trustp11-kitMaintainerStefWalterstef@thewalter.nettrust1User CommandstrustTool for operating on the trust policy storetrust listtrust extract--filter=<what>--format=<type> /path/to/destination
trust anchor /path/to/certificate.crt
trust dumpDescriptiontrust is a command line tool to examine and
modify the shared trust policy store.See the various sub commands below. The following global options
can be used:Run in verbose mode with debug
output.Run in quiet mode without warning or
failure messages.ListList trust policy store items.
$ trust list
List information about the various items in the trust policy store.
Each item is listed with it's PKCS#11 URI and some descriptive information.You can specify the following options to control what to list.Specifies what certificates to extract. You can specify the following values:
Certificate anchorsAnchors and blacklist (default)Blacklisted certificatesAll certificatesA PKCS#11 URI to filter withIf an output format is chosen that cannot support type what has been
specified by the filter, a message will be printed.None of the available formats support storage of blacklist entries
that do not contain a full certificate. Thus any certificates blacklisted by
their issuer and serial number alone, are not included in the extracted
blacklist.Limit to certificates usable for the given purpose
You can specify one of the following values:
For authenticating serversFor authenticating clientsFor email protectionFor authenticated signed codeAn arbitrary purpose OIDAnchorStore or remove trust anchors.
$ trust anchor /path/to/certificate.crt
$ trust anchor --remove /path/to/certificate.crt
$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
Store or remove trust anchors in the trust policy store. These are
usually root certificate authorities.Specify either the or
operations. If no operation is specified then is
assumed.When storing, one or more certificate files are expected on the
command line. These are stored as anchors, unless they are already
present.When removing an anchor, either specify certificate files or
PKCS#11 URI's on the command line. Matching anchors will be removed.It may be that this command needs to be run as root in order to
modify the system trust policy store, if no user specific store is
available.You can specify the following options.Remove one or more anchors from the trust
policy store. Specify certificate files or PKCS#11 URI's
on the command line.Store one or more anchors to the trust
policy store. Specify certificate files on the command
line.ExtractExtract trust policy from the shared trust policy store.
$ trust extract --format=x509-directory --filter=ca-anchors /path/to/directory
You can specify the following options to control what to extract.
The and arguments
should be specified. By default this command will not overwrite the
destination file or directory.Add identifying comments to PEM bundle output files
before each certificate.Specifies what certificates to extract. You can specify the following values:
Certificate anchors (default)Anchors and blacklistBlacklisted certificatesAll certificatesA PKCS#11 URIIf an output format is chosen that cannot support type what has been
specified by the filter, a message will be printed.None of the available formats support storage of blacklist entries
that do not contain a full certificate. Thus any certificates blacklisted by
their issuer and serial number alone, are not included in the extracted
blacklist.The format of the destination file or directory.
You can specify one of the following values:
DER X.509 certificate filedirectory of X.509 certificatesFile containing one or more certificate PEM blocksDirectory of PEM files each containing one certificateDirectory of PEM files each containing one certificate, with hash symlinksOpenSSL specific PEM bundle of certificatesDirectory of OpenSSL specific PEM filesJava keystore 'cacerts' certificate bundleOverwrite output file or directory.Limit to certificates usable for the given purpose
You can specify one of the following values:
For authenticating serversFor authenticating clientsFor email protectionFor authenticated signed codeAn arbitrary purpose OIDExtract CompatExtract compatibility trust certificate bundles.
$ trust extract-compat
OpenSSL, Java and some versions of GnuTLS cannot currently read
trust information directly from the trust policy store. This command
extracts trust information such as certificate anchors for use by
these libraries.What this command does, and where it extracts the files is
distribution or site specific. Packagers or administrators are expected
customize this command.DumpDump PKCS#11 items in the various tokens.
$ trust dump
Dump information about the various PKCS#11 items in the tokens.
Each item is dumped with it's PKCS#11 URI and information in the .p11-kit
persistence format.You can specify the following options to control what to dump.Specifies what certificates to extract. You can specify the following values:
All objects. This is the defaultA PKCS#11 URI to filter withBugs
Please send bug reports to either the distribution bug tracker
or the upstream bug tracker at
https://github.com/p11-glue/p11-kit/issues/.
See alsop11-kit8An explanatory document about storing trust policy:
https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/
Further details available in the p11-kit online documentation at
https://p11-glue.github.io/p11-glue/p11-kit/manual/.