2. EL 6 ELS
  3. p11-kit
  4. p11-kit(8)

Scroll to navigation

P11-KIT(8) System Commands P11-KIT(8)

NAME

p11-kit - Tool for operating on configured PKCS#11 modules

SYNOPSIS

p11-kit list-modules

p11-kit extract --filter=<what> --format=<type> /path/to/destination

DESCRIPTION

p11-kit is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.

See the various sub commands below. The following global options can be used:

-v, --verbose

Run in verbose mode with debug output.

-q, --quiet

Run in quiet mode without warning or failure messages.

LIST MODULES

List system configured PKCS#11 modules.

$ p11-kit list-modules

The modules, information about them and the tokens present in the PKCS#11 modules will be displayed.

EXTRACT

Extract certificates from configured PKCS#11 modules.

$ p11-kit extract --format=x509-directory --filter=ca-anchors /path/to/directory

You can specify the following options to control what to extract. The --filter and --format arguments should be specified. By default this command will not overwrite the destination file or directory.

--comment

Add identifying comments to PEM bundle output files before each certificate.

--filter=<what>

Specifies what certificates to extract. You can specify the following values:

ca-anchors

Certificate anchors (default)

trust-policy

Anchors and blacklist

blacklist

Blacklisted certificates

certificates

All certificates

pkcs11:object=xx

A PKCS#11 URI

If an output format is chosen that cannot support type what has been specified by the filter, a message will be printed.

None of the available formats support storage of blacklist entries that do not contain a full certificate. Thus any certificates blacklisted by their issuer and serial number alone, are not included in the extracted blacklist.

--format=<type>

The format of the destination file or directory. You can specify one of the following values:

x509-file

DER X.509 certificate file

x509-directory

directory of X.509 certificates

pem-bundle

File containing one or more certificate PEM blocks

pem-directory

Directory PEM files each containing one certifiacte

openssl-bundle

OpenSSL specific PEM bundle of certificates

openssl-directory

Directory of OpenSSL specific PEM files

java-cacerts

Java keystore ´cacerts´ certificate bundle

--overwrite

Overwrite output file or directory.

--purpose=<usage>

Limit to certificates usable for the given purpose You can specify one of the following values:

server-auth

For authenticating servers

client-auth

For authenticating clients

email

For email protection

code-signing

For authenticated signed code

1.2.3.4.5...

An arbitrary purpose OID

EXTRACT TRUST

Extract standard trust information files.

$ p11-kit extract-trust

OpenSSL, GnuTLS and Java cannot currently read trust information directly from the trust policy module. This command extracts trust information such as certificate anchors for use by these libraries.

What this command does, and where it extracts the files is distribution or site specific. Packagers or administrators are expected customize this command.

BUGS

Please send bug reports to either the distribution bug tracker or the upstream bug tracker at https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.

SEE ALSO

pkcs11.conf(5)

Further details available in the p11-kit online documentation at http://p11-glue.freedesktop.org/doc/p11-kit/.

p11-kit