Trust Policy Module

The trust module provides system certificate anchors, blacklists and other
trust policy to crypto libraries and applications. This information is
exposed as PKCS#11 objects.

Paths loaded by the Module

The trust module loads certificates and trust policy information from
preconfigured paths and allows them to be looked up via PKCS#11. The input
paths can be determined using the following command:

  $ pkg-config --variable p11_trust_paths p11-kit-1
  /usr/share/p11-kit/trust:/etc/pki/trust

Files in the following formats are supported for loading by the trust
policy module:

  X.509 certificates
      X.509 certificates in raw DER format. These do not automatically
      contain trust policy information.

  PEM certificates
      X.509 certificates in PEM format. These have a BEGIN CERTIFICATE
      header. This file does not automatically contain trust policy
      information.

  OpenSSL trust certificates
      OpenSSL-specific certificates in PEM format that contain trust
      information. These have a BEGIN TRUSTED CERTIFICATE PEM header. Both
      trust anchor and blacklist information can be loaded from these
      files.

If the input path is a file, then it is loaded. Certificate(s) in the file
are automatically treated as anchors, unless they contain alternate trust
policy information.

If the input path is a directory, files inside that directory are parsed
and loaded. If a file contains trust policy information (as the OpenSSL
trust certificates do) then it is respected. Files without trust policy
information are not automatically marked as anchors or blacklisted.

In addition, two optional subdirectories of the input path are loaded.
Files placed in the anchors/ subdirectory become trust anchors when they do
not contain trust policy information. Files placed in the blacklist/
subdirectory are blacklisted whether they contain trust information or not.

The first input path becomes the first PKCS#11 token of the trust module,
and has the highest priority when callers search for trust policy
information.
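The rules above (file vs. directory input path, the anchors/ and blacklist/ subdirectories, files that carry their own OpenSSL trust policy, and first-path priority) can be modelled in a few dozen lines. The following is an added example written for this page, not p11-kit's own loader: it detects the three supported formats by their PEM header or DER SEQUENCE tag, maps each file to a disposition, and resolves a lookup across several input paths in order. The sample tree is constructed (the certificate bodies are placeholders), and the assumption that only the top level and the two named subdirectories are scanned is the author's, not something the page states.

```python
"""Model of the loading rules the trust module applies to an input path:
which files become anchors, which are blacklisted, which carry their own
policy and which are merely loaded.  Example code written for this page; it
is not p11-kit's own loader and reproduces only the rules the text states."""
import os
from enum import Enum


class Disposition(Enum):
    ANCHOR = "anchor"            # trusted as a certificate anchor
    BLACKLIST = "blacklist"      # explicitly distrusted
    NEUTRAL = "neutral"          # loaded, but neither anchor nor blacklisted
    FILE_POLICY = "file-policy"  # trust flags are taken from the file itself
    UNSUPPORTED = "unsupported"  # not a format the module loads


PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_TRUSTED_HEADER = b"-----BEGIN TRUSTED CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Return 'openssl-trusted', 'pem', 'der' or 'unknown' for file content."""
    if PEM_TRUSTED_HEADER in data:
        return "openssl-trusted"
    if PEM_CERT_HEADER in data:
        return "pem"
    if data[:1] == b"\x30":  # a DER-encoded Certificate begins with a SEQUENCE tag
        return "der"
    return "unknown"


def classify(fmt: str, location: str) -> Disposition:
    """Apply the page's rules.  location is one of:
    'file'      - the input path itself is a file
    'top'       - directly inside an input directory
    'anchors'   - inside the optional anchors/ subdirectory
    'blacklist' - inside the optional blacklist/ subdirectory"""
    if fmt == "unknown":
        return Disposition.UNSUPPORTED
    if location == "blacklist":          # blacklisted whether or not it has policy
        return Disposition.BLACKLIST
    if fmt == "openssl-trusted":         # file carries its own trust policy
        return Disposition.FILE_POLICY
    if location in ("file", "anchors"):  # plain certificates become anchors here
        return Disposition.ANCHOR
    return Disposition.NEUTRAL           # plain certificates at top level: loaded only


def classify_tree(entries: dict) -> dict:
    """entries maps paths relative to an input directory to file bytes.
    Assumption (not stated on the page): only the top level and the two
    named subdirectories are scanned; anything deeper is ignored."""
    result = {}
    for rel, data in entries.items():
        parts = rel.split("/")
        if len(parts) == 1:
            location = "top"
        elif len(parts) == 2 and parts[0] in ("anchors", "blacklist"):
            location = parts[0]
        else:
            continue
        result[rel] = classify(detect_format(data), location)
    return result


def scan_input_path(path: str) -> dict:
    """Classify a real input path (a file or a directory) read from disk."""
    if os.path.isfile(path):
        with open(path, "rb") as f:
            return {os.path.basename(path): classify(detect_format(f.read()), "file")}
    entries = {}
    for sub in ("", "anchors", "blacklist"):
        directory = os.path.join(path, sub)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if os.path.isfile(full):
                with open(full, "rb") as f:
                    entries[os.path.join(sub, name) if sub else name] = f.read()
    return classify_tree(entries)


def first_match(tokens: list, name: str):
    """tokens are per-input-path results in configured order; the first
    path is the first PKCS#11 token and wins when callers search."""
    for tok in tokens:
        if name in tok:
            return tok[name]
    return None


# Constructed sample tree; the certificate bodies are placeholders, not real certs.
SAMPLE_TREE = {
    "corp-ca.pem": PEM_CERT_HEADER + b"\nMIIB...\n-----END CERTIFICATE-----\n",
    "legacy.crt": b"\x30\x82\x02\x10" + b"\x00" * 8,
    "vendor.pem": PEM_TRUSTED_HEADER + b"\nMIIB...\n-----END TRUSTED CERTIFICATE-----\n",
    "anchors/root.pem": PEM_CERT_HEADER + b"\n...\n-----END CERTIFICATE-----\n",
    "anchors/vendor2.pem": PEM_TRUSTED_HEADER + b"\n...\n-----END TRUSTED CERTIFICATE-----\n",
    "blacklist/revoked.pem": PEM_CERT_HEADER + b"\n...\n-----END CERTIFICATE-----\n",
    "notes.txt": b"not a certificate",
}

if __name__ == "__main__":
    for rel, disp in sorted(classify_tree(SAMPLE_TREE).items()):
        print(f"{rel:24s} {disp.value}")
```

Pointing scan_input_path at one of the directories printed by pkg-config shows what the module would treat as an anchor or blacklist entry on that system; the interesting practical check is the top-level PEM that is loaded but is not an anchor, which is the case people most often get wrong when dropping a CA file into the directory instead of into anchors/.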
Using the Trust Policy Module with NSS

The trust policy module is a drop-in replacement for the libnssckbi.so
module and thus works out of the box with NSS. The trust policy module
provides NSS-style PKCS#11 trust objects for NSS to retrieve.

The module may be used to replace the libnssckbi.so file via a
distribution-specific alternatives mechanism or otherwise.

Alternatively, NSS applications like Firefox or Thunderbird may be
configured to use the trust policy module by adding the p11-kit-trust.so
PKCS#11 module via their GUI or command line configuration.

Using the Trust Policy Module with glib-networking

The trust policy module can be used as a source of trust information for
glib-networking's gnutls-pkcs11 backend. The module provides PKCS#11 trust
assertion objects as expected.

The module should work by default if the gnutls-pkcs11 backend is selected
as the glib-networking TLS backend.

Disabling the Trust Policy Module

This module is installed and enabled by default. It may be disabled in the
following ways:

  * Use the relevant configure option during the p11-kit build.

  * Disable loading trust policy information from this module by adding a
    file to /etc/pkcs11/modules called p11-kit-trust.module containing a
    trust-policy: no line.

  * Disable this module completely by adding a file to /etc/pkcs11/modules
    called p11-kit-trust.module containing an enable-in: line (without a
    value).
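The two configuration-file recipes above differ in effect: one keeps the module loaded but stops it supplying trust policy, the other disables it entirely. The following added example (written for this page, not part of p11-kit) parses a p11-kit-trust.module style file of key: value lines and reports which of those states it produces; it models only the two keys the page describes, passes any other key through untouched, and assumes that an empty enable-in: takes precedence when both settings are present.

```python
"""Classify a p11-kit module configuration file by the two settings this
page describes.  Example code for this page, not p11-kit's own parser."""


def parse_module_config(text: str) -> dict:
    """Parse 'key: value' lines.  Blank lines and '#' comments are skipped;
    a key with nothing after the colon (e.g. 'enable-in:') maps to ''."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no colon): {raw!r}")
        config[key.strip()] = value.strip()
    return config


def trust_module_state(config: dict) -> str:
    """Return 'disabled', 'no-trust-policy' or 'enabled'.
    Assumption: an empty 'enable-in:' wins over 'trust-policy: no' because
    a module that is not loaded cannot supply anything."""
    if config.get("enable-in") == "":
        return "disabled"
    if config.get("trust-policy", "yes").lower() == "no":
        return "no-trust-policy"
    return "enabled"


def describe(text: str) -> str:
    """Convenience wrapper: file contents in, state name out."""
    return trust_module_state(parse_module_config(text))


# Constructed sample contents matching the page's two recipes.
DISABLE_TRUST_POLICY = "trust-policy: no\n"
DISABLE_COMPLETELY = "enable-in:\n"
DEFAULT_LIKE = "# constructed example with neither setting\nmodule: p11-kit-trust.so\n"

if __name__ == "__main__":
    for name, text in (("trust-policy: no", DISABLE_TRUST_POLICY),
                       ("enable-in:", DISABLE_COMPLETELY),
                       ("neither", DEFAULT_LIKE)):
        print(f"{name:18s} -> {describe(text)}")
```

Running describe over the contents of /etc/pkcs11/modules/p11-kit-trust.module on a host is a quick way to confirm which of the two documented states an administrator actually configured before debugging why an application does or does not see the system anchors.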