p11-kitp11-kitMaintainerStefWalterstef@thewalter.netp11-kit8System Commandsp11-kitTool for operating on configured PKCS#11 modulesp11-kit list-modulesp11-kit extract--filter=<what>--format=<type> /path/to/destination
Descriptionp11-kit is a command line tool that
can be used to perform operations on PKCS#11 modules configured on the
system.See the various sub commands below. The following global options
can be used:Run in verbose mode with debug
output.Run in quiet mode without warning or
failure messages.List ModulesList system configured PKCS#11 modules.
$ p11-kit list-modules
The modules, information about them and the tokens present in
the PKCS#11 modules will be displayed.ExtractExtract certificates from configured PKCS#11 modules.
$ p11-kit extract --format=x509-directory --filter=ca-certificates /path/to/directory
You can specify the following options to control what to extract.
The and arguments
should be specified. By default this command will not overwrite the
destination file or directory.Add identifying comments to PEM bundle output files
before each certificate.Specifies what certificates to extract. You can specify the following values:
Certificate anchors (default)Anchors and blacklistBlacklisted certificatesAll certificatesA PKCS#11 URIIf an output format is chosen that cannot support type what has been
specified by the filter, a message will be printed.None of the available formats support storage of blacklist entries
that do not contain a full certificate. Thus any certificates blacklisted by
their issuer and serial number alone, are not included in the extracted
blacklist.The format of the destination file or directory.
You can specify one of the following values:
DER X.509 certificate filedirectory of X.509 certificatesFile containing one or more certificate PEM blocksDirectory PEM files each containing one certifiacteOpenSSL specific PEM bundle of certificatesDirectory of OpenSSL specific PEM filesJava keystore 'cacerts' certificate bundleOverwrite output file or directory.Limit to certificates usable for the given purpose
You can specify one of the following values:
For authenticating serversFor authenticating clientsFor email protectionFor authenticated signed codeAn arbitrary purpose OIDExtract TrustExtract standard trust information files.
$ p11-kit extract-trust
OpenSSL, GnuTLS and Java cannot currently read trust information
directly from the trust policy module. This command extracts trust
information such as certificate anchors for use by these libraries.What this command does, and where it extracts the files is
distribution or site specific. Packagers or administrators are expected
customize this command.Bugs
Please send bug reports to either the distribution bug tracker
or the upstream bug tracker at
https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.
See alsopkcs11.conf5
Further details available in the p11-kit online documentation at
http://p11-glue.freedesktop.org/doc/p11-kit/.