From df29c0dcb6cce6a215dee9dc4e17aff59ae67c5b Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Mon, 11 Mar 2013 10:56:07 +0100 Subject: doc: Move manual into doc/manual subdirectory --- doc/manual/p11-kit-trust.xml | 112 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 doc/manual/p11-kit-trust.xml (limited to 'doc/manual/p11-kit-trust.xml') diff --git a/doc/manual/p11-kit-trust.xml b/doc/manual/p11-kit-trust.xml new file mode 100644 index 0000000..0e06446 --- /dev/null +++ b/doc/manual/p11-kit-trust.xml @@ -0,0 +1,112 @@ + + + +Trust Policy Module + + The trust module provides system certificate anchors, blacklists + and other trust policy to crypto libraries applications. This + information is exposed as PKCS#11 objects. + +
+ Files loaded by the Module + + The trust module loads certificates and trust policy information + from preconfigured directories and allows them to be looked up via + PKCS#11. The directories can be determined with using the following + commands: + + + + System Anchors: certificates in these locations + are automatically treated as certificate authority anchors + unless they contain information that prevents that. To check + which locations are being used, run the following command: + +$ pkg-config --variable p11_system_anchors p11-kit-1 +/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors + + + + System Certificates: certificates in these locations + are not treated as anchors, but simply made available through + the module. To find out which directory is used, run the + following command: + +$ pkg-config --variable p11_system_certificates p11-kit-1 +/etc/pki/tls/other-certs + + + + + Files in the following formats are supported for loading by the + trust policy module: + + + + X.509 certificates + X.509 certificates in raw DER format. + + + OpenSSL trust certificates + OpenSSL specific certificates in PEM format + that contain trust information. These have a + TRUSTED CERTIFICATE PEM header. Both + trust policy and blacklist information can be loaded + from these files. + + +
+ +
+ Using the Trust Policy Module with NSS + + The trust policy module is a drop in replacement for the + libnssckbi.so module and thus works out of + the box with NSS. The trust policy module provides NSS style + PKCS#11 trust objects for NSS to retrieve. + + The module may be used to replace the + libnssckbi.so file via an distribution + specific alternatives mechanism or otherwise. + + Alternatively NSS applications like Firefox or Thunderbird + may be configured to use the trust policy module by adding + the p11-kit-trust.so PKCS#11 module via their + GUI or command line configuration. +
+ +
+ Using the Trust Policy Module with glib-networking + + The trust policy module can be used as a source of trust + information for glib-networking's gnutls-pkcs11 backend. + The module provides PKCS#11 trust assertion objects as expected. + + The module should work by default if the gnutls-pkcs11 + backend is selected as the glib-networking TLS backend. +
+ +
+ Disabling the Trust Policy Module + + This module is installed and enabled by default. It may + be disabled in the following ways: + + + Use the + during the p11-kit + build. + Disable loading trust policy information + from this module by adding a file to /etc/pkcs11/modules + called p11-kit-trust.module containing a + trust-policy: line. + Disable this module completely by + adding a file to /etc/pkcs11/modules + called p11-kit-trust.module containing a + enable-in: line. + + +
+ +
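Review bot: the "Disabling the Trust Policy Module" list in this hunk is incomplete as written: the first item reads "Use the during the p11-kit build" with the build option itself missing, and the two `p11-kit-trust.module` items say the file should contain "a trust-policy: line" and "a enable-in: line" without giving the value that follows the colon, so a reader cannot tell which setting disables only the trust policy information and which disables the module entirely; spell out each line in full and name the configure option. The same hunk has wording to fix: "crypto libraries applications" should be "crypto libraries and applications", "determined with using" should be "determined using", "via an distribution specific alternatives mechanism" should be "via a distribution-specific alternatives mechanism", and "a enable-in: line" should be "an enable-in: line". Under "System Anchors", the sentence that certificates in those locations "are automatically treated as certificate authority anchors unless they contain information that prevents that" would be clearer if it said what that information is, for example by pointing to the OpenSSL trusted-certificate files described later in the section, which the text says can carry trust policy and blacklist information; as it stands, the reader is left to infer that any plain DER certificate placed in an anchors location becomes a trust anchor.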