect | 3.4                    |
+   | _CACHE_MUTEX_TIMEOUT`` | (seconds)              | dead or hung process   |                        |
+   |                        |                        | in multi-process SSL   |                        |
+   |                        |                        | server. Default is 30  |                        |
+   |                        |                        | seconds.               |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_STRICT_NOFORK``  | String                 | It is an error to try  | 3.12.3                 |
+   |                        | ("1",                  | to use a PKCS#11       |                        |
+   |                        | "DISABLED",            | crypto module in a     |                        |
+   |                        | or any other non-empty | process before it has  |                        |
+   |                        | value)                 | been initialized in    |                        |
+   |                        |                        | that process, even if  |                        |
+   |                        |                        | the module was         |                        |
+   |                        |                        | initialized in the     |                        |
+   |                        |                        | parent process.        |                        |
+   |                        |                        | Beginning in NSS       |                        |
+   |                        |                        | 3.12.3, Softoken will  |                        |
+   |                        |                        | detect this error.     |                        |
+   |                        |                        | This environment       |                        |
+   |                        |                        | variable controls      |                        |
+   |                        |                        | Softoken's response to |                        |
+   |                        |                        | that error.            |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | -  If set to "1" or    |                        |
+   |                        |                        |    unset, Softoken     |                        |
+   |                        |                        |    will trigger an     |                        |
+   |                        |                        |    assertion failure   |                        |
+   |                        |                        |    in debug builds,    |                        |
+   |                        |                        |    and will report an  |                        |
+   |                        |                        |    error in non-DEBUG  |                        |
+   |                        |                        |    builds.             |                        |
+   |                        |                        | -  If set  to          |                        |
+   |                        |                        |    "DISABLED",         |                        |
+   |                        |                        |    Softoken will       |                        |
+   |                        |                        |    ignore forks, and   |                        |
+   |                        |                        |    behave as it did in |                        |
+   |                        |                        |    older versions.     |                        |
+   |                        |                        | -  If set to any other |                        |
+   |                        |                        |    non-empty value,    |                        |
+   |                        |                        |    Softoken will       |                        |
+   |                        |                        |    report an error in  |                        |
+   |                        |                        |    both DEBUG and      |                        |
+   |                        |                        |    non-DEBUG builds.   |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | `                      | String                 | will trigger an        | 3.5                    |
+   | `NSS_STRICT_SHUTDOWN`` | (any non-empty value)  | assertion failure in   |                        |
+   |                        |                        | debug builds when a    |                        |
+   |                        |                        | program tries to       |                        |
+   |                        |                        | shutdown NSS before    |                        |
+   |                        |                        | freeing all the        |                        |
+   |                        |                        | resources it acquired  |                        |
+   |                        |                        | from NSS while NSS was |                        |
+   |                        |                        | initialized.           |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_TRACE_OCSP``     | Boolean                | Enables OCSP tracing.  | 3.12                   |
+   |                        | (any value to enable)  | The trace information  |                        |
+   |                        |                        | is written to the file |                        |
+   |                        |                        | pointed by             |                        |
+   |                        |                        | NSPR_LOG_FILE (default |                        |
+   |                        |                        | stderr). See `NSS      |                        |
+   |                        |                        | trac                   |                        |
+   |                        |                        | ing <http://wiki.mozil |                        |
+   |                        |                        | la.org/NSS:Tracing>`__ |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_USE_             | Boolean                | Tells NSS to send EC   | 3.12.3                 |
+   | DECODED_CKA_EC_POINT`` | (any value to enable)  | key points across the  |                        |
+   |                        |                        | PKCS#11 interface in   |                        |
+   |                        |                        | the non-standard       |                        |
+   |                        |                        | unencoded format that  |                        |
+   |                        |                        | was used by default    |                        |
+   |                        |                        | before NSS 3.12.3.     |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_US               | Boolean                | Tells NSS to allow     | 3.12.3                 |
+   | E_SHEXP_IN_CERT_NAME`` | (any value to enable)  | shell-style wildcard   |                        |
+   |                        |                        | patterns in            |                        |
+   |                        |                        | certificates to match  |                        |
+   |                        |                        | SSL server host names. |                        |
+   |                        |                        | This behavior was the  |                        |
+   |                        |                        | default before NSS     |                        |
+   |                        |                        | 3.12.3.                |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``PKIX_OBJECT_LEA      | String                 | Debug variable for     | 3.12                   |
+   | K_TEST_ABORT_ON_LEAK`` | (any non-empty value)  | PKIX leak checking.    |                        |
+   |                        |                        | Note: *The code must   |                        |
+   |                        |                        | be built with          |                        |
+   |                        |                        | PKIX_OBJECT_LEAK_TEST  |                        |
+   |                        |                        | defined to use this    |                        |
+   |                        |                        | functionality.*        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SOCKETTRACE``        | Boolean                | Controls tracing of    | 3.12                   |
+   |                        | (1 to enable)          | socket activity by     |                        |
+   |                        |                        | libPKIX. Messages sent |                        |
+   |                        |                        | and received will be   |                        |
+   |                        |                        | timestamped and dumped |                        |
+   |                        |                        | (to stdout) in         |                        |
+   |                        |                        | standard hex-dump      |                        |
+   |                        |                        | format.                |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SQLITE               | Boolean                | 1 means force always   | 3.12.6                 |
+   | _FORCE_PROXY_LOCKING`` | (1 to enable)          | use proxy, 0 means     |                        |
+   |                        |                        | never use proxy, NULL  |                        |
+   |                        |                        | means use proxy for    |                        |
+   |                        |                        | non-local files only.  |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SSLBYPASS``          | Boolean                | Uses PKCS#11 bypass    | 3.11                   |
+   |                        | (1 to enable)          | for performance        |                        |
+   |                        |                        | improvement.           |                        |
+   |                        |                        | Do not set this        |                        |
+   |                        |                        | variable if FIPS is    |                        |
+   |                        |                        | enabled.               |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SSLDEBUG``           | Integer                | Debug level            | Before 3.0             |
+   |                        |                        | Note: *The code must   |                        |
+   |                        |                        | be built with DEBUG    |                        |
+   |                        |                        | defined to use this    |                        |
+   |                        |                        | functionality.*        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SSLDEBUGFILE``       | String                 | File where debug or    | 3.12                   |
+   |                        | (file name)            | trace information is   |                        |
+   |                        |                        | written.               |                        |
+   |                        |                        | If not set, the debug  |                        |
+   |                        |                        | or trace information   |                        |
+   |                        |                        | is written to stderr.  |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | Note: *SSLDEBUG or     |                        |
+   |                        |                        | SSLTRACE have to be    |                        |
+   |                        |                        | set to use this        |                        |
+   |                        |                        | functionality.*        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SSLFORCELOCKS``      | Boolean                | Forces NSS to use      | 3.11                   |
+   |                        | (1 to enable)          | locks for protection.  |                        |
+   |                        |                        | Overrides the effect   |                        |
+   |                        |                        | of SSL_NO_LOCKS (see   |                        |
+   |                        |                        | ssl.h).                |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SSLKEYLOGFILE``      | String                 | Key log file. If set,  | 3.12.6                 |
+   |                        | (file name)            | NSS logs RSA           |                        |
+   |                        |                        | pre-master secrets to  |                        |
+   |                        |                        | this file. This allows |                        |
+   |                        |                        | packet sniffers to     |                        |
+   |                        |                        | decrypt TLS            |                        |
+   |                        |                        | connections. See       |                        |
+   |                        |                        | :ref:`mozilla_project  |                        |
+   |                        |                        | s_nss_key_log_format`. |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``SSLTRACE``           | Integer                | Tracing level          | Before 3.0             |
+   |                        |                        | Note: *The code must   |                        |
+   |                        |                        | be built with TRACE    |                        |
+   |                        |                        | defined to use this    |                        |
+   |                        |                        | functionality.*        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+
+.. _build-time_environment_variables:
+
+`Build-Time Environment Variables <#build-time_environment_variables>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   These environment variables affect the build (compilation) of NSS.
+
+   .. note::
+
+      **Note: This section is a work in progress and is not yet complete.**
+
+   +------------------------+------------------------+------------------------+------------------------+
+   | Variable               | Type                   | Description            | Introduced in version  |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``BUILD_OPT``          | Boolean                | Do an optimized (not   | Before 3.0             |
+   |                        | (1 to enable)          | DEBUG) build. Default  |                        |
+   |                        |                        | is to do a DEBUG       |                        |
+   |                        |                        | build.                 |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``MOZ_DEBUG_SYMBOLS``  | Boolean                | Needed on Windows to   | 3.11                   |
+   |                        | (1 to enable)          | build with versions of |                        |
+   |                        |                        | MSVC (such as VC8 and  |                        |
+   |                        |                        | VC9) that do not       |                        |
+   |                        |                        | understand /PDB:NONE   |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``MOZ_DEBUG_FLAGS``    | String                 | When                   | 3.12.8                 |
+   |                        |                        | ``MOZ_DEBUG_SYMBOLS``  |                        |
+   |                        |                        | is set, you may use    |                        |
+   |                        |                        | ``MOZ_DEBUG_FLAGS`` to |                        |
+   |                        |                        | specify alternative    |                        |
+   |                        |                        | compiler flags to      |                        |
+   |                        |                        | produce symbolic       |                        |
+   |                        |                        | debugging information  |                        |
+   |                        |                        | in a particular        |                        |
+   |                        |                        | format.                |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSDISTMODE``         | String                 | On operating systems   | Before 3.0             |
+   |                        |                        | other than Windows,    |                        |
+   |                        |                        | this controls whether  |                        |
+   |                        |                        | copies, absolute       |                        |
+   |                        |                        | symlinks, or relative  |                        |
+   |                        |                        | symlinks of the output |                        |
+   |                        |                        | files should be        |                        |
+   |                        |                        | published to           |                        |
+   |                        |                        | mozilla/dist. The      |                        |
+   |                        |                        | possible values are:   |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | -  copy: copies of     |                        |
+   |                        |                        |    files are published |                        |
+   |                        |                        | -  absolute_symlink:   |                        |
+   |                        |                        |    symlinks whose      |                        |
+   |                        |                        |    targets are         |                        |
+   |                        |                        |    absolute pathnames  |                        |
+   |                        |                        |    are published       |                        |
+   |                        |                        |                        |                        |
+   |                        |                        | If not specified,      |                        |
+   |                        |                        | default to relative    |                        |
+   |                        |                        | symlinks (symlinks     |                        |
+   |                        |                        | whose targets are      |                        |
+   |                        |                        | relative pathnames).   |                        |
+   |                        |                        | On Windows, copies of  |                        |
+   |                        |                        | files are always       |                        |
+   |                        |                        | published.             |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NS_USE_GCC``         | Boolean                | On systems where GCC   | Before 3.0             |
+   |                        | (1 to enable)          | is not the default     |                        |
+   |                        |                        | compiler, this tells   |                        |
+   |                        |                        | NSS to build with gcc. |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | `N                     | Boolean                | Enable NSS support in  | 3.24                   |
+   | SS_ALLOW_SSLKEYLOGFILE | (1 to enable)          | optimized builds for   |                        |
+   |  <https://dxr.mozilla. |                        | logging SSL/TLS key    |                        |
+   | org/nss/search?q=NSS_A |                        | material to a logfile  |                        |
+   | LLOW_SSLKEYLOGFILE>`__ |                        | if the SSLKEYLOGFILE   |                        |
+   |                        |                        | environment variable.  |                        |
+   |                        |                        | As of NSS 3.24 this is |                        |
+   |                        |                        | disabled by default.   |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_BUI              | Boolean                | Continue building NSS  | 3.12.4                 |
+   | LD_CONTINUE_ON_ERROR`` | (1 to enable)          | source directories     |                        |
+   |                        |                        | when a build error     |                        |
+   |                        |                        | occurs.                |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``N                    | Boolean                | Use the system         | 3.12.6                 |
+   | SS_USE_SYSTEM_SQLITE`` | (1 to enable)          | installed sqlite       |                        |
+   |                        |                        | library instead of the |                        |
+   |                        |                        | in-tree version.       |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_DISA             | Boolean                | Disable Elliptic Curve | 3.16                   |
+   | BLE_ECC (deprecated)`` | (1 to disable)         | Cryptography features. |                        |
+   |                        |                        | As of NSS 3.16, ECC    |                        |
+   |                        |                        | features are enabled   |                        |
+   |                        |                        | by default. As of NSS  |                        |
+   |                        |                        | 3.33 this variable has |                        |
+   |                        |                        | no effect.             |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``NSS_ENA              | Boolean                | Enable building of     | Before 3.16; since     |
+   | BLE_ECC (deprecated)`` | (1 to enable)          | code that uses         | 3.11.                  |
+   |                        |                        | Elliptic Curve         |                        |
+   |                        |                        | Cryptography. Unused   |                        |
+   |                        |                        | as of NSS 3.16; see    |                        |
+   |                        |                        | NSS_DISABLE_ECC.       |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ```NSS_FOR             | | Boolean              | Allows enabling FIPS   | 3.24                   |
+   | CE_FIPS`` <https://dxr | | (1 to enable)        | mode using             |                        |
+   | .mozilla.org/nss/searc |                        | ``NSS_FIPS``           |                        |
+   | h?q=NSS_FORCE_FIPS>`__ |                        |                        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``OS_TARGET``          | String                 | For cross-compilation  | Before 3.0             |
+   |                        | (target OS)            | environments only,     |                        |
+   |                        |                        | when the target OS is  |                        |
+   |                        |                        | not the default for    |                        |
+   |                        |                        | the system on which    |                        |
+   |                        |                        | the build is           |                        |
+   |                        |                        | performed.             |                        |
+   |                        |                        | Values understood:     |                        |
+   |                        |                        | WIN95                  |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``USE_64``             | Boolean                | On platforms that has  | Before 3.0             |
+   |                        | (1 to enable)          | separate 32-bit and    |                        |
+   |                        |                        | 64-bit ABIs, NSS       |                        |
+   |                        |                        | builds for the 32-bit  |                        |
+   |                        |                        | ABI by default. This   |                        |
+   |                        |                        | tells NSS to build for |                        |
+   |                        |                        | the 64-bit ABI.        |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``USE_DEBUG_RTL``      | Boolean                | On Windows, MSVC has   | Before 3.0             |
+   |                        | (1 to enable)          | options to build with  |                        |
+   |                        |                        | a normal Run Time      |                        |
+   |                        |                        | Library or a debug Run |                        |
+   |                        |                        | Time Library. This     |                        |
+   |                        |                        | tells NSS to build     |                        |
+   |                        |                        | with the Debug Run     |                        |
+   |                        |                        | Time Library.          |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``USE_PTHREADS``       | Boolean                | On platforms where     | Before 3.0             |
+   |                        | (1 to enable)          | POSIX threads are      |                        |
+   |                        |                        | available, but are not |                        |
+   |                        |                        | the OS'es preferred    |                        |
+   |                        |                        | threads library, this  |                        |
+   |                        |                        | tells NSS and NSPR to  |                        |
+   |                        |                        | build using pthreads.  |                        |
+   +------------------------+------------------------+------------------------+------------------------+
+   | ``                     | String                 | Disables at            | Before 3.15            |
+   | NSS_NO_PKCS11_BYPASS`` | (1 to enable)          | compile-time the NS    |                        |
+   |                        |                        | ssl code to bypass the |                        |
+   |                        |                        | pkcs11 layer. When set |                        |
+   |                        |                        | the SSLBYPASS run-time |                        |
+   |                        |                        | variable won't take    |                        |
+   |                        |                        | effect                 |                        |
+   +------------------------+------------------------+------------------------+------------------------+
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_functions/index.rst b/security/nss/doc/rst/legacy/reference/nss_functions/index.rst
new file mode 100644
index 0000000000..6793f765b8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_functions/index.rst
@@ -0,0 +1,105 @@
+.. _mozilla_projects_nss_reference_nss_functions:
+
+NSS functions
+=============
+
+.. container::
+
+   This page lists all exported functions in NSS 3.11.7 It was ported from
+   `here <http://www-archive.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html>`__.
+
+   This is a `composite page <http://meta.wikimedia.org/wiki/Help:Template#Composite_pages>`__.
+   Section headings are links to the individual pages where you can edit them.
+
+   Keywords:
+
+   -  Deprecated - function should no longer be used.
+   -  Updated - function has new arguments such as new flag or addition to structure.
+
+.. _ssl_functions:
+
+`SSL functions <#ssl_functions>`__
+----------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/SSL_functions")}}
+
+.. _deprecated_ssl_functions:
+
+`Deprecated SSL functions <#deprecated_ssl_functions>`__
+--------------------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/Deprecated_SSL_functions")}}
+
+.. _certificate_functions:
+
+`Certificate functions <#certificate_functions>`__
+--------------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/Certificate_functions")}}
+
+.. _cryptography_functions:
+
+`Cryptography functions <#cryptography_functions>`__
+----------------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/Cryptography_functions")}}
+
+.. _utility_functions:
+
+`Utility functions <#utility_functions>`__
+------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/Utility_functions")}}
+
+.. _s.2fmime_functions:
+
+`S/MIME functions <#s.2fmime_functions>`__
+------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/S//MIME_functions")}}
+
+.. _pkcs_.237_functions:
+
+`PKCS #7 functions <#pkcs_.237_functions>`__
+--------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/PKCS_7_functions")}}
+
+.. _pkcs_.2312_functions:
+
+`PKCS #12 functions <#pkcs_.2312_functions>`__
+----------------------------------------------
+
+.. container::
+
+   .. container::
+
+      {{page("/en-US/docs/NSS/PKCS_12_functions")}}
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_initialize/index.rst b/security/nss/doc/rst/legacy/reference/nss_initialize/index.rst
new file mode 100644
index 0000000000..f316e507e4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_initialize/index.rst
@@ -0,0 +1,113 @@
+.. _mozilla_projects_nss_reference_nss_initialize:
+
+NSS_Initialize
+==============
+
+`Name <#name>`__
+~~~~~~~~~~~~~~~~
+
+.. container::
+
+   NSS_Initialize - initialize NSS.
+
+`Syntax <#syntax>`__
+~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      SECStatus NSS_Initialize(const char *configdir,
+                               const char *certPrefix,
+                               const char *keyPrefix,
+                               const char *secmodName,
+                               PRUint32 flags);
+
+`Parameters <#parameters>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSS_Initialize`` has five parameters:
+
+   ``configdir``
+      [in] the directory where the certificate, key, and module databases live. To-do: document the
+      "sql:" prefix.
+   ``certPrefix``
+      [in] prefix added to the beginning of the certificate database, for example, "https-server1-".
+   ``keyPrefix``
+      [in] prefix added to the beginning of the key database, for example, "https-server1-".
+   ``secmodName``
+      [in] name of the security module database, usually "secmod.db".
+   ``flags``
+      [in] bit flags that specify how NSS should be initialized.
+
+`Description <#description>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSS_Initialize`` initializes NSS. It is more flexible than ``NSS_Init``, ``NSS_InitReadWrite``,
+   and ``NSS_NoDB_Init``. If any of those simpler NSS initialization functions suffices for your
+   needs, call that instead.
+
+   The ``flags`` parameter is a bitwise OR of the following flags:
+
+   -  NSS_INIT_READONLY - Open the databases read only.
+   -  NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just initialize the volatile certdb.
+   -  NSS_INIT_NOMODDB - Don't open the security module DB, just initialize the  PKCS #11 module.
+   -  NSS_INIT_FORCEOPEN - Continue to force initializations even if the databases cannot be opened.
+   -  NSS_INIT_NOROOTINIT - Don't try to look for the root certs module automatically.
+   -  NSS_INIT_OPTIMIZESPACE - Optimize for space instead of speed. Use smaller tables and caches.
+   -  NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are thread-safe, i.e., that support
+      locking - either OS locking or NSS-provided locks . If a PKCS#11 module isn't thread-safe,
+      don't serialize its calls; just don't load it instead. This is necessary if another piece of
+      code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for
+      example, the Java SunPKCS11 provider.
+   -  NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11
+      modules. This is necessary if another piece of code is using the same PKCS#11 modules that NSS
+      is accessing without going through NSS, for example, Java SunPKCS11 provider.
+   -  NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any PKCS#11 module. This may be necessary
+      in order to ensure continuous operation and proper shutdown sequence if another piece of code
+      is using the same PKCS#11 modules that NSS is accessing without going through NSS, for
+      example, Java SunPKCS11 provider. The following limitation applies when this is set
+      : SECMOD_WaitForAnyTokenEvent will not use C_WaitForSlotEvent, in order to prevent the need
+      for C_Finalize. This call will be emulated instead.
+   -  NSS_INIT_RESERVED - Currently has no effect, but may be used in the future to trigger better
+      cooperation between PKCS#11 modules used by both NSS and the Java SunPKCS11 provider. This
+      should occur after a new flag is defined for C_Initialize by the PKCS#11 working group.
+   -  NSS_INIT_COOPERATE - Sets the above four recommended options for applications that use both
+      NSS and the Java SunPKCS11 provider.
+
+.. _return_value:
+
+`Return value <#return_value>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   ``NSS_Initialize`` returns SECSuccess on success, or SECFailure on failure.
+
+`Examples <#examples>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   .. code::
+
+      #include <nss.h>
+
+      SECStatus rv;
+      const char *configdir;
+
+      configdir = ...;  /* application-specific */
+      rv = NSS_Initialize(configdir, "", "", SECMOD_DB, NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE);
+
+.. _see_also:
+
+`See also <#see_also>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  NSS_Init, NSS_InitReadWrite, NSS_NoDB_Init, NSS_Shutdown
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_key_functions/index.rst b/security/nss/doc/rst/legacy/reference/nss_key_functions/index.rst
new file mode 100644
index 0000000000..5c894bd65b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_key_functions/index.rst
@@ -0,0 +1,60 @@
+.. _mozilla_projects_nss_reference_nss_key_functions:
+
+NSS Key Functions
+=================
+
+.. container::
+
+   This chapter describes two functions used to manipulate private keys and key databases such as
+   the key3.db database provided with NSS. This was converted from `"Chapter 6: Key
+   Functions" <https://developer.mozilla.org/en-US/docs/NSS/SSL_functions/sslkey.html>`__.
+
+   -  :ref:`mozilla_projects_nss_reference`
+   -  `SECKEY_GetDefaultKeyDB <#seckey_getdefaultkeydb>`__
+   -  `SECKEY_DestroyPrivateKey <#seckey_destroyprivatekey>`__
+
+   .. rubric:: SECKEY_GetDefaultKeyDB
+      :name: seckey_getdefaultkeydb
+
+   Returns a handle to the default key database opened by NSS_Init.
+
+   Syntax
+
+   #. include <key.h>
+   #. include <keyt.h>
+
+   SECKEYKeyDBHandle \*SECKEY_GetDefaultKeyDB(void);
+
+   Returns The function returns a handle of type SECKEYKeyDBHandle.
+
+   Description NSS_Init opens the certificate, key, and security module databases that you specify
+   for use with NSS. SECKEYKeyDBHandle returns a handle to the key database opened by NSS_Init.
+
+   .. rubric:: SECKEY_DestroyPrivateKey
+      :name: seckey_destroyprivatekey
+
+   Destroys a private key structure.
+
+   Syntax
+
+   #. include <key.h>
+   #. include <keyt.h>
+
+   void SECKEY_DestroyPrivateKey(SECKEYPrivateKey \*key);
+
+   Parameter This function has the following parameter:
+
+   key
+
+   A pointer to the private key structure to destroy.
+
+   Description Certificate and key structures are shared objects. When an application makes a copy
+   of a particular certificate or key structure that already exists in memory, SSL makes a shallow
+   copy--that is, it increments the reference count for that object rather than making a whole new
+   copy. When you call CERT_DestroyCertificate or SECKEY_DestroyPrivateKey, the function decrements
+   the reference count and, if the reference count reaches zero as a result, both frees the memory
+   and sets all the bits to zero. The use of the word "destroy" in function names or in the
+   description of a function implies reference counting.
+
+   Never alter the contents of a certificate or key structure. If you attempt to do so, the change
+   affects all the shallow copies of that structure and can cause severe problems.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools/index.rst
new file mode 100644
index 0000000000..f439847286
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools/index.rst
@@ -0,0 +1,26 @@
+.. _mozilla_projects_nss_reference_nss_tools:
+
+NSS Tools Man Pages - work in progress
+======================================
+
+.. container::
+
+   certutil :ref:`mozilla_projects_nss_reference_nss_tools_:_certutil`
+
+   pk12util :ref:`mozilla_projects_nss_reference_nss_tools_:_pk12util`
+
+   modutil :ref:`mozilla_projects_nss_reference_nss_tools_:_modutil`
+
+   crlutil :ref:`mozilla_projects_nss_reference_nss_tools_:_crlutil`
+
+   cmsutil :ref:`mozilla_projects_nss_reference_nss_tools_:_cmsutil`
+
+   vfychain :ref:`mozilla_projects_nss_reference_nss_tools_:_vfychain`
+
+   vfyserv :ref:`mozilla_projects_nss_reference_nss_tools_:_vfyserv`
+
+   ssltap :ref:`mozilla_projects_nss_reference_nss_tools_:_ssltab`
+
+   This is still a work in progress and in early stages. 
+
+   These man pages where generated from XML docbook files.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst
new file mode 100644
index 0000000000..134cce4e3c
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst
@@ -0,0 +1,845 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_certutil:
+
+NSS tools : certutil
+====================
+
+.. container::
+
+   | Name
+   |    certutil — Manage keys and certificate in both NSS databases and other NSS tokens
+   | Synopsis
+   |    certutil [options] [[arguments]]
+   | Description
+   |    The Certificate Database Tool, certutil, is a command-line utility
+   |    that can create and modify certificate and key databases.
+   |    It can specifically list, generate, modify, or delete certificates, create or
+   |    change the password, generate new public and private key pairs,
+   |    display the contents of the key database, or delete key pairs within  the key database.
+   |    Certificate issuance, part of the key and certificate management process, requires that
+   |    keys and certificates be created in the key database. This document discusses certificate
+   |    and key database management. For information on the  security module database management,
+   |    see the modutil manpage.
+   | Options and Arguments
+   |    Running certutil always requires one and only one command option to
+   |    specify the type of certificate operation. Each option may take arguments,
+   |    anywhere from none to multiple arguments. The command option -H will list
+   |    all the command options available and their relevant arguments.
+   |    Command Options
+   |    -A
+   |           Add an existing certificate to a certificate database.
+   |           The certificate database should already exist; if one is
+   |           not present, this command option will initialize one by default.
+   |    -B
+   |           Run a series of commands from the specified batch file.
+   |           This requires the -i argument.
+   |    -C
+   |           Create a new binary certificate file from a binary
+   |           certificate request file. Use the -i argument to specify
+   |           the certificate request file. If this argument is not
+   |           used, certutil prompts for a filename.
+   |    -D
+   |           Delete a certificate from the certificate database.
+
+   |   --rename
+   |          Change the database nickname of a certificate.
+
+   |
+   |    -E
+   |           Add an email certificate to the certificate database.
+   |    -F
+   |           Delete a private key from a key database. Specify the
+   |           key to delete with the -n argument. Specify the database
+   |           from which to delete the key with the -d argument. Use
+   |           the -k argument to specify explicitly whether to delete
+   |           a DSA, RSA, or ECC key. If you don't use the -k
+   |           argument, the option looks for an RSA key matching the
+   |           specified nickname.
+   |           When you delete keys, be sure to also remove any
+   |           certificates associated with those keys from the
+   |           certificate database, by using -D. Some smart cards (for
+   |           example, the Litronic card) do not let you remove a
+   |           public key you have generated. In such a case, only the
+   |           private key is deleted from the key pair. You can
+   |           display the public key with the command certutil -K -h
+   |           tokenname.
+   |    -G
+   |           Generate a new public and private key pair within a key
+   |           database. The key database should already exist; if one
+   |           is not present, this option will initialize one by
+   |           default. Some smart cards (for example, the Litronic
+   |           card) can store only one key pair. If you create a new
+   |           key pair for such a card, the previous pair is
+   |           overwritten.
+   |    -H
+   |           Display a list of the options and arguments used by the
+   |           Certificate Database Tool.
+   |    -K
+   |           List the key ID of keys in the key database. A key ID is
+   |           the modulus of the RSA key or the publicValue of the DSA
+   |           key. IDs are displayed in hexadecimal ("0x" is not
+   |           shown).
+   |    -L
+   |           List all the certificates, or display information about
+   |           a named certificate, in a certificate database. Use the
+   |           -h tokenname argument to specify the certificate
+   |           database on a particular hardware or software token.
+   |    -M
+   |           Modify a certificate's trust attributes using the values
+   |           of the -t argument.
+   |    -N
+   |           Create new certificate and key databases.
+   |    -O
+   |           Print the certificate chain.
+   |    -R
+   |           Create a certificate request file that can be submitted
+   |           to a Certificate Authority (CA) for processing into a
+   |           finished certificate. Output defaults to standard out
+   |           unless you use -o output-file argument. Use the -a
+   |           argument to specify ASCII output.
+   |    -S
+   |           Create an individual certificate and add it to a
+   |           certificate database.
+   |    -T
+   |           Reset the key database or token.
+   |    -U
+   |           List all available modules or print a single named
+   |           module.
+   |    -V
+   |           Check the validity of a certificate and its attributes.
+   |    -W
+   |           Change the password to a key database.
+   |    --merge
+   |           Merge two databases into one.
+   |    --upgrade-merge
+   |           Upgrade an old database and merge it into a new
+   |           database. This is used to migrate legacy NSS databases
+   |           (cert8.db and key3.db) into the newer SQLite databases
+   |           (cert9.db and key4.db).
+   |    Arguments
+   |    Arguments modify a command option and are usually lower case, numbers, or symbols.
+   |    -a
+   |           Use ASCII format or allow the use of ASCII format for
+   |           input or output. This formatting follows RFC 1113. For
+   |           certificate requests, ASCII output defaults to standard
+   |           output unless redirected.
+   |    -b validity-time
+   |           Specify a time at which a certificate is required to be
+   |           valid. Use when checking certificate validity with the
+   |           -V option. The format of the validity-time argument is
+   |           YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be
+   |           set relative to the validity end time. Specifying
+   |           seconds (SS) is optional. When specifying an explicit
+   |           time, use a Z at the end of the term, YYMMDDHHMMSSZ, to
+   |           close it. When specifying an offset time, use
+   |           YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or
+   |           subtracting time, respectively.
+   |           If this option is not used, the validity check defaults
+   |           to the current system time.
+   |    -c issuer
+   |           Identify the certificate of the CA from which a new
+   |           certificate will derive its authenticity. Use the exact
+   |           nickname or alias of the CA certificate, or use the CA's
+   |           email address. Bracket the issuer string with quotation
+   |           marks if it contains spaces.
+   |    -d [prefix]directory
+   |           Specify the database directory containing the
+   |           certificate and key database files.
+   |           certutil supports two types of databases: the legacy
+   |           security databases (cert8.db, key3.db, and secmod.db)
+   |           and new SQLite databases (cert9.db, key4.db, and
+   |           pkcs11.txt).
+
+              NSS recognizes the following prefixes:
+
+              ·   sql: requests the newer database
+
+              ·   dbm: requests the legacy database
+
+   |            If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If
+     NSS_DEFAULT_DB_TYPE is not set
+   |            then dbm: is the default.
+
+   |     --dump-ext-val OID
+   |            For single cert, print binary DER encoding of extension OID.
+   |    -e
+   |           Check a certificate's signature during the process of
+   |           validating a certificate.
+
+   |        --email email-address
+   |            Specify the email address of a certificate to list. Used with the -L command option.
+
+   |        --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...
+   |            Add one or multiple extensions that certutil cannot encode yet, by loading their
+     encodings from external files.
+
+              ·   OID (example): 1.2.3.4
+
+              ·   critical-flag: critical or not-critical
+
+              ·   filename: full path to a file containing an encoded extension
+
+   |
+   |    -f password-file
+   |           Specify a file that will automatically supply the
+   |           password to include in a certificate or to access a
+   |           certificate database. This is a plain-text file
+   |           containing one password. Be sure to prevent unauthorized
+   |           access to this file.
+   |    -g keysize
+   |           Set a key size to use when generating new public and
+   |           private key pairs. The minimum is 512 bits and the
+   |           maximum is 16384 bits. The default is 2048 bits. Any size
+   |           between the minimum and maximum is allowed.
+   |    -h tokenname
+   |           Specify the name of a token to use or act on. Unless
+   |           specified otherwise the default token is an internal
+   |           slot.
+   |    -i input_file
+   |           Pass an input file to the command. Depending on the
+   |           command option, an input file can be a specific
+   |           certificate, a certificate request file, or a batch file
+   |           of commands.
+   |    -k rsa|dsa|ec|all
+   |           Specify the type of a key. The valid options are RSA,
+   |           DSA, ECC, or all. The default value is rsa. Specifying
+   |           the type of key can avoid mistakes caused by duplicate
+   |           nicknames.
+   |    -k key-type-or-id
+   |            Specify the type or specific ID of a key.
+
+   |            The valid key type options are rsa, dsa, ec, or all. The default value is rsa.
+     Specifying the type of key can avoid
+   |            mistakes caused by duplicate nicknames. Giving a key type generates a new key pair;
+     giving the ID of an existing key
+   |            reuses that key pair (which is required to renew certificates).
+   |    -l
+   |           Display detailed information when validating a
+   |           certificate with the -V option.
+   |    -m serial-number
+   |           Assign a unique serial number to a certificate being created. This operation should
+     be performed by a CA. If no
+   |            serial number is provided a default serial number is made from the current time.
+     Serial numbers are limited to
+   |            integers.
+   |    -n nickname
+   |           Specify the nickname of a certificate or key to list,
+   |           create, add to a database, modify, or validate. Bracket
+   |           the nickname string with quotation marks if it contains
+   |           spaces.
+   |    -o output-file
+   |           Specify the output file name for new certificates or
+   |           binary certificate requests. Bracket the output-file
+   |           string with quotation marks if it contains spaces. If
+   |           this argument is not used the output destination
+   |           defaults to standard output.
+   |    -P dbPrefix
+   |           Specify the prefix used on the certificate and key
+   |           database file. This argument is provided to support
+   |           legacy servers. Most applications do not use a database prefix.
+   |    -p phone
+   |           Specify a contact telephone number to include in new
+   |           certificates or certificate requests. Bracket this
+   |           string with quotation marks if it contains spaces.
+   |    -q pqgfile or curve-name
+   |            Read an alternate PQG value from the specified file when generating DSA key pairs.
+   |            If this argument is not used,certutil generates its own PQG value. PQG files are
+     created with a separate DSA utility.
+
+              Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521
+
+   |            If NSS has been compiled with support curves outside of SUITE B: sect163k1,
+     nistk163, sect163r1, sect163r2, nistb163,
+   |            sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1,
+     sect283k1, nistk283, sect283r1, nistb283,
+   |            sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571,
+     secp160k1, secp160r1, secp160r2,
+   |            secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1,
+     secp256r1, secp384r1, secp521r1,
+   |            prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1,
+     c2pnb163v2, c2pnb163v3,
+   |            c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2,
+     c2tnb239v3, c2pnb272w1,
+   |            c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1,
+     secp128r2, sect113r1, sect113r2
+   |            sect131r1, sect131r2
+
+   |
+   |    -r
+   |           Display a certificate's binary DER encoding when listing
+   |           information about that certificate with the -L option.
+   |    -s subject
+   |           Identify a particular certificate owner for new
+   |           certificates or certificate requests. Bracket this
+   |           string with quotation marks if it contains spaces. The
+   |           subject identification format follows RFC #1485.
+   |    -t trustargs
+   |           Specify the trust attributes to modify in an existing
+   |           certificate or to apply to a certificate when creating
+   |           it or adding it to a database. There are three available
+   |           trust categories for each certificate, expressed in the
+   |           order SSL, email, object signing for each trust setting.
+   |           In each category position, use none, any, or all of the
+   |           attribute codes:
+   |           + p - Valid peer
+   |           + P - Trusted peer (implies p)
+   |           + c - Valid CA
+   |           + T - Trusted CA to issue client certificates (implies
+   |             c)
+   |           + C - Trusted CA to issue server certificates (SSL only)
+   |             (implies c)
+   |           + u - Certificate can be used for authentication or
+   |             signing
+   |           + w - Send warning (use with other attributes to include
+   |             a warning when the certificate is used in that
+   |             context)
+   |           The attribute codes for the categories are separated by
+   |           commas, and the entire set of attributes enclosed by
+   |           quotation marks. For example:
+   |           -t "TC,C,T"
+   |           Use the -L option to see a list of the current
+   |           certificates and trust attributes in a certificate
+   |           database.
+
+   |            Note that the output of the -L option may include "u" flag, which means that there
+     is a private key associated with
+   |            the certificate. It is a dynamic flag and you cannot set it with certutil.
+   |    -u certusage
+   |           Specify a usage context to apply when validating a
+   |           certificate with the -V option.
+   |           The contexts are the following:
+
+              ·   C (as an SSL client)
+
+              ·   V (as an SSL server)
+
+              ·   L (as an SSL CA)
+
+              ·   A (as Any CA)
+
+              ·   Y (Verify CA)
+
+              ·   S (as an email signer)
+
+              ·   R (as an email recipient)
+
+              ·   O (as an OCSP status responder)
+
+              ·   J (as an object signer)
+
+   |
+   |    -v valid-months
+   |           Set the number of months a new certificate will be
+   |           valid. The validity period begins at the current system
+   |           time unless an offset is added or subtracted with the -w
+   |           option. If this argument is not used, the default
+   |           validity period is three months. When this argument is
+   |           used, the default three-month period is automatically
+   |           added to any value given in the valid-month argument.
+   |           For example, using this option to set a value of 3 would
+   |           cause 3 to be added to the three-month default, creating
+   |           a validity period of six months. You can use negative
+   |           values to reduce the default period. For example,
+   |           setting a value of -2 would subtract 2 from the default
+   |           and create a validity period of one month.
+   |    -w offset-months
+   |           Set an offset from the current system time, in months,
+   |           for the beginning of a certificate's validity period.
+   |           Use when creating the certificate or adding it to a
+   |           database. Express the offset in integers, using a minus
+   |           sign (-) to indicate a negative offset. If this argument
+   |           is not used, the validity period begins at the current
+   |           system time. The length of the validity period is set
+   |           with the -v argument.
+   |    -X
+   |           Force the key and certificate database to open in
+   |           read-write mode. This is used with the -U and -L command
+   |           options.
+   |    -x
+   |           Use certutil to generate the signature for a certificate
+   |           being created or added to a database, rather than
+   |           obtaining a signature from a separate CA.
+   |    -y exp
+   |           Set an alternate exponent value to use in generating a
+   |           new RSA public key for the database, instead of the
+   |           default value of 65537. The available alternate values
+   |           are 3 and 17.
+   |    -z noise-file
+   |           Read a seed value from the specified file to generate a
+   |           new private and public key pair. This argument makes it
+   |           possible to use hardware-generated seed values or
+   |           manually create a value from the keyboard. The minimum
+   |           file size is 20 bytes.
+   |    -0 SSO_password
+   |           Set a site security officer password on a token.
+   |    -1 \| --keyUsage keyword,keyword
+   |           Set a Netscape Certificate Type Extension in the
+   |           certificate. There are several available keywords:
+   |           + digital signature
+   |           + nonRepudiation
+   |           + keyEncipherment
+   |           + dataEncipherment
+   |           + keyAgreement
+   |           + certSigning
+   |           + crlSigning
+   |           + critical
+   |    -2
+   |           Add a basic constraint extension to a certificate that
+   |           is being created or added to a database. This extension
+   |           supports the certificate chain verification process.
+   |           certutil prompts for the certificate constraint
+   |           extension to select.
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    -3
+   |           Add an authority key ID extension to a certificate that
+   |           is being created or added to a database. This extension
+   |           supports the identification of a particular certificate,
+   |           from among multiple certificates associated with one
+   |           subject name, as the correct issuer of a certificate.
+   |           The Certificate Database Tool will prompt you to select
+   |           the authority key ID extension.
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    -4
+   |           Add a CRL distribution point extension to a certificate
+   |           that is being created or added to a database. This
+   |           extension identifies the URL of a certificate's
+   |           associated certificate revocation list (CRL). certutil
+   |           prompts for the URL.
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    -5 \| --nsCertType keyword,keyword
+   |           Add a Netscape certificate type extension to a
+   |           certificate that is being created or added to the
+   |           database. There are several available keywords:
+   |           + sslClient
+   |           + sslServer
+   |           + smime
+   |           + objectSigning
+   |           + sslCA
+   |           + smimeCA
+   |           + objectSigningCA
+   |           + critical
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    -6 \| --extKeyUsage keyword,keyword
+   |           Add an extended key usage extension to a certificate
+   |           that is being created or added to the database. Several
+   |           keywords are available:
+   |           + serverAuth
+   |           + clientAuth
+   |           + codeSigning
+   |           + emailProtection
+   |           + timeStamp
+   |           + ocspResponder
+   |           + stepUp
+   |           + critical
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    -7 emailAddrs
+   |           Add a comma-separated list of email addresses to the
+   |           subject alternative name extension of a certificate or
+   |           certificate request that is being created or added to
+   |           the database. Subject alternative name extensions are
+   |           described in Section 4.2.1.7 of RFC 3280.
+   |    -8 dns-names
+   |           Add a comma-separated list of DNS names to the subject
+   |           alternative name extension of a certificate or
+   |           certificate request that is being created or added to
+   |           the database. Subject alternative name extensions are
+   |           described in Section 4.2.1.7 of RFC 3280.
+   |    --extAIA
+   |           Add the Authority Information Access extension to the
+   |           certificate. X.509 certificate extensions are described
+   |           in RFC 5280.
+   |    --extSIA
+   |           Add the Subject Information Access extension to the
+   |           certificate. X.509 certificate extensions are described
+   |           in RFC 5280.
+   |    --extCP
+   |           Add the Certificate Policies extension to the
+   |           certificate. X.509 certificate extensions are described
+   |           in RFC 5280.
+   |    --extPM
+   |           Add the Policy Mappings extension to the certificate.
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    --extPC
+   |           Add the Policy Constraints extension to the certificate.
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    --extIA
+   |           Add the Inhibit Any Policy Access extension to the
+   |           certificate. X.509 certificate extensions are described
+   |           in RFC 5280.
+   |    --extSKID
+   |           Add the Subject Key ID extension to the certificate.
+   |           X.509 certificate extensions are described in RFC 5280.
+   |    --source-dir certdir
+   |           Identify the certificate database directory to upgrade.
+   |    --source-prefix certdir
+   |           Give the prefix of the certificate and key databases to
+   |           upgrade.
+   |    --upgrade-id uniqueID
+   |           Give the unique ID of the database to upgrade.
+   |    --upgrade-token-name name
+   |           Set the name of the token to use while it is being
+   |           upgraded.
+   |    -@ pwfile
+   |           Give the name of a password file to use for the database
+   |           being upgraded.
+   | Usage and Examples
+   |    Most of the command options in the examples listed here have
+   |    more arguments available. The arguments included in these
+   |    examples are the most common ones or are used to illustrate a
+   |    specific scenario. Use the -H option to show the complete list
+   |    of arguments for each command option.
+   |    Creating New Security Databases
+   |    Certificates, keys, and security modules related to managing
+   |    certificates are stored in three related databases:
+   |      \* cert8.db or cert9.db
+   |      \* key3.db or key4.db
+   |      \* secmod.db or pkcs11.txt
+   |    These databases must be created before certificates or keys can
+   |    be generated.
+   | certutil -N -d [sql:]directory
+   |    Creating a Certificate Request
+   |    A certificate request contains most or all of the information
+   |    that is used to generate the final certificate. This request is
+   |    submitted separately to a certificate authority and is then
+   |    approved by some mechanism (automatically or by human review).
+   |    Once the request is approved, then the certificate is
+   |    generated.
+   | $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s s
+   | ubject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a
+   | ]
+   |    The -R command options requires four arguments:
+   |      \* -k to specify either the key type to generate or, when
+   |        renewing a certificate, the existing key pair to use
+   |      \* -g to set the keysize of the key to generate
+   |      \* -s to set the subject name of the certificate
+   |      \* -d to give the security database directory
+   |    The new certificate request can be output in ASCII format (-a)
+   |    or can be written to a specified file (-o).
+   |    For example:
+   | $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,
+   | L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-5
+   | 55-0123 -a -o cert.cer
+   | Generating key.  This may take a few moments...
+   | Certificate request generated by Netscape
+   | Phone: 650-555-0123
+   | Common Name: John Smith
+   | Email: (not ed)
+   | Organization: Example Corp
+   | State: California
+   | Country: US
+   | -----BEGIN NEW CERTIFICATE REQUEST-----
+   | MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
+   | MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
+   | EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
+   | KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
+   | CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
+   | qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
+   | 1hP9Gg==
+   | -----END NEW CERTIFICATE REQUEST-----
+   |    Creating a Certificate
+   |    A valid certificate must be issued by a trusted CA. This can be
+   |    done by specifying a CA certificate (-c) that is stored in the
+   |    certificate database. If a CA key pair is not available, you
+   |    can create a self-signed certificate using the -x argument with
+   |    the -S command option.
+   | $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer \|-x] -t tr
+   | ustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offs
+   | et-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7
+   | emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [
+   | --extPC] [--extIA] [--extSKID]
+   |    The series of numbers and --ext\* options set certificate
+   |    extensions that can be added to the certificate when it is
+   |    generated by the CA.
+   |    For example, this creates a self-signed certificate:
+   | $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m
+   |  3650
+   |    From there, new certificates can reference the self-signed
+   |    certificate:
+   | $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -
+   | t "u,u,u" -1 -5 -6 -8 -m 730
+   |    Generating a Certificate from a Certificate Request
+   |    When a certificate request is created, a certificate can be
+   |    generated by using the request and then referencing a
+   |    certificate authority signing certificate (the issuer specified
+   |    in the -c argument). The issuing certificate must be in the
+   |    certificate database in the specified directory.
+   | certutil -C -c issuer -i cert-request-file -o output-file [-m serial-num
+   | ber] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [
+   | -3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]
+   |    For example:
+   | $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010
+   |  -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherme
+   | nt -5 sslClient -6 clientAuth -7 jsmith@example.com
+   |    Generating Key Pairs
+   |    Key pairs are generated automatically with a certificate
+   |    request or certificate, but they can also be generated
+   |    independently using the -G command option.
+   | certutil -G -d [sql:]directory \| -h tokenname -k key-type -g key-size [-
+   | y exponent-value] -q pqgfile|curve-name
+   |    For example:
+   | $ certutil -G -h lunasa -k ec -g 256 -q sect193r2
+   |    Listing Certificates
+   |    The -L command option lists all of the certificates listed in
+   |    the certificate database. The path to the directory (-d) is
+   |    required.
+   | $ certutil -L -d sql:/home/my/sharednssdb
+   | Certificate Nickname                                         Trust Attri
+   | butes
+   |                                                              SSL,S/MIME,
+   | JAR/XPI
+   | CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
+   | TPS Administrator's Example Domain ID                        u,u,u
+   | Google Internet Authority                                    ,,
+   | Certificate Authority - Example Domain                       CT,C,C
+   |    Using additional arguments with -L can return and print the
+   |    information for a single, specific certificate. For example,
+   |    the -n argument passes the certificate name, while the -a
+   |    argument prints the certificate in ASCII format:
+   | $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority -
+   |  Example Domain"
+   | -----BEGIN CERTIFICATE-----
+   | MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
+   | cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
+   | MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
+   | b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
+   | hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
+   | Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
+   | RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
+   | udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
+   | bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
+   | 3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
+   | qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
+   | AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
+   | rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
+   | LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
+   | L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
+   | lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
+   | JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
+   | bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
+   | U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
+   | nI7q5n1USM3eWQlVXw==
+   | -----END CERTIFICATE-----
+   |    Listing Keys
+   |    Keys are the original material used to encrypt certificate
+   |    data. The keys generated for certificates are stored
+   |    separately, in the key database.
+   |    To list all keys in the database, use the -K command option and
+   |    the (required) -d argument to give the path to the directory.
+   | $ certutil -K -d sql:/home/my/sharednssdb
+   | certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
+   | Key and Certificate Services                  "
+   | < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail
+   |  Member's Thawte Consulting (Pty) Ltd. ID
+   | < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain
+   | Administrator Cert
+   | < 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user
+   |  cert
+   |    There are ways to narrow the keys listed in the search results:
+   |      \* To return a specific key, use the -n name argument with the
+   |        name of the key.
+   |      \* If there are multiple security devices loaded, then the -h
+   |        tokenname argument can search a specific token or all
+   |        tokens.
+   |      \* If there are multiple key types available, then the -k
+   |        key-type argument can search a specific type of key, like
+   |        RSA, DSA, or ECC.
+   |    Listing Security Modules
+   |    The devices that can be used to store certificates -- both
+   |    internal databases and external devices like smart cards -- are
+   |    recognized and used by loading security modules. The -U command
+   |    option lists all of the security modules listed in the
+   |    secmod.db database. The path to the directory (-d) is required.
+   | $ certutil -U -d sql:/home/my/sharednssdb
+   |     slot: NSS User Private Key and Certificate Services
+   |    token: NSS Certificate DB
+   |     slot: NSS Internal Cryptographic Services
+   |    token: NSS Generic Crypto Services
+   |    Adding Certificates to the Database
+   |    Existing certificates or certificate requests can be added
+   |    manually to the certificate database, even if they were
+   |    generated elsewhere. This uses the -A command option.
+   | certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-f
+   | ile]
+   |    For example:
+   | $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/shar
+   | ednssdb -i /home/example-certs/cert.cer
+   |    A related command option, -E, is used specifically to add email
+   |    certificates to the certificate database. The -E command has
+   |    the same arguments as the -A command. The trust arguments for
+   |    certificates have the format SSL,S/MIME,Code-signing, so the
+   |    middle trust settings relate most to email certificates (though
+   |    the others can be set). For example:
+   | $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sh
+   | arednssdb -i /home/example-certs/email.cer
+   |    Deleting Certificates to the Database
+   |    Certificates can be deleted from a database using the -D
+   |    option. The only required options are to give the security
+   |    database directory and to identify the certificate nickname.
+   | certutil -D -d [sql:]directory -n "nickname"
+   |    For example:
+   | $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"
+   |    Validating Certificates
+   |    A certificate contains an expiration date in itself, and
+   |    expired certificates are easily rejected. However, certificates
+   |    can also be revoked before they hit their expiration date.
+   |    Checking whether a certificate has been revoked requires
+   |    validating the certificate. Validation can also be used to
+   |    ensure that the certificate is only used for the purposes it
+   |    was initially issued for. Validation is carried out by the -V
+   |    command option.
+   | certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]
+   | directory
+   |    For example, to validate an email certificate:
+   | $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sha
+   | rednssdb
+   |    Modifying Certificate Trust Settings
+   |    The trust settings (which relate to the operations that a
+   |    certificate is allowed to be used for) can be changed after a
+   |    certificate is created or added to the database. This is
+   |    especially useful for CA certificates, but it can be performed
+   |    for any type of certificate.
+   | certutil -M -n certificate-name -t trust-args -d [sql:]directory
+   |    For example:
+   | $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu
+   | ,CTu,CTu"
+   |    Printing the Certificate Chain
+   |    Certificates can be issued in chains because every certificate
+   |    authority itself has a certificate; when a CA issues a
+   |    certificate, it essentially stamps that certificate with its
+   |    own fingerprint. The -O prints the full chain of a certificate,
+   |    going from the initial CA (the root CA) through ever
+   |    intermediary CA to the actual certificate. For example, for an
+   |    email certificate with two CAs in the chain:
+   | $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
+   | "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@
+   | thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Divi
+   | sion,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
+   |   "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte P
+   | ersonal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
+   |     "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]
+   |    Resetting a Token
+   |    The device which stores certificates -- both external hardware
+   |    devices and internal software databases -- can be blanked and
+   |    reused. This operation is performed on the device which stores
+   |    the data, not directly on the security databases, so the
+   |    location must be referenced through the token name (-h) as well
+   |    as any directory path. If there is no external token used, the
+   |    default value is internal.
+   | certutil -T -d [sql:]directory -h token-name -0 security-officer-passwor
+   | d
+   |    Many networks have dedicated personnel who handle changes to
+   |    security tokens (the security officer). This person must supply
+   |    the password to access the specified token. For example:
+   | $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret
+   |    Upgrading or Merging the Security Databases
+   |    Many networks or applications may be using older BerkeleyDB
+   |    versions of the certificate database (cert8.db). Databases can
+   |    be upgraded to the new SQLite version of the database
+   |    (cert9.db) using the --upgrade-merge command option or existing
+   |    databases can be merged with the new cert9.db databases using
+   |    the ---merge command.
+   |    The --upgrade-merge command must give information about the
+   |    original database and then use the standard arguments (like -d)
+   |    to give the information about the new databases. The command
+   |    also requires information that the tool uses for the process to
+   |    upgrade and write over the original database.
+   | certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir d
+   | irectory --source-prefix dbprefix --upgrade-id id --upgrade-token-name n
+   | ame [-@ password-file]
+   |    For example:
+   | $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt
+   | /my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token
+   | -name internal
+   |    The --merge command only requires information about the
+   |    location of the original database; since it doesn't change the
+   |    format of the database, it can write over information without
+   |    performing interim step.
+   | certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory
+   |  --source-prefix dbprefix [-@ password-file]
+   |    For example:
+   | $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/
+   | alias/ --source-prefix serverapp-
+   |    Running certutil Commands from a Batch File
+   |    A series of commands can be run sequentially from a text file
+   |    with the -B command option. The only argument for this
+   |    specifies the input file.
+   | $ certutil -B -i /path/to/batch-file
+   | NSS Database Types
+   |    NSS originally used BerkeleyDB databases to store security
+   |    information. The last versions of these legacy databases are:
+   |      \* cert8.db for certificates
+   |      \* key3.db for keys
+   |      \* secmod.db for PKCS #11 module information
+   |    BerkeleyDB has performance limitations, though, which prevent
+   |    it from being easily used by multiple applications
+   |    simultaneously. NSS has some flexibility that allows
+   |    applications to use their own, independent database engine
+   |    while keeping a shared database and working around the access
+   |    issues. Still, NSS requires more flexibility to provide a truly
+   |    shared security database.
+   |    In 2009, NSS introduced a new set of databases that are SQLite
+   |    databases rather than BerkleyDB. These new databases provide
+   |    more accessibility and performance:
+   |      \* cert9.db for certificates
+   |      \* key4.db for keys
+   |      \* pkcs11.txt, which is listing of all of the PKCS #11 modules
+   |        contained in a new subdirectory in the security databases
+   |        directory
+   |    Because the SQLite databases are designed to be shared, these
+   |    are the shared database type. The shared database type is
+   |    preferred; the legacy format is included for backward
+   |    compatibility.
+   |    By default, the tools (certutil, pk12util, modutil) assume that
+   |    the given security databases follow the more common legacy
+   |    type. Using the SQLite databases must be manually specified by
+   |    using the sql: prefix with the given security directory. For
+   |    example:
+   | $ certutil -L -d sql:/home/my/sharednssdb
+   |    To set the shared database type as the default type for the
+   |    tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:
+   | export NSS_DEFAULT_DB_TYPE="sql"
+   |    This line can be set added to the ~/.bashrc file to make the
+   |    change permanent.
+   |    Most applications do not use the shared database by default,
+   |    but they can be configured to use them. For example, this
+   |    how-to article covers how to configure Firefox and Thunderbird
+   |    to use the new shared NSS databases:
+   |      \* https://wiki.mozilla.org/NSS_Shared_DB_Howto
+   |    For an engineering draft on the changes in the shared NSS
+   |    databases, see the NSS project wiki:
+   |      \* https://wiki.mozilla.org/NSS_Shared_DB
+   | See Also
+   |    pk12util (1)
+   |    modutil (1)
+   |    certutil has arguments or operations that use features defined
+   |    in several IETF RFCs.
+   |      \* `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__
+   |      \* `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__
+   |      \* `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__
+   |    The NSS wiki has information on the new database design and how
+   |    to configure applications to use it.
+   |      \* https://wiki.mozilla.org/NSS_Shared_DB_Howto
+   |      \* https://wiki.mozilla.org/NSS_Shared_DB
+   | Additional Resources
+   |    For information about NSS and other tools related to NSS (like
+   |    JSS), check out the NSS project wiki at
+   |   
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site
+   |    relates directly to NSS code changes and releases.
+   |    Mailing lists:
+   |    https://lists.mozilla.org/listinfo/dev-tech-crypto
+   |    IRC: Freenode at #dogtag-pki
+   | Authors
+   |    The NSS tools were written and maintained by developers with
+   |    Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+   |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   |    <dlackey@redhat.com>.
+
+   | LICENSE
+   |        Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not
+     distributed with this file, You can
+   |        obtain one at https://mozilla.org/MPL/2.0/.
+
+   | NOTES
+   |         1. Mozilla NSS bug 836477
+   |            https://bugzilla.mozilla.org/show_bug.cgi?id=836477
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__cmsutil/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__cmsutil/index.rst
new file mode 100644
index 0000000000..cf7509ffe3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__cmsutil/index.rst
@@ -0,0 +1,192 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_cmsutil:
+
+NSS tools : cmsutil
+===================
+
+.. container::
+
+   Name
+
+   | cmsutil — Performs basic cryptograpic operations, such as encryption and
+   | decryption, on Cryptographic Message Syntax (CMS) messages.
+
+   Synopsis
+
+   cmsutil [options] `arguments <arguments>`__
+
+   Description
+
+   | The cmsutil command-line uses the S/MIME Toolkit to perform basic
+   | operations, such as encryption and decryption, on Cryptographic Message
+   | Syntax (CMS) messages.
+
+   | To run cmsutil, type the command cmsutil option [arguments] where option
+   | and arguments are combinations of the options and arguments listed in the
+   | following section. Each command takes one option. Each option may take
+   | zero or more arguments. To see a usage string, issue the command without
+   | options.
+
+   Options and Arguments
+
+   Options
+
+   | Options specify an action. Option arguments modify an action. The options
+   | and arguments for the cmsutil command are defined as follows:
+
+   -D
+
+   Decode a message.
+
+   -C
+
+   Encrypt a message.
+
+   -E
+
+   Envelope a message.
+
+   -O
+
+   Create a certificates-only message.
+
+   -S
+
+   Sign a message.
+
+   Arguments
+
+   Option arguments modify an action and are lowercase.
+
+   -c content
+
+   Use this detached content (decode only).
+
+   -d dbdir
+
+   Specify the key/certificate database directory (default is ".")
+
+   -e envfile
+
+   | Specify a file containing an enveloped message for a set of
+   | recipients to which you would like to send an encrypted message.
+   | If this is the first encrypted message for that set of recipients,
+   | a new enveloped message will be created that you can then use for
+   | future messages (encrypt only).
+
+   -G
+
+   Include a signing time attribute (sign only).
+
+   -h num
+
+   Generate email headers with info about CMS message (decode only).
+
+   -i infile
+
+   Use infile as a source of data (default is stdin).
+
+   -N nickname
+
+   Specify nickname of certificate to sign with (sign only).
+
+   -n
+
+   Suppress output of contents (decode only).
+
+   -o outfile
+
+   Use outfile as a destination of data (default is stdout).
+
+   -P
+
+   Include an S/MIME capabilities attribute.
+
+   -p password
+
+   Use password as key database password.
+
+   -r recipient1,recipient2, ...
+
+   | Specify list of recipients (email addresses) for an encrypted or
+   | enveloped message. For certificates-only message, list of
+   | certificates to send.
+
+   -T
+
+   Suppress content in CMS message (sign only).
+
+   -u certusage
+
+   Set type of cert usage (default is certUsageEmailSigner).
+
+   -Y ekprefnick
+
+   Specify an encryption key preference by nickname.
+
+   Usage
+
+   Encrypt Example
+
+   cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e
+   envfile
+
+   |
+   | Decode Example
+
+   cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
+
+   |
+   | Envelope Example
+
+   cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
+
+   |
+   | Certificate-only Example
+
+   cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
+
+   |
+   | Sign Message Example
+
+   cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
+
+   |
+   | See also
+
+   certutil(1)
+
+   See Also
+
+   Additional Resources
+
+   | NSS is maintained in conjunction with PKI and security-related projects
+   | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+   | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
+
+   | For information specifically about NSS, the NSS project wiki is located at
+   | [2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape and
+   | now with Red Hat.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   Copyright
+
+   (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+
+   References
+
+   | Visible links
+   | 1. http://pki.fedoraproject.org/wiki/
+   | 2.
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst
new file mode 100644
index 0000000000..9745be2a0a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst
@@ -0,0 +1,379 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_crlutil:
+
+NSS tools : crlutil
+===================
+
+.. container::
+
+   Name
+
+   | crlutil — List, generate, modify, or delete CRLs within the NSS security
+   | database file(s) and list, create, modify or delete certificates entries
+   | in a particular CRL.
+
+   Synopsis
+
+   crlutil [options] `[[arguments]] <arguments>`__
+
+   | STATUS
+   | This documentation is still work in progress. Please contribute to the initial review in
+     Mozilla NSS bug 836477[1]
+
+   Description
+
+   | The Certificate Revocation List (CRL) Management Tool, crlutil, is a
+   | command-line utility that can list, generate, modify, or delete CRLs
+   | within the NSS security database file(s) and list, create, modify or
+   | delete certificates entries in a particular CRL.
+
+   | The key and certificate management process generally begins with creating
+   | keys in the key database, then generating and managing certificates in the
+   | certificate database(see certutil tool) and continues with certificates
+   | expiration or revocation.
+
+   | This document discusses certificate revocation list management. For
+   | information on security module database management, see Using the Security
+   | Module Database Tool. For information on certificate and key database
+   | management, see Using the Certificate Database Tool.
+
+   To run the Certificate Revocation List Management Tool, type the command
+
+   crlutil option [arguments]
+
+   | where options and arguments are combinations of the options and arguments
+   | listed in the following section. Each command takes one option. Each
+   | option may take zero or more arguments. To see a usage string, issue the
+   | command without options, or with the -H option.
+
+   Options and Arguments
+
+   Options
+
+   | Options specify an action. Option arguments modify an action. The options
+   | and arguments for the crlutil command are defined as follows:
+
+   -G
+
+   Create new Certificate Revocation List(CRL).-
+
+   -D
+
+   Delete Certificate Revocation List from cert database.
+
+   -I
+
+   Import a CRL to the cert database
+
+   -E
+
+   Erase all CRLs of specified type from the cert database
+
+   -L
+
+   List existing CRL located in cert database file.
+
+   -M
+
+   | Modify existing CRL which can be located in cert db or in
+   | arbitrary file. If located in file it should be encoded in ASN.1
+   | encode format.
+
+   -G
+
+   Arguments
+
+   Option arguments modify an action and are lowercase.
+
+   -B
+
+   Bypass CA signature checks.
+
+   -P dbprefix
+
+   | Specify the prefix used on the NSS security database files (for
+   | example, my_cert8.db and my_key3.db). This option is provided as a
+   | special case. Changing the names of the certificate and key
+   | databases is not recommended.
+
+   -a
+
+   | Use ASCII format or allow the use of ASCII format for input and
+   | output. This formatting follows RFC #1113.
+
+   -c crl-gen-file
+
+   | Specify script file that will be used to control crl
+   | generation/modification. See crl-cript-file format below. If
+   | options -M|-G is used and -c crl-script-file is not specified,
+   | crlutil will read script data from standard input.
+
+   -d directory
+
+   | Specify the database directory containing the certificate and key
+   | database files. On Unix the Certificate Database Tool defaults to
+   | $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
+   | is the current directory.
+
+   The NSS database files must reside in the same directory.
+
+   -i crl-import-file
+
+   Specify the file which contains the CRL to import
+
+   -f password-file
+
+   | Specify a file that will automatically supply the password to
+   | include in a certificate or to access a certificate database. This
+   | is a plain-text file containing one password. Be sure to prevent
+   | unauthorized access to this file.
+
+   -l algorithm-name
+
+   | Specify a specific signature algorithm. List of possible
+   | algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512
+
+   -n nickname
+
+   | Specify the nickname of a certificate or key to list, create, add
+   | to a database, modify, or validate. Bracket the nickname string
+   | with quotation marks if it contains spaces.
+
+   -o output-file
+
+   | Specify the output file name for new CRL. Bracket the output-file
+   | string with quotation marks if it contains spaces. If this
+   | argument is not used the output destination defaults to standard
+   | output.
+
+   -t crl-type
+
+   | Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -
+   | SEC_CRL_TYPE. This option is obsolete
+
+   -u url
+
+   Specify the url.
+
+   CRL Generation script syntax
+
+   CRL generation script file has the following syntax:
+
+   \* Line with comments should have # as a first symbol of a line
+
+   \* Set "this update" or "next update" CRL fields:
+
+   update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
+
+   | Field "next update" is optional. Time should be in GeneralizedTime format
+   | (YYYYMMDDhhmmssZ). For example: 20050204153000Z
+
+   \* Add an extension to a CRL or a crl certificate entry:
+
+   addext extension-name critical/non-critical [arg1[arg2 ...]]
+
+   Where:
+
+   | extension-name: string value of a name of known extensions.
+   | critical/non-critical: is 1 when extension is critical and 0 otherwise.
+   | arg1, arg2: specific to extension type extension parameters
+
+   | addext uses the range that was set earlier by addcert and will install an
+   | extension to every cert entries within the range.
+
+   \* Add certificate entries(s) to CRL:
+
+   addcert range date
+
+   | range: two integer values separated by dash: range of certificates that
+   | will be added by this command. dash is used as a delimiter. Only one cert
+   | will be added if there is no delimiter. date: revocation date of a cert.
+   | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+
+   \* Remove certificate entry(s) from CRL
+
+   rmcert range
+
+   Where:
+
+   | range: two integer values separated by dash: range of certificates that
+   | will be added by this command. dash is used as a delimiter. Only one cert
+   | will be added if there is no delimiter.
+
+   \* Change range of certificate entry(s) in CRL
+
+   range new-range
+
+   Where:
+
+   | new-range: two integer values separated by dash: range of certificates
+   | that will be added by this command. dash is used as a delimiter. Only one
+   | cert will be added if there is no delimiter.
+
+   Implemented Extensions
+
+   | The extensions defined for CRL provide methods for associating additional
+   | attributes with CRLs of theirs entries. For more information see RFC #3280
+
+   \* Add The Authority Key Identifier extension:
+
+   | The authority key identifier extension provides a means of identifying the
+   | public key corresponding to the private key used to sign a CRL.
+
+   authKeyId critical [key-id \| dn cert-serial]
+
+   Where:
+
+   | authKeyIdent: identifies the name of an extension critical: value of 1 of
+   | 0. Should be set to 1 if this extension is critical or 0 otherwise.
+   | key-id: key identifier represented in octet string. dn:: is a CA
+   | distinguished name cert-serial: authority certificate serial number.
+
+   \* Add Issuer Alternative Name extension:
+
+   | The issuer alternative names extension allows additional identities to be
+   | associated with the issuer of the CRL. Defined options include an rfc822
+   | name (electronic mail address), a DNS name, an IP address, and a URI.
+
+   issuerAltNames non-critical name-list
+
+   Where:
+
+   | subjAltNames: identifies the name of an extension should be set to 0 since
+   | this is non-critical extension name-list: comma separated list of names
+
+   \* Add CRL Number extension:
+
+   | The CRL number is a non-critical CRL extension which conveys a
+   | monotonically increasing sequence number for a given CRL scope and CRL
+   | issuer. This extension allows users to easily determine when a particular
+   | CRL supersedes another CRL
+
+   crlNumber non-critical number
+
+   Where:
+
+   | crlNumber: identifies the name of an extension critical: should be set to
+   | 0 since this is non-critical extension number: value of long which
+   | identifies the sequential number of a CRL.
+
+   \* Add Revocation Reason Code extension:
+
+   | The reasonCode is a non-critical CRL entry extension that identifies the
+   | reason for the certificate revocation.
+
+   reasonCode non-critical code
+
+   Where:
+
+   | reasonCode: identifies the name of an extension non-critical: should be
+   | set to 0 since this is non-critical extension code: the following codes
+   | are available:
+
+   | unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged
+   | (3), superseded (4), cessationOfOperation (5), certificateHold (6),
+   | removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)
+
+   \* Add Invalidity Date extension:
+
+   | The invalidity date is a non-critical CRL entry extension that provides
+   | the date on which it is known or suspected that the private key was
+   | compromised or that the certificate otherwise became invalid.
+
+   invalidityDate non-critical date
+
+   Where:
+
+   | crlNumber: identifies the name of an extension non-critical: should be set
+   | to 0 since this is non-critical extension date: invalidity date of a cert.
+   | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+
+   Usage
+
+   | The Certificate Revocation List Management Tool's capabilities are grouped
+   | as follows, using these combinations of options and arguments. Options and
+   | arguments in square brackets are optional, those without square brackets
+   | are required.
+
+   | See "Implemented extensions" for more information regarding extensions and
+   | their parameters.
+
+   \* Creating or modifying a CRL:
+
+   crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg]
+   [-a] [-B]
+
+   |
+   | \* Listing all CRls or a named CRL:
+
+   crlutil -L [-n crl-name] [-d krydir]
+
+   |
+   | \* Deleting CRL from db:
+
+   crlutil -D -n nickname [-d keydir] [-P dbprefix]
+
+   |
+   | \* Erasing CRLs from db:
+
+   crlutil -E [-d keydir] [-P dbprefix]
+
+   |
+   | \* Deleting CRL from db:
+
+   crlutil -D -n nickname [-d keydir] [-P dbprefix]
+
+   |
+   | \* Erasing CRLs from db:
+
+   crlutil -E [-d keydir] [-P dbprefix]
+
+   |
+   | \* Import CRL from file:
+
+   crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
+
+   |
+   | See also
+
+   certutil(1)
+
+   See Also
+
+   Additional Resources
+
+   | NSS is maintained in conjunction with PKI and security-related projects
+   | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+   | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
+
+   | For information specifically about NSS, the NSS project wiki is located at
+   | [2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape, Red Hat,
+   | Sun, Oracle, Mozilla, and Google.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   License
+
+   Licensed under the Mozilla Public License, v. 2.0.
+
+   | If a copy of the MPL was not distributed with this file, You can
+   |  obtain one at https://mozilla.org/MPL/2.0/.
+
+   References
+
+   1. Mozilla NSS bug 836477 - https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+
+   | Visible links
+   | 1. http://pki.fedoraproject.org/wiki/
+   | 2.
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__modutil/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__modutil/index.rst
new file mode 100644
index 0000000000..3e88fe0ce5
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__modutil/index.rst
@@ -0,0 +1,901 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_modutil:
+
+NSS tools : modutil
+===================
+
+.. container::
+
+   Name
+
+   | modutil - Manage PKCS #11 module information within the security module
+   | database.
+
+   Synopsis
+
+   modutil [options] [[arguments]]
+
+   STATUS
+
+   This documentation is still work in progress. Please contribute to the initial review in Mozilla
+   NSS bug 836477[1]
+
+   Description
+
+   | The Security Module Database Tool, modutil, is a command-line utility
+   | for managing PKCS #11 module information both within secmod.db files and
+   | within hardware tokens. modutil can add and delete PKCS #11 modules,
+   | change passwords on security databases, set defaults, list module
+   | contents, enable or disable slots, enable or disable FIPS 140-2
+   | compliance, and assign default providers for cryptographic operations.
+   | This tool can also create certificate, key, and module security database
+   | files.
+
+   | The tasks associated with security module database management are part of
+   | a process that typically also involves managing key databases and
+   | certificate databases.
+
+   Options
+
+   | Running modutil always requires one (and only one) option to specify the
+   | type of module operation. Each option may take arguments, anywhere from
+   | none to multiple arguments.
+
+   Options
+
+   -add modulename
+
+   | Add the named PKCS #11 module to the database. Use this option
+   | with the -libfile, -ciphers, and -mechanisms arguments.
+
+   -changepw tokenname
+
+   | Change the password on the named token. If the token has not been
+   | initialized, this option initializes the password. Use this option
+   | with the -pwfile and -newpwfile arguments. A password is
+   | equivalent to a personal identification number (PIN).
+
+   -chkfips
+
+   | Verify whether the module is in the given FIPS mode. true means to
+   | verify that the module is in FIPS mode, while false means to
+   | verify that the module is not in FIPS mode.
+
+   -create
+
+   | Create new certificate, key, and module databases. Use the -dbdir
+   | directory argument to specify a directory. If any of these
+   | databases already exist in a specified directory, modutil returns
+   | an error message.
+
+   -default modulename
+
+   | Specify the security mechanisms for which the named module will be
+   | a default provider. The security mechanisms are specified with the
+   | -mechanisms argument.
+
+   -delete modulename
+
+   | Delete the named module. The default NSS PKCS #11 module cannot be
+   | deleted.
+
+   -disable modulename
+
+   | Disable all slots on the named module. Use the -slot argument to
+   | disable a specific slot.
+
+   The internal NSS PKCS #11 module cannot be disabled.
+
+   -enable modulename
+
+   | Enable all slots on the named module. Use the -slot argument to
+   | enable a specific slot.
+
+   -fips [true \| false]
+
+   | Enable (true) or disable (false) FIPS 140-2 compliance for the
+   | default NSS module.
+
+   -force
+
+   | Disable modutil's interactive prompts so it can be run from a
+   | script. Use this option only after manually testing each planned
+   | operation to check for warnings and to ensure that bypassing the
+   | prompts will cause no security lapses or loss of
+   | database integrity.
+
+   -jar JAR-file
+
+   | Add a new PKCS #11 module to the database using the named JAR
+   | file. Use this command with the -installdir and -tempdir
+   | arguments. The JAR file uses the NSS PKCS #11 JAR format to
+   | identify all the files to be installed, the module's name, the
+   | mechanism flags, and the cipher flags, as well as any files to be
+   | installed on the target machine, including the PKCS #11 module
+   | library file and other files such as documentation. This is
+   | covered in the JAR installation file section in the man page,
+   | which details the special script needed to perform an installation
+   | through a server or with modutil.
+
+   -list [modulename]
+
+   | Display basic information about the contents of the secmod.db
+   | file. Specifying a modulename displays detailed information about
+   | a particular module and its slots and tokens.
+
+   -rawadd
+
+   Add the module spec string to the secmod.db database.
+
+   -rawlist
+
+   | Display the module specs for a specified module or for all
+   | loadable modules.
+
+   -undefault modulename
+
+   | Specify the security mechanisms for which the named module will
+   | not be a default provider. The security mechanisms are specified
+   | with the -mechanisms argument.
+
+   Arguments
+
+   MODULE
+
+   Give the security module to access.
+
+   MODULESPEC
+
+   Give the security module spec to load into the security database.
+
+   -ciphers cipher-enable-list
+
+   | Enable specific ciphers in a module that is being added to the
+   | database. The cipher-enable-list is a colon-delimited list of
+   | cipher names. Enclose this list in quotation marks if it contains
+   | spaces.
+
+   -dbdir [sql:]directory
+
+   | Specify the database directory in which to access or create
+   | security module database files.
+
+   | modutil supports two types of databases: the legacy security
+   | databases (cert8.db, key3.db, and secmod.db) and new SQLite
+   | databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
+   | is not used, then the tool assumes that the given databases are in
+   | the old format.
+
+   --dbprefix prefix
+
+   | Specify the prefix used on the database files, such as my\_ for
+   | my_cert8.db. This option is provided as a special case. Changing
+   | the names of the certificate and key databases is not recommended.
+
+   -installdir root-installation-directory
+
+   | Specify the root installation directory relative to which files
+   | will be installed by the -jar option. This directory should be one
+   | below which it is appropriate to store dynamic library files, such
+   | as a server's root directory.
+
+   -libfile library-file
+
+   | Specify a path to a library file containing the implementation of
+   | the PKCS #11 interface module that is being added to the database.
+
+   -mechanisms mechanism-list
+
+   | Specify the security mechanisms for which a particular module will
+   | be flagged as a default provider. The mechanism-list is a
+   | colon-delimited list of mechanism names. Enclose this list in
+   | quotation marks if it contains spaces.
+
+   | The module becomes a default provider for the listed mechanisms
+   | when those mechanisms are enabled. If more than one module claims
+   | to be a particular mechanism's default provider, that mechanism's
+   | default provider is undefined.
+
+   | modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
+   | DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
+   | random number generation), and FRIENDLY (meaning certificates are
+   | publicly readable).
+
+   -newpwfile new-password-file
+
+   | Specify a text file containing a token's new or replacement
+   | password so that a password can be entered automatically with the
+   | -changepw option.
+
+   -nocertdb
+
+   | Do not open the certificate or key databases. This has several
+   | effects:
+
+   | o With the -create command, only a module security file is
+   | created; certificate and key databases are not created.
+
+   | o With the -jar command, signatures on the JAR file are not
+   | checked.
+
+   | o With the -changepw command, the password on the NSS internal
+   | module cannot be set or changed, since this password is
+   | stored in the key database.
+
+   -pwfile old-password-file
+
+   | Specify a text file containing a token's existing password so that
+   | a password can be entered automatically when the -changepw option
+   | is used to change passwords.
+
+   -secmod secmodname
+
+   | Give the name of the security module database (like secmod.db) to
+   | load.
+
+   -slot slotname
+
+   | Specify a particular slot to be enabled or disabled with the
+   | -enable or -disable options.
+
+   -string CONFIG_STRING
+
+   | Pass a configuration string for the module being added to the
+   | database.
+
+   -tempdir temporary-directory
+
+   | Give a directory location where temporary files are created during
+   | the installation by the -jar option. If no temporary directory is
+   | specified, the current directory is used.
+
+   Usage and Examples
+
+   Creating Database Files
+
+   | Before any operations can be performed, there must be a set of security
+   | databases available. modutil can be used to create these files. The only
+   | required argument is the database that where the databases will be
+   | located.
+
+   modutil -create -dbdir [sql:]directory
+
+   Adding a Cryptographic Module
+
+   | Adding a PKCS #11 module means submitting a supporting library file,
+   | enabling its ciphers, and setting default provider status for various
+   | security mechanisms. This can be done by supplying all of the information
+   | through modutil directly or by running a JAR file and install script. For
+   | the most basic case, simply upload the library:
+
+   modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms
+   mechanism-list]
+
+   For example:
+
+   modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so"
+   -mechanisms RSA:DSA:RC2:RANDOM
+
+   | Using database directory ...
+   | Module "Example PKCS #11 Module" added to database.
+
+   Installing a Cryptographic Module from a JAR File
+
+   | PKCS #11 modules can also be loaded using a JAR file, which contains all
+   | of the required libraries and an installation script that describes how to
+   | install the module. The JAR install script is described in more detail in
+   | [1]the section called “JAR Installation File Format”.
+
+   | The JAR installation script defines the setup information for each
+   | platform that the module can be installed on. For example:
+
+   | Platforms {
+   | Linux:5.4.08:x86 {
+   | ModuleName { "Example PKCS #11 Module" }
+   | ModuleFile { crypto.so }
+   | DefaultMechanismFlags{0x0000}
+   | CipherEnableFlags{0x0000}
+   | Files {
+   | crypto.so {
+   | Path{ /tmp/crypto.so }
+   | }
+   | setup.sh {
+   | Executable
+   | Path{ /tmp/setup.sh }
+   | }
+   | }
+   | }
+   | Linux:6.0.0:x86 {
+   | EquivalentPlatform { Linux:5.4.08:x86 }
+   | }
+   | }
+
+   | Both the install script and the required libraries must be bundled in a
+   | JAR file, which is specified with the -jar argument.
+
+   modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir
+   sql:/home/my/sharednssdb
+
+   | This installation JAR file was signed by:
+   | ----------------------------------------------
+
+   \**SUBJECT NAME*\*
+
+   | C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
+   | Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
+   | Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
+   | . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
+   | Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network \**ISSUER
+   | NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
+   | VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
+   | OU="VeriSign, Inc.", O=VeriSign Trust Network
+   | ----------------------------------------------
+
+   | Do you wish to continue this installation? (y/n) y
+   | Using installer script "installer_script"
+   | Successfully parsed installation script
+   | Current platform is Linux:5.4.08:x86
+   | Using installation parameters for platform Linux:5.4.08:x86
+   | Installed file crypto.so to /tmp/crypto.so
+   | Installed file setup.sh to ./pk11inst.dir/setup.sh
+   | Executing "./pk11inst.dir/setup.sh"...
+   | "./pk11inst.dir/setup.sh" executed successfully
+   | Installed module "Example PKCS #11 Module" into module database
+
+   Installation completed successfully
+
+   Adding Module Spec
+
+   | Each module has information stored in the security database about its
+   | configuration and parameters. These can be added or edited using the
+   | -rawadd command. For the current settings or to see the format of the
+   | module spec in the database, use the -rawlist option.
+
+   modutil -rawadd modulespec
+
+   Deleting a Module
+
+   A specific PKCS #11 module can be deleted from the secmod.db database:
+
+   modutil -delete modulename -dbdir [sql:]directory
+
+   Displaying Module Information
+
+   | The secmod.db database contains information about the PKCS #11 modules
+   | that are available to an application or server to use. The list of all
+   | modules, information about specific modules, and database configuration
+   | specs for modules can all be viewed.
+
+   To simply get a list of modules in the database, use the -list command.
+
+   modutil -list [modulename] -dbdir [sql:]directory
+
+   | Listing the modules shows the module name, their status, and other
+   | associated security databases for certificates and keys. For example:
+
+   modutil -list -dbdir sql:/home/my/sharednssdb
+
+   | Listing of PKCS #11 Modules
+   | -----------------------------------------------------------
+   | 1. NSS Internal PKCS #11 Module
+   | slots: 2 slots attached
+   | status: loaded
+
+   | slot: NSS Internal Cryptographic Services
+   | token: NSS Generic Crypto Services
+
+   | slot: NSS User Private Key and Certificate Services
+   | token: NSS Certificate DB
+   | -----------------------------------------------------------
+
+   | Passing a specific module name with the -list returns details information
+   | about the module itself, like supported cipher mechanisms, version
+   | numbers, serial numbers, and other information about the module and the
+   | token it is loaded on. For example:
+
+   modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
+
+   | -----------------------------------------------------------
+   | Name: NSS Internal PKCS #11 Module
+   | Library file: \**Internal ONLY module*\*
+   | Manufacturer: Mozilla Foundation
+   | Description: NSS Internal Crypto Services
+   | PKCS #11 Version 2.20
+   | Library Version: 3.11
+   | Cipher Enable Flags: None
+   | Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+
+   | Slot: NSS Internal Cryptographic Services
+   | Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+   | Manufacturer: Mozilla Foundation
+   | Type: Software
+   | Version Number: 3.11
+   | Firmware Version: 0.0
+   | Status: Enabled
+   | Token Name: NSS Generic Crypto Services
+   | Token Manufacturer: Mozilla Foundation
+   | Token Model: NSS 3
+   | Token Serial Number: 0000000000000000
+   | Token Version: 4.0
+   | Token Firmware Version: 0.0
+   | Access: Write Protected
+   | Login Type: Public (no login required)
+   | User Pin: NOT Initialized
+
+   | Slot: NSS User Private Key and Certificate Services
+   | Slot Mechanism Flags: None
+   | Manufacturer: Mozilla Foundation
+   | Type: Software
+   | Version Number: 3.11
+   | Firmware Version: 0.0
+   | Status: Enabled
+   | Token Name: NSS Certificate DB
+   | Token Manufacturer: Mozilla Foundation
+   | Token Model: NSS 3
+   | Token Serial Number: 0000000000000000
+   | Token Version: 8.3
+   | Token Firmware Version: 0.0
+   | Access: NOT Write Protected
+   | Login Type: Login required
+   | User Pin: Initialized
+
+   | A related command, -rawlist returns information about the database
+   | configuration for the modules. (This information can be edited by loading
+   | new specs using the -rawadd command.)
+
+   | modutil -rawlist -dbdir sql:/home/my/sharednssdb
+   | name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix=
+     secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100
+     slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any
+     timeout=30 ] } Flags=internal,critical"
+
+   Setting a Default Provider for Security Mechanisms
+
+   | Multiple security modules may provide support for the same security
+   | mechanisms. It is possible to set a specific security module as the
+   | default provider for a specific security mechanism (or, conversely, to
+   | prohibit a provider from supplying those mechanisms).
+
+   modutil -default modulename -mechanisms mechanism-list
+
+   | To set a module as the default provider for mechanisms, use the -default
+   | command with a colon-separated list of mechanisms. The available
+   | mechanisms depend on the module; NSS supplies almost all common
+   | mechanisms. For example:
+
+   modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
+
+   Using database directory c:\databases...
+
+   Successfully changed defaults.
+
+   Clearing the default provider has the same format:
+
+   modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
+
+   Enabling and Disabling Modules and Slots
+
+   | Modules, and specific slots on modules, can be selectively enabled or
+   | disabled using modutil. Both commands have the same format:
+
+   modutil -enable|-disable modulename [-slot slotname]
+
+   For example:
+
+   modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services "
+   -dbdir .
+
+   Slot "NSS Internal Cryptographic Services " enabled.
+
+   | Be sure that the appropriate amount of trailing whitespace is after the
+   | slot name. Some slot names have a significant amount of whitespace that
+   | must be included, or the operation will fail.
+
+   Enabling and Verifying FIPS Compliance
+
+   | The NSS modules can have FIPS 140-2 compliance enabled or disabled using
+   | modutil with the -fips option. For example:
+
+   modutil -fips true -dbdir sql:/home/my/sharednssdb/
+
+   FIPS mode enabled.
+
+   | To verify that status of FIPS mode, run the -chkfips command with either a
+   | true or false flag (it doesn't matter which). The tool returns the current
+   | FIPS setting.
+
+   modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
+
+   FIPS mode enabled.
+
+   Changing the Password on a Token
+
+   Initializing or changing a token's password:
+
+   modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]
+
+   modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB"
+
+   | Enter old password:
+   | Incorrect password, try again...
+   | Enter old password:
+   | Enter new password:
+   | Re-enter new password:
+   | Token "Communicator Certificate DB" password changed successfully.
+
+   JAR Installation File Format
+
+   | When a JAR file is run by a server, by modutil, or by any program that
+   | does not interpret JavaScript, a special information file must be included
+   | to install the libraries. There are several things to keep in mind with
+   | this file:
+
+   o It must be declared in the JAR archive's manifest file.
+
+   o The script can have any name.
+
+   | o The metainfo tag for this is Pkcs11_install_script. To declare
+   | meta-information in the manifest file, put it in a file that is passed
+   | to signtool.
+
+   Sample Script
+
+   | For example, the PKCS #11 installer script could be in the file
+   | pk11install. If so, the metainfo file for signtool includes a line such as
+   | this:
+
+   + Pkcs11_install_script: pk11install
+
+   | The script must define the platform and version number, the module name
+   | and file, and any optional information like supported ciphers and
+   | mechanisms. Multiple platforms can be defined in a single install file.
+
+   | ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
+   | Platforms {
+   | WINNT::x86 {
+   | ModuleName { "Example Module" }
+   | ModuleFile { win32/fort32.dll }
+   | DefaultMechanismFlags{0x0001}
+   | DefaultCipherFlags{0x0001}
+   | Files {
+   | win32/setup.exe {
+   | Executable
+   | RelativePath { %temp%/setup.exe }
+   | }
+   | win32/setup.hlp {
+   | RelativePath { %temp%/setup.hlp }
+   | }
+   | win32/setup.cab {
+   | RelativePath { %temp%/setup.cab }
+   | }
+   | }
+   | }
+   | WIN95::x86 {
+   | EquivalentPlatform {WINNT::x86}
+   | }
+   | SUNOS:5.5.1:sparc {
+   | ModuleName { "Example UNIX Module" }
+   | ModuleFile { unix/fort.so }
+   | DefaultMechanismFlags{0x0001}
+   | CipherEnableFlags{0x0001}
+   | Files {
+   | unix/fort.so {
+   | RelativePath{%root%/lib/fort.so}
+   | AbsolutePath{/usr/local/netscape/lib/fort.so}
+   | FilePermissions{555}
+   | }
+   | xplat/instr.html {
+   | RelativePath{%root%/docs/inst.html}
+   | AbsolutePath{/usr/local/netscape/docs/inst.html}
+   | FilePermissions{555}
+   | }
+   | }
+   | }
+   | IRIX:6.2:mips {
+   | EquivalentPlatform { SUNOS:5.5.1:sparc }
+   | }
+   | }
+
+   Script Grammar
+
+   | The script is basic Java, allowing lists, key-value pairs, strings, and
+   | combinations of all of them.
+
+   --> valuelist
+
+   | valuelist --> value valuelist
+   | <null>
+
+   | value ---> key_value_pair
+   | string
+
+   key_value_pair --> key { valuelist }
+
+   key --> string
+
+   | string --> simple_string
+   | "complex_string"
+
+   simple_string --> [^ \\t\n\""{""}"]+
+
+   complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+
+
+   | Quotes and backslashes must be escaped with a backslash. A complex string
+   | must not include newlines or carriage returns.Outside of complex strings,
+   | all white space (for example, spaces, tabs, and carriage returns) is
+   | considered equal and is used only to delimit tokens.
+
+   Keys
+
+   | The Java install file uses keys to define the platform and module
+   | information.
+
+   | ForwardCompatible gives a list of platforms that are forward compatible.
+   | If the current platform cannot be found in the list of supported
+   | platforms, then the ForwardCompatible list is checked for any platforms
+   | that have the same OS and architecture in an earlier version. If one is
+   | found, its attributes are used for the current platform.
+
+   | Platforms (required) Gives a list of platforms. Each entry in the list is
+   | itself a key-value pair: the key is the name of the platform and the value
+   | list contains various attributes of the platform. The platform string is
+   | in the format system name:OS release:architecture. The installer obtains
+   | these values from NSPR. OS release is an empty string on non-Unix
+   | operating systems. NSPR supports these platforms:
+
+   o AIX (rs6000)
+
+   o BSDI (x86)
+
+   o FREEBSD (x86)
+
+   o HPUX (hppa1.1)
+
+   o IRIX (mips)
+
+   o LINUX (ppc, alpha, x86)
+
+   o MacOS (PowerPC)
+
+   o NCR (x86)
+
+   o NEC (mips)
+
+   o OS2 (x86)
+
+   o OSF (alpha)
+
+   o ReliantUNIX (mips)
+
+   o SCO (x86)
+
+   o SOLARIS (sparc)
+
+   o SONY (mips)
+
+   o SUNOS (sparc)
+
+   o UnixWare (x86)
+
+   o WIN16 (x86)
+
+   o WIN95 (x86)
+
+   o WINNT (x86)
+
+   For example:
+
+   | IRIX:6.2:mips
+   | SUNOS:5.5.1:sparc
+   | Linux:2.0.32:x86
+   | WIN95::x86
+
+   | The module information is defined independently for each platform in the
+   | ModuleName, ModuleFile, and Files attributes. These attributes must be
+   | given unless an EquivalentPlatform attribute is specified.
+
+   Per-Platform Keys
+
+   | Per-platform keys have meaning only within the value list of an entry in
+   | the Platforms list.
+
+   | ModuleName (required) gives the common name for the module. This name is
+   | used to reference the module by servers and by the modutil tool.
+
+   | ModuleFile (required) names the PKCS #11 module file for this platform.
+   | The name is given as the relative path of the file within the JAR archive.
+
+   | Files (required) lists the files that need to be installed for this
+   | module. Each entry in the file list is a key-value pair. The key is the
+   | path of the file in the JAR archive, and the value list contains
+   | attributes of the file. At least RelativePath or AbsolutePath must be
+   | specified for each file.
+
+   | DefaultMechanismFlags specifies mechanisms for which this module is the
+   | default provider; this is equivalent to the -mechanism option with the
+   | -add command. This key-value pair is a bitstring specified in hexadecimal
+   | (0x) format. It is constructed as a bitwise OR. If the
+   | DefaultMechanismFlags entry is omitted, the value defaults to 0x0.
+
+   | RSA: 0x00000001
+   | DSA: 0x00000002
+   | RC2: 0x00000004
+   | RC4: 0x00000008
+   | DES: 0x00000010
+   | DH: 0x00000020
+   | FORTEZZA: 0x00000040
+   | RC5: 0x00000080
+   | SHA1: 0x00000100
+   | MD5: 0x00000200
+   | MD2: 0x00000400
+   | RANDOM: 0x08000000
+   | FRIENDLY: 0x10000000
+   | OWN_PW_DEFAULTS: 0x20000000
+   | DISABLE: 0x40000000
+
+   | CipherEnableFlags specifies ciphers that this module provides that NSS
+   | does not provide (so that the module enables those ciphers for NSS). This
+   | is equivalent to the -cipher argument with the -add command. This key is a
+   | bitstring specified in hexadecimal (0x) format. It is constructed as a
+   | bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults
+   | to 0x0.
+
+   | EquivalentPlatform specifies that the attributes of the named platform
+   | should also be used for the current platform. This makes it easier when
+   | more than one platform uses the same settings.
+
+   Per-File Keys
+
+   | Some keys have meaning only within the value list of an entry in a Files
+   | list.
+
+   | Each file requires a path key the identifies where the file is. Either
+   | RelativePath or AbsolutePath must be specified. If both are specified, the
+   | relative path is tried first, and the absolute path is used only if no
+   | relative root directory is provided by the installer program.
+
+   | RelativePath specifies the destination directory of the file, relative to
+   | some directory decided at install time. Two variables can be used in the
+   | relative path: %root% and %temp%. %root% is replaced at run time with the
+   | directory relative to which files should be installed; for example, it may
+   | be the server's root directory. The %temp% directory is created at the
+   | beginning of the installation and destroyed at the end. The purpose of
+   | %temp% is to hold executable files (such as setup programs) or files that
+   | are used by these programs. Files destined for the temporary directory are
+   | guaranteed to be in place before any executable file is run; they are not
+   | deleted until all executable files have finished.
+
+   | AbsolutePath specifies the destination directory of the file as an
+   | absolute path.
+
+   | Executable specifies that the file is to be executed during the course of
+   | the installation. Typically, this string is used for a setup program
+   | provided by a module vendor, such as a self-extracting setup executable.
+   | More than one file can be specified as executable, in which case the files
+   | are run in the order in which they are specified in the script file.
+
+   | FilePermissions sets permissions on any referenced files in a string of
+   | octal digits, according to the standard Unix format. This string is a
+   | bitwise OR.
+
+   | user read: 0400
+   | user write: 0200
+   | user execute: 0100
+   | group read: 0040
+   | group write: 0020
+   | group execute: 0010
+   | other read: 0004
+   | other write: 0002
+   | other execute: 0001
+
+   | Some platforms may not understand these permissions. They are applied only
+   | insofar as they make sense for the current platform. If this attribute is
+   | omitted, a default of 777 is assumed.
+
+   NSS Database Types
+
+   | NSS originally used BerkeleyDB databases to store security information.
+   | The last versions of these legacy databases are:
+
+   o cert8.db for certificates
+
+   o key3.db for keys
+
+   o secmod.db for PKCS #11 module information
+
+   | BerkeleyDB has performance limitations, though, which prevent it from
+   | being easily used by multiple applications simultaneously. NSS has some
+   | flexibility that allows applications to use their own, independent
+   | database engine while keeping a shared database and working around the
+   | access issues. Still, NSS requires more flexibility to provide a truly
+   | shared security database.
+
+   | In 2009, NSS introduced a new set of databases that are SQLite databases
+   | rather than BerkleyDB. These new databases provide more accessibility and
+   | performance:
+
+   o cert9.db for certificates
+
+   o key4.db for keys
+
+   | o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
+   | in a new subdirectory in the security databases directory
+
+   | Because the SQLite databases are designed to be shared, these are the
+   | shared database type. The shared database type is preferred; the legacy
+   | format is included for backward compatibility.
+
+   | By default, the tools (certutil, pk12util, modutil) assume that the given
+   | security databases follow the more common legacy type. Using the SQLite
+   | databases must be manually specified by using the sql: prefix with the
+   | given security directory. For example:
+
+   modutil -create -dbdir sql:/home/my/sharednssdb
+
+   | To set the shared database type as the default type for the tools, set the
+   | NSS_DEFAULT_DB_TYPE environment variable to sql:
+
+   export NSS_DEFAULT_DB_TYPE="sql"
+
+   | This line can be added to the ~/.bashrc file to make the change
+   | permanent.
+
+   | Most applications do not use the shared database by default, but they can
+   | be configured to use them. For example, this how-to article covers how to
+   | configure Firefox and Thunderbird to use the new shared NSS databases:
+
+   o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+
+   | For an engineering draft on the changes in the shared NSS databases, see
+   | the NSS project wiki:
+
+   o https://wiki.mozilla.org/NSS_Shared_DB
+
+   See Also
+
+   certutil (1)
+
+   pk12util (1)
+
+   signtool (1)
+
+   | The NSS wiki has information on the new database design and how to
+   | configure applications to use it.
+
+   o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+
+   o https://wiki.mozilla.org/NSS_Shared_DB
+
+   Additional Resources
+
+   | For information about NSS and other tools related to NSS (like JSS), check
+   | out the NSS project wiki at
+   | [2]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape, Red
+   | Hat, Sun, Oracle, Mozilla, and Google.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   License
+
+   | Licensed under the Mozilla Public License, v. 2.0.
+   | If a copy of the MPL was not distributed with this file,
+   | You can obtain one at https://mozilla.org/MPL/2.0/.
+
+   References
+
+   | 1. Mozilla NSS bug 836477
+   | https://bugzilla.mozilla.org/show_bug.cgi?id=836477
+
+   | Visible links
+   | 1. JAR Installation File Format
+   | file:///tmp/xmlto.eUWOJ0/modutil.pro...r-install-file
+   | 2. http://www.mozilla.org/projects/security/pki/nss/
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__pk12util/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__pk12util/index.rst
new file mode 100644
index 0000000000..4c13285f30
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__pk12util/index.rst
@@ -0,0 +1,442 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_pk12util:
+
+NSS tools : pk12util
+====================
+
+.. container::
+
+   NSS tools : pk12util
+
+   Name
+
+   | pk12util — Export and import keys and certificate to or from a PKCS #12
+   | file and the NSS database
+
+   Synopsis
+
+   pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix]
+   [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
+
+   Description
+
+   | The PKCS #12 utility, pk12util, enables sharing certificates among any
+   | server that supports PKCS#12. The tool can import certificates and keys
+   | from PKCS#12 files into security databases, export certificates, and list
+   | certificates and keys.
+
+   Options and Arguments
+
+   Options
+
+   -i p12file
+
+   | Import keys and certificates from a PKCS#12 file into a security
+   | database.
+
+   -l p12file
+
+   List the keys and certificates in PKCS#12 file.
+
+   -o p12file
+
+   | Export keys and certificates from the security database to a
+   | PKCS#12 file.
+
+   Arguments
+
+   -c keyCipher
+
+   Specify the key encryption algorithm.
+
+   -C certCipher
+
+   Specify the key cert (overall package) encryption algorithm.
+
+   |
+   | -d [sql:]directory
+
+   | Specify the database directory into which to import to or export
+   | from certificates and keys.
+
+   | pk12util supports two types of databases: the legacy security
+   | databases (cert8.db, key3.db, and secmod.db) and new SQLite
+   | databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
+   | is not used, then the tool assumes that the given databases are in
+   | the old format.
+
+   -h tokenname
+
+   Specify the name of the token to import into or export from.
+
+   -k slotPasswordFile
+
+   Specify the text file containing the slot's password.
+
+   -K slotPassword
+
+   Specify the slot's password.
+
+   -m \| --key-len keyLength
+
+   | Specify the desired length of the symmetric key to be used to
+   | encrypt the private key.
+
+   -n \| --cert-key-len certKeyLength
+
+   | Specify the desired length of the symmetric key to be used to
+   | encrypt the certificates and other meta-data.
+
+   -n certname
+
+   Specify the nickname of the cert and private key to export.
+
+   -P prefix
+
+   | Specify the prefix used on the certificate and key databases. This
+   | option is provided as a special case. Changing the names of the
+   | certificate and key databases is not recommended.
+
+   -r
+
+   | Dumps all of the data in raw (binary) form. This must be saved as
+   | a DER file. The default is to return information in a pretty-print
+   | ASCII format, which displays the information about the
+   | certificates and public keys in the p12 file.
+
+   -v
+
+   Enable debug logging when importing.
+
+   -w p12filePasswordFile
+
+   Specify the text file containing the pkcs #12 file password.
+
+   -W p12filePassword
+
+   Specify the pkcs #12 file password.
+
+   Return Codes
+
+   o 0 - No error
+
+   o 1 - User Cancelled
+
+   o 2 - Usage error
+
+   o 6 - NLS init error
+
+   o 8 - Certificate DB open error
+
+   o 9 - Key DB open error
+
+   o 10 - File initialization error
+
+   o 11 - Unicode conversion error
+
+   o 12 - Temporary file creation error
+
+   o 13 - PKCS11 get slot error
+
+   o 14 - PKCS12 decoder start error
+
+   o 15 - error read from import file
+
+   o 16 - pkcs12 decode error
+
+   o 17 - pkcs12 decoder verify error
+
+   o 18 - pkcs12 decoder validate bags error
+
+   o 19 - pkcs12 decoder import bags error
+
+   o 20 - key db conversion version 3 to version 2 error
+
+   o 21 - cert db conversion version 7 to version 5 error
+
+   o 22 - cert and key dbs patch error
+
+   o 23 - get default cert db error
+
+   o 24 - find cert by nickname error
+
+   o 25 - create export context error
+
+   o 26 - PKCS12 add password itegrity error
+
+   o 27 - cert and key Safes creation error
+
+   o 28 - PKCS12 add cert and key error
+
+   o 29 - PKCS12 encode error
+
+   Examples
+
+   Importing Keys and Certificates
+
+   | The most basic usage of pk12util for importing a certificate or key is the
+   | PKCS#12 input file (-i) and some way to specify the security database
+   | being accessed (either -d for a directory or -h for a token).
+
+   pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k
+   slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
+
+   For example:
+
+   # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+
+   | Enter a password which will be used to encrypt your keys.
+   | The password should be at least 8 characters long,
+   | and should contain at least one non-alphabetic character.
+
+   | Enter new password:
+   | Re-enter password:
+   | Enter password for PKCS12 file:
+   | pk12util: PKCS12 IMPORT SUCCESSFUL
+
+   Exporting Keys and Certificates
+
+   | Using the pk12util command to export certificates and keys requires both
+   | the name of the certificate to extract from the database (-n) and the
+   | PKCS#12-formatted output file to write to. There are optional parameters
+   | that can be used to encrypt the file to protect the certificate material.
+
+   pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen]
+   [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K
+   slotPassword] [-w p12filePasswordFile|-W p12filePassword]
+
+   For example:
+
+   | # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
+   | Enter password for PKCS12 file:
+   | Re-enter password:
+
+   Listing Keys and Certificates
+
+   | The information in a .p12 file are not human-readable. The certificates
+   | and keys in the file can be printed (listed) in a human-readable
+   | pretty-print format that shows information for every certificate and any
+   | public keys in the .p12 file.
+
+   pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k
+   slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
+
+   For example, this prints the default ASCII output:
+
+   # pk12util -l certs.p12
+
+   | Enter password for PKCS12 file:
+   | Key(shrouded):
+   | Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+   | Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+   | Parameters:
+   | Salt:
+   | 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+   | Iteration Count: 1 (0x1)
+   | Certificate:
+   | Data:
+   | Version: 3 (0x2)
+   | Serial Number: 13 (0xd)
+   | Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+   | Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
+   | A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
+   | own,ST=Western Cape,C=ZA"
+
+   | Alternatively, the -r prints the certificates and then exports them into
+   | separate DER binary files. This allows the certificates to be fed to
+   | another application that supports .p12 files. Each certificate is written
+   | to a sequentially-number file, beginning with file0001.der and continuing
+   | through file000N.der, incrementing the number for every certificate:
+
+   | # pk12util -l test.p12 -r
+   | Enter password for PKCS12 file:
+   | Key(shrouded):
+   | Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+   | Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+   | Parameters:
+   | Salt:
+   | 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+   | Iteration Count: 1 (0x1)
+   | Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
+
+   Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+   Password Encryption
+
+   | PKCS#12 provides for not only the protection of the private keys but also
+   | the certificate and meta-data associated with the keys. Password-based
+   | encryption is used to protect private keys on export to a PKCS#12 file
+   | and, optionally, the entire package. If no algorithm is specified, the
+   | tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for
+   | private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the
+   | default for the overall package encryption when not in FIPS mode. When in
+   | FIPS mode, there is no package encryption.
+
+   The private key is always protected with strong encryption by default.
+
+   Several types of ciphers are supported.
+
+   Symmetric CBC ciphers for PKCS#5 V2
+
+   o DES-CBC
+
+   o RC2-CBC
+
+   o RC5-CBCPad
+
+   o DES-EDE3-CBC (the default for key encryption)
+
+   o AES-128-CBC
+
+   o AES-192-CBC
+
+   o AES-256-CBC
+
+   o CAMELLIA-128-CBC
+
+   o CAMELLIA-192-CBC
+
+   o CAMELLIA-256-CBC
+
+   PKCS#12 PBE ciphers
+
+   o PKCS #12 PBE with Sha1 and 128 Bit RC4
+
+   o PKCS #12 PBE with Sha1 and 40 Bit RC4
+
+   o PKCS #12 PBE with Sha1 and Triple DES CBC
+
+   o PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
+
+   o PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
+
+   o PKCS12 V2 PBE with SHA1 and 128 Bit RC4
+
+   | o PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for
+   | non-FIPS mode)
+
+   o PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc
+
+   o PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc
+
+   o PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
+
+   o PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
+
+   PKCS#5 PBE ciphers
+
+   o PKCS #5 Password Based Encryption with MD2 and DES CBC
+
+   o PKCS #5 Password Based Encryption with MD5 and DES CBC
+
+   o PKCS #5 Password Based Encryption with SHA1 and DES CBC
+
+   | With PKCS#12, the crypto provider may be the soft token module or an
+   | external hardware module. If the cryptographic module does not support the
+   | requested algorithm, then the next best fit will be selected (usually the
+   | default). If no suitable replacement for the desired algorithm can be
+   | found, the tool returns the error no security module can perform the
+   | requested operation.
+
+   NSS Database Types
+
+   | NSS originally used BerkeleyDB databases to store security information.
+   | The last versions of these legacy databases are:
+
+   o cert8.db for certificates
+
+   o key3.db for keys
+
+   o secmod.db for PKCS #11 module information
+
+   | BerkeleyDB has performance limitations, though, which prevent it from
+   | being easily used by multiple applications simultaneously. NSS has some
+   | flexibility that allows applications to use their own, independent
+   | database engine while keeping a shared database and working around the
+   | access issues. Still, NSS requires more flexibility to provide a truly
+   | shared security database.
+
+   | In 2009, NSS introduced a new set of databases that are SQLite databases
+   | rather than BerkleyDB. These new databases provide more accessibility and
+   | performance:
+
+   o cert9.db for certificates
+
+   o key4.db for keys
+
+   | o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
+   | in a new subdirectory in the security databases directory
+
+   | Because the SQLite databases are designed to be shared, these are the
+   | shared database type. The shared database type is preferred; the legacy
+   | format is included for backward compatibility.
+
+   | By default, the tools (certutil, pk12util, modutil) assume that the given
+   | security databases follow the more common legacy type. Using the SQLite
+   | databases must be manually specified by using the sql: prefix with the
+   | given security directory. For example:
+
+   # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+
+   | To set the shared database type as the default type for the tools, set the
+   | NSS_DEFAULT_DB_TYPE environment variable to sql:
+
+   export NSS_DEFAULT_DB_TYPE="sql"
+
+   | This line can be set added to the ~/.bashrc file to make the change
+   | permanent.
+
+   | Most applications do not use the shared database by default, but they can
+   | be configured to use them. For example, this how-to article covers how to
+   | configure Firefox and Thunderbird to use the new shared NSS databases:
+
+   o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+
+   | For an engineering draft on the changes in the shared NSS databases, see
+   | the NSS project wiki:
+
+   o https://wiki.mozilla.org/NSS_Shared_DB
+
+   See Also
+
+   certutil (1)
+
+   modutil (1)
+
+   | The NSS wiki has information on the new database design and how to
+   | configure applications to use it.
+
+   o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+
+   o https://wiki.mozilla.org/NSS_Shared_DB
+
+   Additional Resources
+
+   | For information about NSS and other tools related to NSS (like JSS), check
+   | out the NSS project wiki at
+   | [1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape, Red
+   | Hat, Sun, Oracle, Mozilla, and Google.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   License
+
+   | Licensed under the Mozilla Public License, v. 2.0.
+   | If a copy of the MPL was not distributed with this file,
+   | You can obtain one at https://mozilla.org/MPL/2.0/.
+
+   References
+
+   | 1. Mozilla NSS bug 836477
+   | https://bugzilla.mozilla.org/show_bug.cgi?id=836477
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltab/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltab/index.rst
new file mode 100644
index 0000000000..3ef0db4039
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltab/index.rst
@@ -0,0 +1,573 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_ssltab:
+
+NSS tools : ssltab
+==================
+
+.. container::
+
+   Name
+
+   ssltap — Tap into SSL connections and display the data going by
+
+   Synopsis
+
+   libssltap [-vhfsxl] [-p port] [hostname:port]
+
+   Description
+
+   | The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It
+   | watches TCP connections and displays the data going by. If a connection is
+   | SSL, the data display includes interpreted SSL records and handshaking
+
+   Options
+
+   -v
+
+   Print a version string for the tool.
+
+   -h
+
+   | Turn on hex/ASCII printing. Instead of outputting raw data, the
+   | command interprets each record as a numbered line of hex values,
+   | followed by the same data as ASCII characters. The two parts are
+   | separated by a vertical bar. Nonprinting characters are replaced
+   | by dots.
+
+   -f
+
+   | Turn on fancy printing. Output is printed in colored HTML. Data
+   | sent from the client to the server is in blue; the server's reply
+   | is in red. When used with looping mode, the different connections
+   | are separated with horizontal lines. You can use this option to
+   | upload the output into a browser.
+
+   -s
+
+   | Turn on SSL parsing and decoding. The tool does not automatically
+   | detect SSL sessions. If you are intercepting an SSL connection,
+   | use this option so that the tool can detect and decode SSL
+   | structures.
+
+   | If the tool detects a certificate chain, it saves the DER-encoded
+   | certificates into files in the current directory. The files are
+   | named cert.0x, where x is the sequence number of the certificate.
+
+   | If the -s option is used with -h, two separate parts are printed
+   | for each record: the plain hex/ASCII output, and the parsed SSL
+   | output.
+
+   -x
+
+   | Turn on hex/ASCII printing of undecoded data inside parsed SSL
+   | records. Used only with the -s option. This option uses the same
+   | output format as the -h option.
+
+   -l prefix
+
+   | Turn on looping; that is, continue to accept connections rather
+   | than stopping after the first connection is complete.
+
+   -p port
+
+   Change the default rendezvous port (1924) to another port.
+
+   The following are well-known port numbers:
+
+   \* HTTP 80
+
+   \* HTTPS 443
+
+   \* SMTP 25
+
+   \* FTP 21
+
+   \* IMAP 143
+
+   \* IMAPS 993 (IMAP over SSL)
+
+   \* NNTP 119
+
+   \* NNTPS 563 (NNTP over SSL)
+
+   Usage and Examples
+
+   | You can use the SSL Debugging Tool to intercept any connection
+   | information. Although you can run the tool at its most basic by issuing
+   | the ssltap command with no options other than hostname:port, the
+   | information you get in this way is not very useful. For example, assume
+   | your development machine is called intercept. The simplest way to use the
+   | debugging tool is to execute the following command from a command shell:
+
+   $ ssltap www.netscape.com
+
+   | The program waits for an incoming connection on the default port 1924. In
+   | your browser window, enter the URL http://intercept:1924. The browser
+   | retrieves the requested page from the server at www.netscape.com, but the
+   | page is intercepted and passed on to the browser by the debugging tool on
+   | intercept. On its way to the browser, the data is printed to the command
+   | shell from which you issued the command. Data sent from the client to the
+   | server is surrounded by the following symbols: --> [ data ] Data sent from
+   | the server to the client is surrounded by the following symbols: "left
+   | arrow"-- [ data ] The raw data stream is sent to standard output and is
+   | not interpreted in any way. This can result in peculiar effects, such as
+   | sounds, flashes, and even crashes of the command shell window. To output a
+   | basic, printable interpretation of the data, use the -h option, or, if you
+   | are looking at an SSL connection, the -s option. You will notice that the
+   | page you retrieved looks incomplete in the browser. This is because, by
+   | default, the tool closes down after the first connection is complete, so
+   | the browser is not able to load images. To make the tool continue to
+   | accept connections, switch on looping mode with the -l option. The
+   | following examples show the output from commonly used combinations of
+   | options.
+
+   Example 1
+
+   $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | -->; [
+   | alloclen = 66 bytes
+   | [ssl2] ClientHelloV2 {
+   | version = {0x03, 0x00}
+   | cipher-specs-length = 39 (0x27)
+   | sid-length = 0 (0x00)
+   | challenge-length = 16 (0x10)
+   | cipher-suites = {
+
+   | (0x010080) SSL2/RSA/RC4-128/MD5
+   | (0x020080) SSL2/RSA/RC4-40/MD5
+   | (0x030080) SSL2/RSA/RC2CBC128/MD5
+   | (0x040080) SSL2/RSA/RC2CBC40/MD5
+   | (0x060040) SSL2/RSA/DES64CBC/MD5
+   | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+   | (0x000004) SSL3/RSA/RC4-128/MD5
+   | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+   | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+   | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+   | (0x000009) SSL3/RSA/DES64CBC/SHA
+   | (0x000003) SSL3/RSA/RC4-40/MD5
+   | (0x000006) SSL3/RSA/RC2CBC40/MD5
+   | }
+   | session-id = { }
+   | challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+
+   | 0x2592 }
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 16 03 00 03 e5 \|.....
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 997 (0x3e5)
+   | handshake {
+   | 0: 02 00 00 46 \|...F
+   | type = 2 (server_hello)
+   | length = 70 (0x000046)
+   | ServerHello {
+   | server_version = {3, 0}
+   | random = {...}
+   | 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 \|
+   | wn&l.ì..XOG.-.E
+   | 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f \|
+
+   | \\.uC§L.Ç.d<PAHO.
+   | session ID = {
+   | length = 32
+
+   | contents = {..}
+   | 0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 \| ...¨*1.)..@7W.§2
+   | 10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 \| VoRbþ=³e±...R£È.
+   | }
+   | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+   | }
+   | 0: 0b 00 02 c5 \|...Å
+   | type = 11 (certificate)
+   | length = 709 (0x0002c5)
+   | CertificateChain {
+   | chainlength = 706 (0x02c2)
+   | Certificate {
+   | size = 703 (0x02bf)
+   | data = { saved in file 'cert.001' }
+   | }
+   | }
+   | 0: 0c 00 00 ca \|....
+   | type = 12 (server_key_exchange)
+   | length = 202 (0x0000ca)
+   | 0: 0e 00 00 00 \|....
+   | type = 14 (server_hello_done)
+   | length = 0 (0x000000)
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | 0: 16 03 00 00 44 \|....D
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 68 (0x44)
+   | handshake {
+   | 0: 10 00 00 40 \|...@
+   | type = 16 (client_key_exchange)
+   | length = 64 (0x000040)
+   | ClientKeyExchange {
+   | message = {...}
+   | }
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | 0: 14 03 00 00 01 \|.....
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | 0: 01 \|.
+   | }
+   | SSLRecord {
+   | 0: 16 03 00 00 38 \|....8
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | < encrypted >
+
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 14 03 00 00 01 \|.....
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | 0: 01 \|.
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 16 03 00 00 38 \|....8
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | < encrypted >
+
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | 0: 17 03 00 01 1f \|.....
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 287 (0x11f)
+   | < encrypted >
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 17 03 00 00 a0 \|....
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 160 (0xa0)
+   | < encrypted >
+
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 17 03 00 00 df \|....ß
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 223 (0xdf)
+   | < encrypted >
+
+   | }
+   | SSLRecord {
+   | 0: 15 03 00 00 12 \|.....
+   | type = 21 (alert)
+   | version = { 3,0 }
+   | length = 18 (0x12)
+   | < encrypted >
+   | }
+   | ]
+   | Server socket closed.
+
+   Example 2
+
+   | The -s option turns on SSL parsing. Because the -x option is not used in
+   | this example, undecoded values are output as raw data. The output is
+   | routed to a text file.
+
+   $ ssltap -s -p 444 interzone.mcom.com:443 > s.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | --> [
+   | alloclen = 63 bytes
+   | [ssl2] ClientHelloV2 {
+   | version = {0x03, 0x00}
+   | cipher-specs-length = 36 (0x24)
+   | sid-length = 0 (0x00)
+   | challenge-length = 16 (0x10)
+   | cipher-suites = {
+   | (0x010080) SSL2/RSA/RC4-128/MD5
+   | (0x020080) SSL2/RSA/RC4-40/MD5
+   | (0x030080) SSL2/RSA/RC2CBC128/MD5
+   | (0x060040) SSL2/RSA/DES64CBC/MD5
+   | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+   | (0x000004) SSL3/RSA/RC4-128/MD5
+   | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+   | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+   | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+   | (0x000009) SSL3/RSA/DES64CBC/SHA
+   | (0x000003) SSL3/RSA/RC4-40/MD5
+   | }
+   | session-id = { }
+   | challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+   | 0x3fd0 }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 997 (0x3e5)
+   | handshake {
+   | type = 2 (server_hello)
+   | length = 70 (0x000046)
+   | ServerHello {
+   | server_version = {3, 0}
+   | random = {...}
+   | session ID = {
+   | length = 32
+   | contents = {..}
+   | }
+   | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+   | }
+   | type = 11 (certificate)
+   | length = 709 (0x0002c5)
+   | CertificateChain {
+   | chainlength = 706 (0x02c2)
+   | Certificate {
+   | size = 703 (0x02bf)
+   | data = { saved in file 'cert.001' }
+   | }
+   | }
+   | type = 12 (server_key_exchange)
+   | length = 202 (0x0000ca)
+   | type = 14 (server_hello_done)
+   | length = 0 (0x000000)
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 68 (0x44)
+   | handshake {
+   | type = 16 (client_key_exchange)
+   | length = 64 (0x000040)
+   | ClientKeyExchange {
+   | message = {...}
+   | }
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | }
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | > encrypted >
+   | }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | > encrypted >
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 287 (0x11f)
+   | > encrypted >
+   | }
+   | ]
+   | [
+   | SSLRecord {
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 160 (0xa0)
+   | > encrypted >
+   | }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 223 (0xdf)
+   | > encrypted >
+   | }
+   | SSLRecord {
+   | type = 21 (alert)
+   | version = { 3,0 }
+   | length = 18 (0x12)
+   | > encrypted >
+   | }
+   | ]
+   | Server socket closed.
+
+   Example 3
+
+   | In this example, the -h option turns hex/ASCII format. There is no SSL
+   | parsing or decoding. The output is routed to a text file.
+
+   $ ssltap -h -p 444 interzone.mcom.com:443 > h.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | --> [
+   | 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 \| .@....'.........
+   | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
+   | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 \| ........á.......
+   | 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 \| ..þ[V.I.\xd9 ...º¹R
+   | 40: 6f 2d \|o-
+   | ]
+   | <-- [
+   | 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d \| ........F.......
+   | 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b \| h.:y`..<..³.Òi;
+   | 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 \| x.K.¦R.KFè. ...
+   | 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 \| MR.ý..QH.....¶vw
+   | 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b \| \*ô..¡.a¢d......
+   | 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 \| ..Å......0...0..
+   | 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 \| $ .......60...*.
+   | 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 \| H.÷......0w1.0..
+   | 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 \| .U....US1,0*..U.
+   | 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d \| ..#Netscape Comm
+   | a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f \| unications Corpo
+   | b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 \| ration1.0...U...
+   | c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 \| .Hardcore1'0%..U
+   | d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 \| ....Hardcore Cer
+   | e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 \| tificate Server
+   | f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 \| II0...9805160103
+   | <additional data lines>
+   | ]
+   | <additional records in same format>
+   | Server socket closed.
+
+   Example 4
+
+   | In this example, the -s option turns on SSL parsing, and the -h option
+   | turns on hex/ASCII format. Both formats are shown for each record. The
+   | output is routed to a text file.
+
+   $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | --> [
+   | 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 \| .=....$.........
+   | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
+   | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 \| ........á.......
+   | 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 \|U..yÇ\xb0 ,.x.]µÏé
+   | alloclen = 63 bytes
+   | [ssl2] ClientHelloV2 {
+   | version = {0x03, 0x00}
+   | cipher-specs-length = 36 (0x24)
+   | sid-length = 0 (0x00)
+   | challenge-length = 16 (0x10)
+   | cipher-suites = {
+   | (0x010080) SSL2/RSA/RC4-128/MD5
+   | (0x020080) SSL2/RSA/RC4-40/MD5
+   | (0x030080) SSL2/RSA/RC2CBC128/MD5
+   | (0x040080) SSL2/RSA/RC2CBC40/MD5
+   | (0x060040) SSL2/RSA/DES64CBC/MD5
+   | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+   | (0x000004) SSL3/RSA/RC4-128/MD5
+   | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+   | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+   | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+   | (0x000009) SSL3/RSA/DES64CBC/SHA
+   | (0x000003) SSL3/RSA/RC4-40/MD5
+   | }
+   | session-id = { }
+   | challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+
+   | 0xcfe9 }
+   | }
+   | ]
+   | <additional records in same formats>
+   | Server socket closed.
+
+   Usage Tips
+
+   | When SSL restarts a previous session, it makes use of cached information
+   | to do a partial handshake. If you wish to capture a full SSL handshake,
+   | restart the browser to clear the session id cache.
+
+   | If you run the tool on a machine other than the SSL server to which you
+   | are trying to connect, the browser will complain that the host name you
+   | are trying to connect to is different from the certificate. If you are
+   | using the default BadCert callback, you can still connect through a
+   | dialog. If you are not using the default BadCert callback, the one you
+   | supply must allow for this possibility.
+
+   See Also
+
+   | The NSS Security Tools are also documented at
+   | [1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+
+   Additional Resources
+
+   | NSS is maintained in conjunction with PKI and security-related projects
+   | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+   | with a project wiki at [2]\ http://pki.fedoraproject.org/wiki/.
+
+   | For information specifically about NSS, the NSS project wiki is located at
+   | [3]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape and
+   | now with Red Hat and Sun.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   Copyright
+
+   (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+
+   References
+
+   | Visible links
+   | 1.
+     `http://www.mozilla.org/projects/secu.../pki/nss/tools <https://www.mozilla.org/projects/security/pki/nss/tools>`__
+   | 2. http://pki.fedoraproject.org/wiki/
+   | 3.
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltap/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltap/index.rst
new file mode 100644
index 0000000000..64543cf7a3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltap/index.rst
@@ -0,0 +1,573 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_ssltap:
+
+NSS tools : ssltap
+==================
+
+.. container::
+
+   Name
+
+   ssltap — Tap into SSL connections and display the data going by
+
+   Synopsis
+
+   libssltap [-vhfsxl] [-p port] [hostname:port]
+
+   Description
+
+   | The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It
+   | watches TCP connections and displays the data going by. If a connection is
+   | SSL, the data display includes interpreted SSL records and handshaking
+
+   Options
+
+   -v
+
+   Print a version string for the tool.
+
+   -h
+
+   | Turn on hex/ASCII printing. Instead of outputting raw data, the
+   | command interprets each record as a numbered line of hex values,
+   | followed by the same data as ASCII characters. The two parts are
+   | separated by a vertical bar. Nonprinting characters are replaced
+   | by dots.
+
+   -f
+
+   | Turn on fancy printing. Output is printed in colored HTML. Data
+   | sent from the client to the server is in blue; the server's reply
+   | is in red. When used with looping mode, the different connections
+   | are separated with horizontal lines. You can use this option to
+   | upload the output into a browser.
+
+   -s
+
+   | Turn on SSL parsing and decoding. The tool does not automatically
+   | detect SSL sessions. If you are intercepting an SSL connection,
+   | use this option so that the tool can detect and decode SSL
+   | structures.
+
+   | If the tool detects a certificate chain, it saves the DER-encoded
+   | certificates into files in the current directory. The files are
+   | named cert.0x, where x is the sequence number of the certificate.
+
+   | If the -s option is used with -h, two separate parts are printed
+   | for each record: the plain hex/ASCII output, and the parsed SSL
+   | output.
+
+   -x
+
+   | Turn on hex/ASCII printing of undecoded data inside parsed SSL
+   | records. Used only with the -s option. This option uses the same
+   | output format as the -h option.
+
+   -l prefix
+
+   | Turn on looping; that is, continue to accept connections rather
+   | than stopping after the first connection is complete.
+
+   -p port
+
+   Change the default rendezvous port (1924) to another port.
+
+   The following are well-known port numbers:
+
+   \* HTTP 80
+
+   \* HTTPS 443
+
+   \* SMTP 25
+
+   \* FTP 21
+
+   \* IMAP 143
+
+   \* IMAPS 993 (IMAP over SSL)
+
+   \* NNTP 119
+
+   \* NNTPS 563 (NNTP over SSL)
+
+   Usage and Examples
+
+   | You can use the SSL Debugging Tool to intercept any connection
+   | information. Although you can run the tool at its most basic by issuing
+   | the ssltap command with no options other than hostname:port, the
+   | information you get in this way is not very useful. For example, assume
+   | your development machine is called intercept. The simplest way to use the
+   | debugging tool is to execute the following command from a command shell:
+
+   $ ssltap www.netscape.com
+
+   | The program waits for an incoming connection on the default port 1924. In
+   | your browser window, enter the URL http://intercept:1924. The browser
+   | retrieves the requested page from the server at www.netscape.com, but the
+   | page is intercepted and passed on to the browser by the debugging tool on
+   | intercept. On its way to the browser, the data is printed to the command
+   | shell from which you issued the command. Data sent from the client to the
+   | server is surrounded by the following symbols: --> [ data ] Data sent from
+   | the server to the client is surrounded by the following symbols: "left
+   | arrow"-- [ data ] The raw data stream is sent to standard output and is
+   | not interpreted in any way. This can result in peculiar effects, such as
+   | sounds, flashes, and even crashes of the command shell window. To output a
+   | basic, printable interpretation of the data, use the -h option, or, if you
+   | are looking at an SSL connection, the -s option. You will notice that the
+   | page you retrieved looks incomplete in the browser. This is because, by
+   | default, the tool closes down after the first connection is complete, so
+   | the browser is not able to load images. To make the tool continue to
+   | accept connections, switch on looping mode with the -l option. The
+   | following examples show the output from commonly used combinations of
+   | options.
+
+   Example 1
+
+   $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | -->; [
+   | alloclen = 66 bytes
+   | [ssl2] ClientHelloV2 {
+   | version = {0x03, 0x00}
+   | cipher-specs-length = 39 (0x27)
+   | sid-length = 0 (0x00)
+   | challenge-length = 16 (0x10)
+   | cipher-suites = {
+
+   | (0x010080) SSL2/RSA/RC4-128/MD5
+   | (0x020080) SSL2/RSA/RC4-40/MD5
+   | (0x030080) SSL2/RSA/RC2CBC128/MD5
+   | (0x040080) SSL2/RSA/RC2CBC40/MD5
+   | (0x060040) SSL2/RSA/DES64CBC/MD5
+   | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+   | (0x000004) SSL3/RSA/RC4-128/MD5
+   | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+   | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+   | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+   | (0x000009) SSL3/RSA/DES64CBC/SHA
+   | (0x000003) SSL3/RSA/RC4-40/MD5
+   | (0x000006) SSL3/RSA/RC2CBC40/MD5
+   | }
+   | session-id = { }
+   | challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+
+   | 0x2592 }
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 16 03 00 03 e5 \|.....
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 997 (0x3e5)
+   | handshake {
+   | 0: 02 00 00 46 \|...F
+   | type = 2 (server_hello)
+   | length = 70 (0x000046)
+   | ServerHello {
+   | server_version = {3, 0}
+   | random = {...}
+   | 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 \|
+   | wn&l.ì..XOG.-.E
+   | 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f \|
+
+   | \\.uC§L.Ç.d<PAHO.
+   | session ID = {
+   | length = 32
+
+   | contents = {..}
+   | 0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 \| ...¨*1.)..@7W.§2
+   | 10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 \| VoRbþ=³e±...R£È.
+   | }
+   | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+   | }
+   | 0: 0b 00 02 c5 \|...Å
+   | type = 11 (certificate)
+   | length = 709 (0x0002c5)
+   | CertificateChain {
+   | chainlength = 706 (0x02c2)
+   | Certificate {
+   | size = 703 (0x02bf)
+   | data = { saved in file 'cert.001' }
+   | }
+   | }
+   | 0: 0c 00 00 ca \|....
+   | type = 12 (server_key_exchange)
+   | length = 202 (0x0000ca)
+   | 0: 0e 00 00 00 \|....
+   | type = 14 (server_hello_done)
+   | length = 0 (0x000000)
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | 0: 16 03 00 00 44 \|....D
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 68 (0x44)
+   | handshake {
+   | 0: 10 00 00 40 \|...@
+   | type = 16 (client_key_exchange)
+   | length = 64 (0x000040)
+   | ClientKeyExchange {
+   | message = {...}
+   | }
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | 0: 14 03 00 00 01 \|.....
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | 0: 01 \|.
+   | }
+   | SSLRecord {
+   | 0: 16 03 00 00 38 \|....8
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | < encrypted >
+
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 14 03 00 00 01 \|.....
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | 0: 01 \|.
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 16 03 00 00 38 \|....8
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | < encrypted >
+
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | 0: 17 03 00 01 1f \|.....
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 287 (0x11f)
+   | < encrypted >
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 17 03 00 00 a0 \|....
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 160 (0xa0)
+   | < encrypted >
+
+   | }
+   | ]
+   | <-- [
+   | SSLRecord {
+   | 0: 17 03 00 00 df \|....ß
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 223 (0xdf)
+   | < encrypted >
+
+   | }
+   | SSLRecord {
+   | 0: 15 03 00 00 12 \|.....
+   | type = 21 (alert)
+   | version = { 3,0 }
+   | length = 18 (0x12)
+   | < encrypted >
+   | }
+   | ]
+   | Server socket closed.
+
+   Example 2
+
+   | The -s option turns on SSL parsing. Because the -x option is not used in
+   | this example, undecoded values are output as raw data. The output is
+   | routed to a text file.
+
+   $ ssltap -s -p 444 interzone.mcom.com:443 > s.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | --> [
+   | alloclen = 63 bytes
+   | [ssl2] ClientHelloV2 {
+   | version = {0x03, 0x00}
+   | cipher-specs-length = 36 (0x24)
+   | sid-length = 0 (0x00)
+   | challenge-length = 16 (0x10)
+   | cipher-suites = {
+   | (0x010080) SSL2/RSA/RC4-128/MD5
+   | (0x020080) SSL2/RSA/RC4-40/MD5
+   | (0x030080) SSL2/RSA/RC2CBC128/MD5
+   | (0x060040) SSL2/RSA/DES64CBC/MD5
+   | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+   | (0x000004) SSL3/RSA/RC4-128/MD5
+   | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+   | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+   | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+   | (0x000009) SSL3/RSA/DES64CBC/SHA
+   | (0x000003) SSL3/RSA/RC4-40/MD5
+   | }
+   | session-id = { }
+   | challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+   | 0x3fd0 }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 997 (0x3e5)
+   | handshake {
+   | type = 2 (server_hello)
+   | length = 70 (0x000046)
+   | ServerHello {
+   | server_version = {3, 0}
+   | random = {...}
+   | session ID = {
+   | length = 32
+   | contents = {..}
+   | }
+   | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+   | }
+   | type = 11 (certificate)
+   | length = 709 (0x0002c5)
+   | CertificateChain {
+   | chainlength = 706 (0x02c2)
+   | Certificate {
+   | size = 703 (0x02bf)
+   | data = { saved in file 'cert.001' }
+   | }
+   | }
+   | type = 12 (server_key_exchange)
+   | length = 202 (0x0000ca)
+   | type = 14 (server_hello_done)
+   | length = 0 (0x000000)
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 68 (0x44)
+   | handshake {
+   | type = 16 (client_key_exchange)
+   | length = 64 (0x000040)
+   | ClientKeyExchange {
+   | message = {...}
+   | }
+   | }
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | }
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | > encrypted >
+   | }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 20 (change_cipher_spec)
+   | version = { 3,0 }
+   | length = 1 (0x1)
+   | }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 22 (handshake)
+   | version = { 3,0 }
+   | length = 56 (0x38)
+   | > encrypted >
+   | }
+   | ]
+   | --> [
+   | SSLRecord {
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 287 (0x11f)
+   | > encrypted >
+   | }
+   | ]
+   | [
+   | SSLRecord {
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 160 (0xa0)
+   | > encrypted >
+   | }
+   | ]
+   | >-- [
+   | SSLRecord {
+   | type = 23 (application_data)
+   | version = { 3,0 }
+   | length = 223 (0xdf)
+   | > encrypted >
+   | }
+   | SSLRecord {
+   | type = 21 (alert)
+   | version = { 3,0 }
+   | length = 18 (0x12)
+   | > encrypted >
+   | }
+   | ]
+   | Server socket closed.
+
+   Example 3
+
+   | In this example, the -h option turns hex/ASCII format. There is no SSL
+   | parsing or decoding. The output is routed to a text file.
+
+   $ ssltap -h -p 444 interzone.mcom.com:443 > h.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | --> [
+   | 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 \| .@....'.........
+   | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
+   | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 \| ........á.......
+   | 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 \| ..þ[V.I.\xd9 ...º¹R
+   | 40: 6f 2d \|o-
+   | ]
+   | <-- [
+   | 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d \| ........F.......
+   | 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b \| h.:y`..<..³.Òi;
+   | 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 \| x.K.¦R.KFè. ...
+   | 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 \| MR.ý..QH.....¶vw
+   | 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b \| \*ô..¡.a¢d......
+   | 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 \| ..Å......0...0..
+   | 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 \| $ .......60...*.
+   | 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 \| H.÷......0w1.0..
+   | 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 \| .U....US1,0*..U.
+   | 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d \| ..#Netscape Comm
+   | a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f \| unications Corpo
+   | b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 \| ration1.0...U...
+   | c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 \| .Hardcore1'0%..U
+   | d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 \| ....Hardcore Cer
+   | e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 \| tificate Server
+   | f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 \| II0...9805160103
+   | <additional data lines>
+   | ]
+   | <additional records in same format>
+   | Server socket closed.
+
+   Example 4
+
+   | In this example, the -s option turns on SSL parsing, and the -h option
+   | turns on hex/ASCII format. Both formats are shown for each record. The
+   | output is routed to a text file.
+
+   $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt
+
+   Output
+
+   | Connected to interzone.mcom.com:443
+   | --> [
+   | 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 \| .=....$.........
+   | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
+   | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 \| ........á.......
+   | 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 \|U..yÇ\xb0 ,.x.]µÏé
+   | alloclen = 63 bytes
+   | [ssl2] ClientHelloV2 {
+   | version = {0x03, 0x00}
+   | cipher-specs-length = 36 (0x24)
+   | sid-length = 0 (0x00)
+   | challenge-length = 16 (0x10)
+   | cipher-suites = {
+   | (0x010080) SSL2/RSA/RC4-128/MD5
+   | (0x020080) SSL2/RSA/RC4-40/MD5
+   | (0x030080) SSL2/RSA/RC2CBC128/MD5
+   | (0x040080) SSL2/RSA/RC2CBC40/MD5
+   | (0x060040) SSL2/RSA/DES64CBC/MD5
+   | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+   | (0x000004) SSL3/RSA/RC4-128/MD5
+   | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+   | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+   | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+   | (0x000009) SSL3/RSA/DES64CBC/SHA
+   | (0x000003) SSL3/RSA/RC4-40/MD5
+   | }
+   | session-id = { }
+   | challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+
+   | 0xcfe9 }
+   | }
+   | ]
+   | <additional records in same formats>
+   | Server socket closed.
+
+   Usage Tips
+
+   | When SSL restarts a previous session, it makes use of cached information
+   | to do a partial handshake. If you wish to capture a full SSL handshake,
+   | restart the browser to clear the session id cache.
+
+   | If you run the tool on a machine other than the SSL server to which you
+   | are trying to connect, the browser will complain that the host name you
+   | are trying to connect to is different from the certificate. If you are
+   | using the default BadCert callback, you can still connect through a
+   | dialog. If you are not using the default BadCert callback, the one you
+   | supply must allow for this possibility.
+
+   See Also
+
+   | The NSS Security Tools are also documented at
+   | [1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+
+   Additional Resources
+
+   | NSS is maintained in conjunction with PKI and security-related projects
+   | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+   | with a project wiki at [2]\ http://pki.fedoraproject.org/wiki/.
+
+   | For information specifically about NSS, the NSS project wiki is located at
+   | [3]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape and
+   | now with Red Hat and Sun.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   Copyright
+
+   (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+
+   References
+
+   | Visible links
+   | 1.
+     `http://www.mozilla.org/projects/secu.../pki/nss/tools <https://www.mozilla.org/projects/security/pki/nss/tools>`__
+   | 2. http://pki.fedoraproject.org/wiki/
+   | 3.
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__vfychain/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__vfychain/index.rst
new file mode 100644
index 0000000000..e6d92ccd47
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__vfychain/index.rst
@@ -0,0 +1,132 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_vfychain:
+
+NSS tools : vfychain
+====================
+
+.. container::
+
+   Name
+
+   | vfychain — vfychain [options] [revocation options] certfile [[options]
+   | certfile] ...
+
+   Synopsis
+
+   vfychain
+
+   Description
+
+   | The verification Tool, vfychain, verifies certificate chains. modutil can
+   | add and delete PKCS #11 modules, change passwords on security databases,
+   | set defaults, list module contents, enable or disable slots, enable or
+   | disable FIPS 140-2 compliance, and assign default providers for
+   | cryptographic operations. This tool can also create certificate, key, and
+   | module security database files.
+
+   | The tasks associated with security module database management are part of
+   | a process that typically also involves managing key databases and
+   | certificate databases.
+
+   Options
+
+   | -a
+   | the following certfile is base64 encoded
+
+   | -b YYMMDDHHMMZ
+   | Validate date (default: now)
+
+   | -d directory
+   | database directory
+
+   | -f
+   | Enable cert fetching from AIA URL
+
+   | -o oid
+   | Set policy OID for cert validation(Format OID.1.2.3)
+
+   -p
+
+   Use PKIX Library to validate certificate by calling:
+
+   \* CERT_VerifyCertificate if specified once,
+
+   \* CERT_PKIXVerifyCert if specified twice and more.
+
+   | -r
+   | Following certfile is raw binary DER (default)
+
+   | -t
+   | Following cert is explicitly trusted (overrides db trust)
+
+   -u usage
+
+   | 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email
+   | signer, 5=Email recipient, 6=Object signer,
+   | 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
+
+   | -v
+   | Verbose mode. Prints root cert subject(double the argument for
+   | whole root cert info)
+
+   | -w password
+   | Database password
+
+   | -W pwfile
+   | Password file
+
+   | Revocation options for PKIX API (invoked with -pp options) is a
+   | collection of the following flags: [-g type [-h flags] [-m type
+   | [-s flags]] ...] ...
+
+   Where:
+
+   | -g test-type
+   | Sets status checking test type. Possible values are "leaf" or
+   | "chain"
+
+   | -g test type
+   | Sets status checking test type. Possible values are "leaf" or
+   | "chain".
+
+   | -h test flags
+   | Sets revocation flags for the test type it follows. Possible
+   | flags: "testLocalInfoFirst" and "requireFreshInfo".
+
+   | -m method type
+   | Sets method type for the test type it follows. Possible types are
+   | "crl" and "ocsp".
+
+   | -s method flags
+   | Sets revocation flags for the method it follows. Possible types
+   | are "doNotUse", "forbidFetching", "ignoreDefaultSrc",
+   | "requireInfo" and "failIfNoInfo".
+
+   Additional Resources
+
+   | For information about NSS and other tools related to NSS (like JSS), check
+   | out the NSS project wiki at
+   | [1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape, Red
+   | Hat, and Sun.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   Copyright
+
+   (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+
+   References
+
+   | Visible links
+   | 1.
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/nss_tools__colon__vfyserv/index.rst b/security/nss/doc/rst/legacy/reference/nss_tools__colon__vfyserv/index.rst
new file mode 100644
index 0000000000..f2c2e9c651
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/nss_tools__colon__vfyserv/index.rst
@@ -0,0 +1,50 @@
+.. _mozilla_projects_nss_reference_nss_tools_:_vfyserv:
+
+NSS tools : vfyserv
+===================
+
+.. container::
+
+   Name
+
+   vfyserv — TBD
+
+   Synopsis
+
+   vfyserv
+
+   Description
+
+   The vfyserv tool verifies a certificate chain
+
+   Options
+
+   Additional Resources
+
+   | For information about NSS and other tools related to NSS (like JSS), check
+   | out the NSS project wiki at
+   | [1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
+     The NSS site relates
+   | directly to NSS code changes and releases.
+
+   Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+
+   IRC: Freenode at #dogtag-pki
+
+   Authors
+
+   | The NSS tools were written and maintained by developers with Netscape, Red
+   | Hat, and Sun.
+
+   | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+   | <dlackey@redhat.com>.
+
+   Copyright
+
+   (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+
+   References
+
+   | Visible links
+   | 1.
+     `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/reference/troubleshoot/index.rst b/security/nss/doc/rst/legacy/reference/troubleshoot/index.rst
new file mode 100644
index 0000000000..d2b11c30ca
--- /dev/null
+++ b/security/nss/doc/rst/legacy/reference/troubleshoot/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_reference_troubleshoot:
+
+troubleshoot
+============
+
+.. _troubleshooting_nss_and_jss_builds:
+
+`Troubleshooting NSS and JSS Builds <#troubleshooting_nss_and_jss_builds>`__
+----------------------------------------------------------------------------
+
+.. container::
+
+   Newsgroup: `mozilla.dev.tech.crypto <nntp://news.mozilla.org/mozilla.dev.tech.crypto>`__
+
+   This page summarizes information on troubleshooting the NSS and JSS build and test systems,
+   including known problems and configuration suggestions.
+
+   If you have suggestions for this page, please post them to
+   `mozilla.dev.tech.crypto <nntp://news.mozilla.org/mozilla.dev.tech.crypto>`__.
+
+.. _building_nss:
+
+`Building NSS <#building_nss>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  Having /usr/ucb/bin in the path before /usr/ccs/bin breaks the build on 64-bit Solaris.
+
+   -  The Solaris compiler needs to be workshop-5.0 or greater.
+
+   -  The 64-bit builds don't support gcc.
+
+   -  If the build fails early on the gmakein coreconf try updating your cvs tree with -P:
+      cd mozilla
+      cvs update -P
+
+   -  Building a 32-bit version on a 64-bit may fail with:
+
+      .. code::
+
+         /usr/include/features.h:324:26: fatal error: bits/predefs.h: No such file or directory
+
+      In this case remember to set USE_64=1
+
+.. _testing_nss:
+
+`Testing NSS <#testing_nss>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   The SSL stress test opens 2,048 TCP connections in quick succession. Kernel data structures may
+   remain allocated for these connections for up to two minutes. Some systems may not be configured
+   to allow this many simultaneous connections by default; if the stress tests fail, try increasing
+   the number of simultaneous sockets supported.
+
+.. _building_jss:
+
+`Building JSS <#building_jss>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   -  **Windows Only:** The shell invoked by gmake, ``shmsdos.exe``, is likely to crash when
+      invoking some Java tools on Windows. The current workaround is to use some other shell in
+      place of ``shmsdos``, such as ``sh.exe``, which should be distributed with the `Cygnus
+      toolkit <http://sourceware.cygnus.com/cygwin/download.html>`__ you installed to build NSS. The
+      change is unfortunately rather drastic: to trick gmake, you rename the shell program.
+
+         cd c:/Programs/cygnus/bin *(or wherever your GNU tools are installed)*
+         cp shmsdos.exe shmsdos.bak *(backup shmsdos)*
+         cp sh.exe shmsdos.exe *(substitute alternative shell)*
+
+      Making this change will probably break other builds you are  making on the same machine. You
+      may need to switch the shell back and forthdepending on which product you are building. We
+      will try to provide a moreconvenient solution in the future. If you have the MKS toolkit
+      installed,  the <tt>sh.exe</tt> that comes with this toolkit can be used as well.
\ No newline at end of file