Diffstat (limited to 'doc/manual')
doc/manual/p11-kit-trust.xml | 61
1 file changed, 34 insertions, 27 deletions
diff --git a/doc/manual/p11-kit-trust.xml b/doc/manual/p11-kit-trust.xml index 0e06446..06f168e 100644 --- a/doc/manual/p11-kit-trust.xml +++ b/doc/manual/p11-kit-trust.xml @@ -9,35 +9,16 @@ information is exposed as PKCS#11 objects.</para> <section id="trust-files"> - <title>Files loaded by the Module</title> + <title>Paths loaded by the Module</title> <para>The trust module loads certificates and trust policy information - from preconfigured directories and allows them to be looked up via - PKCS#11. The directories can be determined with using the following - commands:</para> + from preconfigured paths and allows them to be looked up via PKCS#11. + The input paths can be determined with using the following command:</para> - <itemizedlist> - <listitem> - <para>System Anchors: certificates in these locations - are automatically treated as certificate authority anchors - unless they contain information that prevents that. To check - which locations are being used, run the following command:</para> -<programlisting> -$ pkg-config --variable p11_system_anchors p11-kit-1 -/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors -</programlisting> - </listitem> - <listitem> - <para>System Certificates: certificates in these locations - are not treated as anchors, but simply made available through - the module. To find out which directory is used, run the - following command:</para> <programlisting> -$ pkg-config --variable p11_system_certificates p11-kit-1 -/etc/pki/tls/other-certs +$ pkg-config --variable p11_trust_paths p11-kit-1 +/usr/share/p11-kit/trust:/etc/pki/trust </programlisting> - </listitem> - </itemizedlist> <para>Files in the following formats are supported for loading by the trust policy module:</para> 
@@ -45,17 +26,43 @@ $ pkg-config --variable p11_system_certificates p11-kit-1 <variablelist> <varlistentry> <term>X.509 certificates</term> - <listitem><para>X.509 certificates in raw DER format.</para></listitem> + <listitem><para>X.509 certificates in raw DER format. Does not + automatically contain trust policy information.</para></listitem> + </varlistentry> + <varlistentry> + <term>PEM certificates</term> + <listitem><para>X.509 certificates in PEM format. These have a + <literal>BEGIN CERTIFICATE</literal> header. This file does not + automatically contain trust policy information.</para></listitem> </varlistentry> <varlistentry> <term>OpenSSL trust certificates</term> <listitem><para>OpenSSL specific certificates in PEM format that contain trust information. These have a - <literal>TRUSTED CERTIFICATE</literal> PEM header. Both - trust policy and blacklist information can be loaded + <literal>BEGIN TRUSTED CERTIFICATE</literal> PEM header. Both + trust anchor and blacklist information can be loaded from these files.</para></listitem> </varlistentry> </variablelist> + + <para>If the input path is a file, then it is loaded. Certificate(s) in the + file are automatically treated as anchors, unless they contain alternate + trust policy information.</para> + + <para>If the input path is a directory, files inside that directory are + parsed and loaded. If the file contains trust policy information (such as the + OpenSSL trust certificates) then it will be respected. Files without trust policy + information are not automatically marked as an anchor or blacklisted.</para> + + <para>In addition two optional subdirectories of the input path are loaded. Files + placed in the <literal>anchors/</literal> subdirectory become trust anchors + when they do not contain trust policy information. 
Files placed in the + <literal>blacklist/</literal> subdirectory are blacklisted whether they + contain trust information or not.</para> + + <para>The first input path becomes the first PKCS#11 token of the trust + module, and has the highest priority when callers search for trust + policy information.</para> </section> <section id="trust-nss"> |
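Review bot: the rewritten <para> in the first hunk ("@@ -9,35 +9,16 @@") carries over the grammatical slip from the old text, "The input paths can be determined with using the following command:"; suggest "The input paths can be determined using the following command:". In the same hunk the example output changes from the old layout (/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors, /etc/pki/tls/other-certs) to "/usr/share/p11-kit/trust:/etc/pki/trust"; since the value of p11_trust_paths depends on how p11-kit was built, it would help readers to say that the printed paths are an example and that their own output may differ.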
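Review bot: the paragraphs added in the second hunk ("@@ -45,17 +26,43 @@") describe a difference that matters for trust decisions but leave the reader to infer it: when an input path is a file, its certificates are treated as anchors by default, whereas when the input path is a directory, certificates without embedded policy are neither anchors nor blacklisted unless they sit under anchors/ or blacklist/. Suggest one sentence stating that contrast directly, and a short statement of what "highest priority" means in the last paragraph when the same certificate appears under more than one input path with differing policy. Minor wording: the new "PEM certificates" entry says "This file does not automatically contain trust policy information" while the DER entry says "Does not automatically contain trust policy information."; pick one form, e.g. "These do not carry trust policy information.", and add the comma in "In addition, two optional subdirectories of the input path are loaded."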