From 5147d71466455b3d087b3f3a7472a35e8216c55a Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Thu, 24 Jan 2013 11:34:47 +0100 Subject: Add basic trust module This is based off the roots-store from gnome-keyring and loads certificates from a root directory and exposes them as PKCS#11 objects. --- doc/p11-kit-trust.xml | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 doc/p11-kit-trust.xml (limited to 'doc/p11-kit-trust.xml') diff --git a/doc/p11-kit-trust.xml b/doc/p11-kit-trust.xml new file mode 100644 index 0000000..7496f7b --- /dev/null +++ b/doc/p11-kit-trust.xml @@ -0,0 +1,90 @@ + + + +Trust Policy Module + + The trust module provides system certificate anchors, blacklists + and other trust policy to crypto libraries applications. This + information is exposed as PKCS#11 objects. + +
+ Files loaded by the Module + + The trust module loads certificates and trust policy information + from preconfigured directories and allows them to be looked up via + PKCS#11. The directories can be determined with using the following + commands: + + + + System Anchors: certificates in these locations + are automatically treated as certificate authority anchors + unless they contain information that prevents that. To check + which locations are being used, run the following command: + +$ pkg-config --variable p11_system_anchors p11-kit-1 +/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors + + + + System Certificates: certificates in these locations + are not treated as anchors, but simply made available through + the module. To find out which directory is used, run the + following command: + +$ pkg-config --variable p11_system_certificates p11-kit-1 +/etc/pki/tls/other-certs + + + + + Files in the following formats are supported for loading by the + trust policy module: + + + + X.509 certificates + X.509 certificates in raw DER format. + + +
+ +
+ Using the Trust Policy Module with NSS + + The trust policy module is a drop in replacement for the + libnssckbi.so module and thus works out of + the box with NSS. The module may be used to replace the + libnssckbi.so file via an distribution + specific alternatives mechanism or otherwise. + + Alternatively NSS applications like Firefox or Thunderbird + may be configured to use the trust policy module by adding + the p11-kit-trust.so PKCS#11 module via their + GUI or command line configuration. +
+ +
+ Disabling the Trust Policy Module + + This module is installed and enabled by default. It may + be disabled in the following ways: + + + Use the + during the p11-kit + build. + Disable loading trust policy information + from this module by adding a file to /etc/pkcs11/modules + called p11-kit-trust.module containing a + trust-policy: line. + Disable this module completely by + adding a file to /etc/pkcs11/modules + called p11-kit-trust.module containing a + enable-in: line. + + +
+ +
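Review bot: the "Files in the following formats are supported" list contradicts the anchors example: the only format listed is "X.509 certificates in raw DER format", yet the `pkg-config --variable p11_system_anchors p11-kit-1` output shows `/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors`, a single bundle file rather than a directory of DER certificates, and the introductory paragraph says the module loads only "from preconfigured directories". Either document the bundle format the module actually parses or change the example path. The sentence "treated as certificate authority anchors unless they contain information that prevents that" should say what that information is, because an administrator reviewing the anchors location needs to know which content stops a certificate from being trusted as a CA. In the "Disabling the Trust Policy Module" section the configure option in "Use the during the p11-kit build" and the values after "trust-policy:" and "enable-in:" are missing, so none of the three steps can be followed as written; fill in the option name and the expected key values. Minor wording: "to crypto libraries applications" (missing "and"), "determined with using", "drop in replacement" (drop-in), "via an distribution specific" (a distribution-specific).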
--