P11-KIT(8) System Commands P11-KIT(8)NAME
p11-kit - Tool for operating on configured PKCS#11 modules
SYNOPSIS
p11-kit list-modules
p11-kit extract --filter=<what> --format=<type> /path/to/destination
DESCRIPTION
p11-kit is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.
See the various sub commands below. The following global options can be used:
-v, --verbose
Run in verbose mode with debug output.
-q, --quiet
Run in quiet mode without warning or failure messages.
LIST MODULES
List system configured PKCS#11 modules.
$ p11-kit list-modules
The modules, information about them and the tokens present in the PKCS#11 modules will be displayed.
EXTRACT
Extract certificates from configured PKCS#11 modules.
$ p11-kit extract --format=x509-directory --filter=ca-anchors /path/to/directory
You can specify the following options to control what to extract. The --filter and --format arguments should be specified. By default this
command will not overwrite the destination file or directory.
--comment
Add identifying comments to PEM bundle output files before each certificate.
--filter=<what>
Specifies what certificates to extract. You can specify the following values:
ca-anchors
Certificate anchors (default)
trust-policy
Anchors and blacklist
blacklist
Blacklisted certificates
certificates
All certificates
pkcs11:object=xx
A PKCS#11 URI
If an output format is chosen that cannot support type what has been specified by the filter, a message will be printed.
None of the available formats support storage of blacklist entries that do not contain a full certificate. Thus any certificates
blacklisted by their issuer and serial number alone, are not included in the extracted blacklist.
--format=<type>
The format of the destination file or directory. You can specify one of the following values:
x509-file
DER X.509 certificate file
x509-directory
directory of X.509 certificates
pem-bundle
File containing one or more certificate PEM blocks
pem-directory
Directory PEM files each containing one certifiacte
openssl-bundle
OpenSSL specific PEM bundle of certificates
openssl-directory
Directory of OpenSSL specific PEM files
java-cacerts
Java keystore 'cacerts' certificate bundle
--overwrite
Overwrite output file or directory.
--purpose=<usage>
Limit to certificates usable for the given purpose You can specify one of the following values:
server-auth
For authenticating servers
client-auth
For authenticating clients
email
For email protection
code-signing
For authenticated signed code
1.2.3.4.5...
An arbitrary purpose OID
EXTRACT TRUST
Extract standard trust information files.
$ p11-kit extract-trust
OpenSSL, GnuTLS and Java cannot currently read trust information directly from the trust policy module. This command extracts trust
information such as certificate anchors for use by these libraries.
What this command does, and where it extracts the files is distribution or site specific. Packagers or administrators are expected
customize this command.
BUGS
Please send bug reports to either the distribution bug tracker or the upstream bug tracker at
https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.
SEE ALSO pkcs11.conf(5)
Further details available in the p11-kit online documentation at http://p11-glue.freedesktop.org/doc/p11-kit/.
p11-kit P11-KIT(8)
Check Out this Related Man Page
PKCS11.CONF(5) System Files PKCS11.CONF(5)NAME
pkcs11.conf - Configuration files for PKCS#11 modules
DESCRIPTION
The pkcs11.conf configuration files are a standard way to configure PKCS#11 modules.
FILE FORMAT
A complete configuration consists of several files. These files are text files. Since p11-kit is built to be used in all sorts of
environments and at very low levels of the software stack, we cannot make use of high level configuration APIs that you may find on a
modern desktop.
Each setting in the config file is specified consists of a name and a value. The name is a simple string consisting of characters and
dashes. The name consists of alpha numeric characters, dot, hyphen and underscore.
The value is specified after the name on the same line, separated from it by a : (colon). White space between the name and value is
ignored.
Blank lines are ignored. White space at the beginning or end of lines is stripped. Lines that begin with a # character are ignored as
comments. Comments are not recognized when they come after a value on a line.
A fictitious module configuration file might look like:
module: module.so
# Here is a comment
managed: true
setting.2: A long value with text.
x-custom : text
MODULE CONFIGURATION
Each configured PKCS#11 module has its own config file. These files can be placed in various locations.
The filename of the configuration file may consist of upper and lowercase letters underscore, comma, dash and dots. The first characters
needs to be an alphanumeric, the filename should end with a .module extension.
Most importantly each config file specifies the path of the PKCS#11 module to load. A module config file has the following fields:
module:
The filename of the PKCS#11 module to load. This should include an extension like .so
If this value is blank, then the module will be ignored. This can be used in the user configs to override loading of a module specified
in the system configuration.
If this is a relative path, then the module will be loaded from the default module directory.
critical:
Set to yes if the module is critical and required to load. If a critical module fails to load or initialize, then the loading process
for all registered modules will abort and return an error code.
This argument is optional and defaults to no.
enable-in:
A comma and/or space separated list of names of programs that this module should only be loaded in. The module will not be loaded for
other programs using p11-kit. The base name of the process executable should be used here, for example seahorse, ssh.
This is not a security feature. The argument is optional. If not present, then any process will load the module.
disable-in:
A comma and/or space separated list of names of programs that this module should not be loaded in. The module will be loaded for any
other programs using p11-kit. The base name of the process executable should be used here, for example firefox, thunderbird-bin.
This is not a security feature. The argument is optional. If not present, then any process will load the module.
priority:
The value should be an integer. When lists of modules are returned to a caller of p11-kit, modules with a higher number are sorted
first. When applications search modules for for certificates, keys and trust policy information, this setting will affect what find
first.
This argument is optional, and defaults to zero. Modules with the same priority option will be sorted alphabetically.
trust-policy:
Set to yes to use use this module as a source of trust policy information such as certificate anchors and black lists.
Do not specify both enable-in and disable-in for the same module.
Other fields may be present, but it is recommended that field names that are not specified in this document start with a x- prefix.
GLOBAL CONFIGURATION
A global configuration may also be present. This file contains settings that are not related to a single PKCS#11 module. The location(s) of
the global configuration are described below. The global configuration file can contain the following fields:
user-config:
This will be equal to one of the following values: none, merge, only.
Other fields may be present, but it is recommended that field names that are not specified in this document start with a x- prefix.
CONFIGURATION FILES
Each configured PKCS#11 module is has its own config file. These files are placed in a directory. In addition a global config file exists.
There is a system configuration consisting of the various module config files and a file for global configuration. Optionally each user can
provide additional configuration or override the system configuration.
The system global configuration file is usually in /etc/pkcs11/pkcs11.conf and the user global configuration file is in
/data/.pkcs11/pkcs11.conf in the user's home directory.
The module config files are usually located in the /etc/pkcs11/modules directory, with one configuration file per module. In addition the
/data/.pkcs11/modules directory can be used for modules installed by the user.
Note that user configuration files are not loaded from the home directory if running inside a setuid or setgid program.
The default system config file and module directory can be changed when building p11-kit. Always lookup these paths using pkg-config.
SEE ALSO p11-kit(8)
Further details available in the p11-kit online documentation at http://p11-glue.freedesktop.org/doc/p11-kit/.
p11-kit PKCS11.CONF(5)