TRUST(1)                         User Commands                        TRUST(1)

NAME

       trust - Tool for operating on the trust policy store

SYNOPSIS

       trust list

       trust extract --filter=<what> --format=<type> /path/to/destination

       trust extract-compat

       trust anchor /path/to/certificate.crt

       trust dump

       trust check-format /path/to/file.p11-kit...

DESCRIPTION

       trust is a command line tool to examine and modify the shared trust
       policy store.

       See the various sub commands below. The following global options can be
       used:

       -v, --verbose
           Run in verbose mode with debug output.

       -q, --quiet
           Run in quiet mode without warning or failure messages.

LIST

       List trust policy store items.

           $ trust list

       List information about the various items in the trust policy store.
       Each item is listed with its PKCS#11 URI and some descriptive
       information.

       You can specify the following options to control what to list.

       --filter=<what>
           Specifies what certificates to list. You can specify the
           following values:

           ca-anchors
               Certificate anchors

           trust-policy
               Anchors and blocklist (default)

           blocklist
               Distrusted certificates

           certificates
               All certificates

           pkcs11:object=xx
               A PKCS#11 URI to filter with

           If an output format is chosen that cannot support the type
           specified by the filter, a message will be printed.

           None of the available formats support storage of blocklist entries
           that do not contain a full certificate. Thus any certificates
           distrusted by their issuer and serial number alone are not
           included in the extracted blocklist.

       --purpose=<usage>
           Limit to certificates usable for the given purpose. You can specify
           one of the following values:

           server-auth
               For authenticating servers

           client-auth
               For authenticating clients

           email
               For email protection

           code-signing
               For authenticated signed code

           1.2.3.4.5...
               An arbitrary purpose OID


ANCHOR

       Store or remove trust anchors.

           $ trust anchor /path/to/certificate.crt
           $ trust anchor --remove /path/to/certificate.crt
           $ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"

       Store or remove trust anchors in the trust policy store. These are
       usually root certificate authorities.

       Specify either the --store or --remove operation. If no operation is
       specified then --store is assumed.

       When storing, one or more certificate files are expected on the command
       line. These are stored as anchors, unless they are already present.

       When removing an anchor, either specify certificate files or PKCS#11
       URIs on the command line. Matching anchors will be removed.

       This command may need to be run as root in order to modify the system
       trust policy store, if no user specific store is available.

       You can specify the following options.

       --remove
           Remove one or more anchors from the trust policy store. Specify
           certificate files or PKCS#11 URIs on the command line.

       --store
           Store one or more anchors to the trust policy store. Specify
           certificate files on the command line.

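       The LIST and ANCHOR commands above print output that is easy to read
       but awkward to audit by hand, and storing an anchor gives no receipt
       for what was added. The following POSIX shell script is an added
       example and is not part of p11-kit: it flattens the listing, flags
       anchors that are not on an allowlist, and reports which PKCS#11 URIs
       appeared after a trust anchor so that exact entry can later be removed
       with --remove. It assumes the listing layout printed by trust list (a
       pkcs11: URI line followed by indented type, label, trust and category
       lines); the sample listings, labels and ids below are constructed and
       are not real store contents.

```sh
#!/bin/sh
# Added example, not part of p11-kit: audit `trust list` output and get a
# receipt for `trust anchor`. Assumes the listing layout printed by
# `trust list`: a "pkcs11:" URI line followed by indented "key: value" lines
# (type, label, trust, category). Sample listings below are constructed.

# Flatten a listing read on stdin into one "<trust>\t<label>\t<uri>" line per item.
trust_items() {
    awk '
        function flush() {
            if (uri != "") printf "%s\t%s\t%s\n", trust, label, uri
            uri = ""; label = ""; trust = ""
        }
        /^pkcs11:/        { flush(); uri = $0; next }
        /^[ \t]+label:/   { sub(/^[ \t]+label:[ \t]*/, ""); label = $0; next }
        /^[ \t]+trust:/   { sub(/^[ \t]+trust:[ \t]*/, ""); trust = $0; next }
        END               { flush() }
    '
}

# Print anchors whose label is not in the allowlist ($1, one label per line).
# Exit status 1 when something unexpected is anchored, so it can gate a build.
unexpected_anchors() {
    trust_items | awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "anchor" && !($2 in ok) { print $2; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Print the URIs present in anchor listing file $2 but not in listing file $1.
new_anchor_uris() {
    {
        trust_items < "$1" | cut -f3 | sed 's/^/old /'
        trust_items < "$2" | cut -f3 | sed 's/^/new /'
    } | awk '$1 == "old" { seen[$2] = 1 } $1 == "new" && !($2 in seen) { print $2 }'
}

# Store $1 as an anchor (may need root for the system store) and print the
# URI(s) that appeared, which is what `trust anchor --remove` takes later.
anchor_with_receipt() {
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }
    trust list --filter=ca-anchors > "$before" &&
        trust anchor "$1" &&
        trust list --filter=ca-anchors > "$after" &&
        new_anchor_uris "$before" "$after"
    status=$?
    rm -f "$before" "$after"
    return $status
}

# Constructed sample listings (ids shortened; real ids are much longer).
SAMPLE_BEFORE='pkcs11:id=%01;type=cert
    type: certificate
    label: Corp Root CA
    trust: anchor
    category: authority
pkcs11:id=%03;type=cert
    type: certificate
    label: Retired CA
    trust: distrusted
    category: authority'
SAMPLE_AFTER="$SAMPLE_BEFORE
pkcs11:id=%02;type=cert
    type: certificate
    label: Lab Test CA
    trust: anchor
    category: authority"

# Stand-alone run on the constructed data. Against the live store use:
#   trust list | unexpected_anchors "$(cat allowed-anchors.txt)"
#   anchor_with_receipt /path/to/certificate.crt
printf '%s\n' "$SAMPLE_AFTER" | unexpected_anchors 'Corp Root CA' ||
    echo "anchors above are not on the allowlist" >&2
```

       Labels are matched exactly, so the allowlist must use the label as
       trust list prints it. The receipt function diffs the anchor set rather
       than guessing the new entry's label or id, which keeps it correct even
       when the certificate was already present (in which case nothing new
       is printed).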

EXTRACT

       Extract trust policy from the shared trust policy store.

           $ trust extract --format=x509-directory --filter=ca-anchors /path/to/directory

       You can specify the following options to control what to extract. The
       --filter and --format arguments should be specified. By default this
       command will not overwrite the destination file or directory.

       --comment
           Add identifying comments to PEM bundle output files before each
           certificate.

       --filter=<what>
           Specifies what certificates to extract. You can specify the
           following values:

           ca-anchors
               Certificate anchors (default)

           trust-policy
               Anchors and blocklist

           blocklist
               Distrusted certificates

           certificates
               All certificates

           pkcs11:object=xx
               A PKCS#11 URI

           If an output format is chosen that cannot support the type
           specified by the filter, a message will be printed.

           None of the available formats support storage of blocklist entries
           that do not contain a full certificate. Thus any certificates
           distrusted by their issuer and serial number alone are not
           included in the extracted blocklist.

       --format=<type>
           The format of the destination file or directory. You can specify
           one of the following values:

           x509-file
               DER X.509 certificate file

           x509-directory
               Directory of X.509 certificates

           pem-bundle
               File containing one or more certificate PEM blocks

           pem-directory
               Directory of PEM files each containing one certificate

           pem-directory-hash
               Directory of PEM files each containing one certificate, with
               hash symlinks

           openssl-bundle
               OpenSSL specific PEM bundle of certificates

           openssl-directory
               Directory of OpenSSL specific PEM files

           java-cacerts
               Java keystore 'cacerts' certificate bundle

       --overwrite
           Overwrite output file or directory.

       --purpose=<usage>
           Limit to certificates usable for the given purpose. You can specify
           one of the following values:

           server-auth
               For authenticating servers

           client-auth
               For authenticating clients

           email
               For email protection

           code-signing
               For authenticated signed code

           1.2.3.4.5...
               An arbitrary purpose OID

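       Because trust extract refuses to overwrite by default, scripted
       regeneration of a bundle usually reaches for --overwrite, and a failed
       or empty extraction can then replace a good bundle in place. The
       following POSIX shell script is an added example and is not part of
       p11-kit: it extracts server-auth anchors as a PEM bundle into a
       temporary file beside the destination, checks that the result is well
       formed and holds at least the expected number of certificates, and only
       then moves it over the destination. The destination path and the
       expected count are the caller's choice; the sample bundle is
       constructed and contains placeholder bodies, not real certificates.

```sh
#!/bin/sh
# Added example, not part of p11-kit: regenerate a PEM bundle of server-auth
# anchors without ever leaving the destination empty or half-written.
# `trust extract` will not overwrite by default, so the extraction goes to a
# fresh temporary file (with --overwrite), the result is sanity-checked, and
# only then is it moved over the destination. Destination path is the caller's.

# Count PEM certificate blocks in $1, insisting that every BEGIN has its END.
# Prints the count; exit status 1 if the file is malformed.
pem_cert_count() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; n++; next }
        END { if (open) bad = 1; print n + 0; exit (bad ? 1 : 0) }
    ' "$1"
}

# Move $1 over $2 only if it is well formed and holds at least $3 (default 1)
# certificates: a failed extraction must never replace a good bundle.
install_bundle() {
    src=$1; dest=$2; min=${3:-1}
    n=$(pem_cert_count "$src") ||
        { echo "refusing: $src is not a well-formed PEM bundle" >&2; return 1; }
    [ "$n" -ge "$min" ] ||
        { echo "refusing: $src holds $n certificates, expected at least $min" >&2; return 1; }
    # mktemp files are 0600; a CA bundle must be readable by every TLS client.
    chmod 0644 "$src" && mv -f "$src" "$dest"
}

# Extract anchors usable for server authentication into a temp file beside $1
# (same filesystem, so the final mv is atomic) and install it. $2 is the
# minimum number of certificates you expect; set it from the previous run.
refresh_server_auth_bundle() {
    dest=$1
    tmp=$(mktemp "$(dirname "$dest")/.ca-bundle.XXXXXX") || return 1
    if trust extract --format=pem-bundle --filter=ca-anchors \
            --purpose=server-auth --comment --overwrite "$tmp" &&
       install_bundle "$tmp" "$dest" "${2:-1}"; then
        echo "installed $dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample bundle (placeholder bodies, not real certificates) so the
# checks can be exercised stand-alone. Live use:
#   refresh_server_auth_bundle /path/to/ca-bundle.crt 100
SAMPLE_BUNDLE='# Corp Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
# Partner Issuing CA
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----'

sample=$(mktemp) && printf '%s\n' "$SAMPLE_BUNDLE" > "$sample"
echo "sample bundle holds $(pem_cert_count "$sample") certificate(s)"
rm -f "$sample"
```

       The minimum-count argument is the part worth tuning: a store that
       suddenly yields far fewer anchors than last time is more likely to be a
       broken extraction or a mis-set --purpose than a genuine change, and the
       script then leaves the previous bundle untouched and exits non-zero.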

EXTRACT COMPAT

       Extract compatibility trust certificate bundles.

           $ trust extract-compat

       OpenSSL, Java and some versions of GnuTLS cannot currently read trust
       information directly from the trust policy store. This command extracts
       trust information such as certificate anchors for use by these
       libraries.

       What this command does, and where it extracts the files, is distribution
       or site specific. Packagers or administrators are expected to customize
       this command.


DUMP

       Dump PKCS#11 items in the various tokens.

           $ trust dump

       Dump information about the various PKCS#11 items in the tokens. Each
       item is dumped with its PKCS#11 URI and information in the .p11-kit
       persistence format.

       You can specify the following options to control what to dump.

       --filter=<what>
           Specifies what objects to dump. You can specify the following
           values:

           all
               All objects. This is the default

           pkcs11:object=xx
               A PKCS#11 URI to filter with


CHECK FORMAT

       Check the format of .p11-kit files.

           $ trust check-format /path/to/file.p11-kit...

       Administrators sometimes need to write a custom .p11-kit file to amend
       the trust information. This is an error prone process as the file
       format is mainly for machine processing. Administrators can use this
       command to check whether a file has a correct .p11-kit format. The
       output of trust dump is in the same persistence format and is a
       convenient starting point for such a file.

       This command takes an arbitrary number of files as input. Each file is
       then analysed and any mismatch with the .p11-kit format is reported on
       the standard error output. After the file is processed a check result
       is printed on the standard output.


BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at https://github.com/p11-glue/p11-kit/issues/.


SEE ALSO

       p11-kit(8)

       An explanatory document about storing trust policy:
       https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/

       Further details available in the p11-kit online documentation at
       https://p11-glue.github.io/p11-glue/p11-kit/manual/.


p11-kit                                                               TRUST(1)