TRUST(1)                        User Commands                        TRUST(1)

NAME
trust - Tool for operating on the trust policy store

SYNOPSIS
trust list

trust extract --filter=<what> --format=<type> /path/to/destination

trust anchor /path/to/certificate.crt

trust dump

DESCRIPTION
trust is a command line tool to examine and modify the shared trust
policy store.

See the various sub-commands below. The following global options can be
used with any of them:

-v, --verbose
Run in verbose mode with debug output.

-q, --quiet
Run in quiet mode without warning or failure messages.

LIST
List trust policy store items.

$ trust list

List information about the various items in the trust policy store.
Each item is listed with its PKCS#11 URI and some descriptive
information.

You can specify the following options to control what to list.

--filter=<what>
Specifies which items to list. You can specify the following
values:

ca-anchors
Certificate anchors

trust-policy
Anchors and blocklist (default)

blocklist
Distrusted certificates

certificates
All certificates

pkcs11:object=xx
A PKCS#11 URI to filter with

--purpose=<usage>
Limit to certificates usable for the given purpose. You can specify
one of the following values:

server-auth
For authenticating servers

client-auth
For authenticating clients

email
For email protection

code-signing
For authenticated signed code

1.2.3.4.5...
An arbitrary purpose OID


ANCHOR
Store or remove trust anchors.

$ trust anchor /path/to/certificate.crt
$ trust anchor --remove /path/to/certificate.crt
$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"

Store or remove trust anchors in the trust policy store. These are
usually root certificate authorities.

Specify either the --store or --remove operation. If no operation is
specified then --store is assumed.

When storing, one or more certificate files are expected on the command
line. These are stored as anchors, unless they are already present.

When removing an anchor, specify either certificate files or PKCS#11
URIs on the command line. Matching anchors will be removed.

This command may need to be run as root in order to modify the system
trust policy store, if no user-specific store is available.

You can specify the following options.

--remove
Remove one or more anchors from the trust policy store. Specify
certificate files or PKCS#11 URIs on the command line.

--store
Store one or more anchors to the trust policy store. Specify
certificate files on the command line.

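The PKCS#11 URI that trust list prints for each item is also what trust anchor --remove accepts, so a removal can target one stored object exactly instead of relying on a certificate file that may no longer match what is in the store. The script below is an added example and is not part of p11-kit; it assumes the list layout is a line starting with "pkcs11:" followed by indented "key: value" lines (the "label:" and "trust:" field names are assumptions), and SAMPLE_LIST is constructed text, not output captured from a real store.

```shell
#!/bin/sh
# Added example, not part of p11-kit. Turns "trust list" output into the
# exact PKCS#11 URI that "trust anchor --remove" needs, so an operator removes
# one specific item rather than guessing at a file that may not match what is
# stored. Assumed layout: a line starting with "pkcs11:" opens each item and
# is followed by indented "key: value" lines; the "label:" and "trust:" field
# names are assumptions. SAMPLE_LIST is constructed text, not real output.

SAMPLE_LIST='pkcs11:id=%aa%bb%cc%dd%ee;type=cert
    type: certificate
    label: Example Corp Root CA
    trust: anchor
    category: authority

pkcs11:id=%11%22%33%44%55;type=cert
    type: certificate
    label: Revoked Intermediate
    trust: distrusted
    category: authority

pkcs11:id=%01%02%03%04%05;type=cert
    type: certificate
    label: Another Root
    trust: anchor
    category: authority
'

# uri_for_label LABEL: read list output on stdin, print the URI of every
# item whose label equals LABEL exactly (substring matches would be unsafe
# when one CA name is a prefix of another).
uri_for_label() {
    awk -v want="$1" '
        /^pkcs11:/       { uri = $0; next }
        /^[ \t]+label: / { sub(/^[ \t]+label: /, ""); if ($0 == want) print uri }
    '
}

# count_trust VALUE: read list output on stdin, print how many items carry
# "trust: VALUE" (for example anchor or distrusted).
count_trust() {
    awk -v want="$1" '
        /^[ \t]+trust: / { sub(/^[ \t]+trust: /, ""); if ($0 == want) n++ }
        END { print n + 0 }
    '
}

# remove_cmd_for_label LABEL: read list output on stdin and print the
# removal command for the first matching item. It prints rather than runs
# the command so the operator can review the URI before anything changes.
remove_cmd_for_label() {
    uri=$(uri_for_label "$1" | head -n 1)
    if [ -z "$uri" ]; then
        echo "no item labelled '$1'" >&2
        return 1
    fi
    printf 'trust anchor --remove "%s"\n' "$uri"
}

# Demonstration on the constructed sample; on a live host feed "trust list".
printf '%s' "$SAMPLE_LIST" | count_trust anchor
printf '%s' "$SAMPLE_LIST" | remove_cmd_for_label "Example Corp Root CA"
```

On a real host the pipeline is trust list | remove_cmd_for_label "Some CA"; inspect the printed command, then run it (as root if the item lives in the system store, as noted above). Exact label matching matters because CA labels are free-form text and one name is often a prefix of another.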
EXTRACT
Extract trust policy from the shared trust policy store.

$ trust extract --format=x509-directory --filter=ca-anchors /path/to/directory

You can specify the following options to control what to extract. Both
the --filter and --format arguments should be specified. By default this
command will not overwrite the destination file or directory.

--comment
Add identifying comments to PEM bundle output files before each
certificate.

--filter=<what>
Specifies which certificates to extract. You can specify the
following values:

ca-anchors
Certificate anchors (default)

trust-policy
Anchors and blocklist

blocklist
Distrusted certificates

certificates
All certificates

pkcs11:object=xx
A PKCS#11 URI to filter with

If an output format is chosen that cannot represent the type of item
selected by the filter, a message will be printed.

None of the available formats support storage of blocklist entries
that do not contain a full certificate. Thus any certificates
distrusted by their issuer and serial number alone are not
included in the extracted blocklist.

--format=<type>
The format of the destination file or directory. You can specify
one of the following values:

x509-file
DER X.509 certificate file

x509-directory
Directory of X.509 certificates

pem-bundle
File containing one or more certificate PEM blocks

pem-directory
Directory of PEM files each containing one certificate

pem-directory-hash
Directory of PEM files each containing one certificate, with
hash symlinks

openssl-bundle
OpenSSL specific PEM bundle of certificates

openssl-directory
Directory of OpenSSL specific PEM files

java-cacerts
Java keystore 'cacerts' certificate bundle

--overwrite
Overwrite the output file or directory.

--purpose=<usage>
Limit to certificates usable for the given purpose. You can specify
one of the following values:

server-auth
For authenticating servers

client-auth
For authenticating clients

email
For email protection

code-signing
For authenticated signed code

1.2.3.4.5...
An arbitrary purpose OID

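Because trust extract refuses to overwrite by default, a scheduled refresh of a PEM bundle for an OpenSSL-style consumer has to either pass --overwrite on the final path or extract to a fresh path and rename it into place; the second keeps a readable bundle present at every instant and gives a chance to reject an empty or truncated result before it is installed. The script below is an added example and not p11-kit code; it assumes trust is on PATH when refresh_bundle runs, the destination path at the bottom is a placeholder, and the sample bundle it checks is constructed with placeholder bodies rather than real certificates.

```shell
#!/bin/sh
# Added example, not part of p11-kit. Refreshes a PEM bundle for an
# OpenSSL-style consumer from the trust store and installs it atomically.
# Assumptions: "trust" is on PATH when refresh_bundle runs; the destination
# path used at the bottom is a placeholder; the sample bundle is constructed
# with placeholder bodies and is not made of real certificates.

# count_pem_certs FILE: number of PEM certificate blocks in FILE.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true
}

# pem_balanced FILE: succeed only if FILE holds at least one certificate and
# every BEGIN line has an END line; rejects empty or truncated bundles.
pem_balanced() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" 2>/dev/null || true)
    if [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]; then
        return 0
    fi
    return 1
}

# refresh_bundle DEST [PURPOSE]: extract anchors for PURPOSE (default
# server-auth) into a temporary file in DEST's directory, validate it, then
# rename it over DEST. The temporary file is created by mktemp, so it is
# ours and --overwrite applies only to it, never to DEST; the final rename
# means readers see the old or the new bundle, never a half-written one.
refresh_bundle() {
    dest=$1
    purpose=${2:-server-auth}
    tmp=$(mktemp "$(dirname "$dest")/.bundle.XXXXXX") || return 1
    if ! trust extract --format=pem-bundle --filter=ca-anchors \
            --purpose="$purpose" --comment --overwrite "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! pem_balanced "$tmp"; then
        echo "refusing to install empty or malformed bundle $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# Constructed two-certificate bundle for the checks; bodies are placeholders.
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
# Example Root One
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
# Example Root Two
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
EOF

echo "sample bundle holds $(count_pem_certs "$SAMPLE_BUNDLE") certificate(s)"

# Live run only where the tool exists; /tmp/ca-anchors.pem is a placeholder.
if command -v trust >/dev/null 2>&1; then
    refresh_bundle /tmp/ca-anchors.pem server-auth \
        && echo "installed $(count_pem_certs /tmp/ca-anchors.pem) anchor(s)" \
        || echo "refresh failed" >&2
fi
```

Filtering with --purpose=server-auth keeps e-mail-only or code-signing-only anchors out of a bundle handed to a TLS client, which is the narrowest set that client needs; the balance check catches the case where extraction was interrupted or the filter matched nothing.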
EXTRACT-COMPAT
Extract compatibility trust certificate bundles.

$ trust extract-compat

OpenSSL, Java and some versions of GnuTLS cannot currently read trust
information directly from the trust policy store. This command extracts
trust information such as certificate anchors for use by these
libraries.

What this command does, and where it extracts the files, is distribution
or site specific. Packagers or administrators are expected to customize
this command.

DUMP
Dump PKCS#11 items in the various tokens.

$ trust dump

Dump information about the various PKCS#11 items in the tokens. Each
item is dumped with its PKCS#11 URI and information in the .p11-kit
persistence format.

You can specify the following options to control what to dump.

--filter=<what>
Specifies which objects to dump. You can specify the following
values:

all
All objects. This is the default.

pkcs11:object=xx
A PKCS#11 URI to filter with

BUGS
Please send bug reports to either the distribution bug tracker or the
upstream bug tracker at https://github.com/p11-glue/p11-kit/issues/.

SEE ALSO
p11-kit(8)

An explanatory document about storing trust policy:
https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/

Further details available in the p11-kit online documentation at
https://p11-glue.github.io/p11-glue/p11-kit/manual/.



p11-kit                                                              TRUST(1)