1P11-KIT(8) System Commands P11-KIT(8)
2
6 p11-kit - Tool for operating on configured PKCS#11 modules
7
9 p11-kit list-modules
10 p11-kit extract --filter=<what> --format=<type> /path/to/destination
12
15 p11-kit is a command line tool that can be used to perform operations
16 on PKCS#11 modules configured on the system.
17 See the various sub commands below. The following global options can be
19 used:
20 -v, --verbose
22 Run in verbose mode with debug output.
23 -q, --quiet
25 Run in quiet mode without warning or failure messages.
26
28 List system configured PKCS#11 modules.
29 $ p11-kit list-modules
31 The modules, information about them and the tokens present in the
33 PKCS#11 modules will be displayed.
34
36 Extract certificates from configured PKCS#11 modules.
37 $ p11-kit extract --format=x509-directory --filter=ca-anchors /path/to/directory
39 You can specify the following options to control what to extract. The
41 --filter and --format arguments should be specified. By default this
42 command will not overwrite the destination file or directory.
43 --comment
45 Add identifying comments to PEM bundle output files before each
46 certificate.
47 --filter=<what>
49 Specifies what certificates to extract. You can specify the
50 following values:
51 ca-anchors
53 Certificate anchors (default)
54 trust-policy
56 Anchors and blacklist
57 blacklist
59 Blacklisted certificates
60 certificates
62 All certificates
63 pkcs11:object=xx
65 A PKCS#11 URI
66 If an output format is chosen that cannot support type what has
68 been specified by the filter, a message will be printed.
69 None of the available formats support storage of blacklist entries
71 that do not contain a full certificate. Thus any certificates
72 blacklisted by their issuer and serial number alone, are not
73 included in the extracted blacklist.
74 --format=<type>
76 The format of the destination file or directory. You can specify
77 one of the following values:
78 x509-file
80 DER X.509 certificate file
81 x509-directory
83 directory of X.509 certificates
84 pem-bundle
86 File containing one or more certificate PEM blocks
87 pem-directory
89 Directory PEM files each containing one certifiacte
90 openssl-bundle
92 OpenSSL specific PEM bundle of certificates
93 openssl-directory
95 Directory of OpenSSL specific PEM files
96 java-cacerts
98 Java keystore ´cacerts´ certificate bundle
99 --overwrite
102 Overwrite output file or directory.
103 --purpose=<usage>
105 Limit to certificates usable for the given purpose You can specify
106 one of the following values:
107 server-auth
109 For authenticating servers
110 client-auth
112 For authenticating clients
113 email
115 For email protection
116 code-signing
118 For authenticated signed code
119 1.2.3.4.5...
121 An arbitrary purpose OID
122
125 Extract standard trust information files.
126 $ p11-kit extract-trust
128 OpenSSL, GnuTLS and Java cannot currently read trust information
130 directly from the trust policy module. This command extracts trust
131 information such as certificate anchors for use by these libraries.
132 What this command does, and where it extracts the files is distribution
134 or site specific. Packagers or administrators are expected customize
135 this command.
136
138 Please send bug reports to either the distribution bug tracker or the
139 upstream bug tracker at
140 https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.
141
143 pkcs11.conf(5)
144 Further details available in the p11-kit online documentation at
146 http://p11-glue.freedesktop.org/doc/p11-kit/.
147p11-kit P11-KIT(8)