Trust Policy ModuleThe trust module provides system certificate anchors, blacklists
and other trust policy to crypto libraries applications. This
information is exposed as PKCS#11 objects.Files loaded by the ModuleThe trust module loads certificates and trust policy information
from preconfigured directories and allows them to be looked up via
PKCS#11. The directories can be determined with using the following
commands:System Anchors: certificates in these locations
are automatically treated as certificate authority anchors
unless they contain information that prevents that. To check
which locations are being used, run the following command:
$ pkg-config --variable p11_system_anchors p11-kit-1
/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors
System Certificates: certificates in these locations
are not treated as anchors, but simply made available through
the module. To find out which directory is used, run the
following command:
$ pkg-config --variable p11_system_certificates p11-kit-1
/etc/pki/tls/other-certs
Files in the following formats are supported for loading by the
trust policy module:X.509 certificatesX.509 certificates in raw DER format.OpenSSL trust certificatesOpenSSL specific certificates in PEM format
that contain trust information. These have a
TRUSTED CERTIFICATE PEM header. Both
trust policy and blacklist information can be loaded
from these files.Using the Trust Policy Module with NSSThe trust policy module is a drop in replacement for the
libnssckbi.so module and thus works out of
the box with NSS. The trust policy module provides NSS style
PKCS#11 trust objects for NSS to retrieve.The module may be used to replace the
libnssckbi.so file via an distribution
specific alternatives mechanism or otherwise.Alternatively NSS applications like Firefox or Thunderbird
may be configured to use the trust policy module by adding
the p11-kit-trust.so PKCS#11 module via their
GUI or command line configuration.Disabling the Trust Policy ModuleThis module is installed and enabled by default. It may
be disabled in the following ways:Use the
during the p11-kit
build.Disable loading trust policy information
from this module by adding a file to /etc/pkcs11/modules
called p11-kit-trust.module containing a
trust-policy: line.Disable this module completely by
adding a file to /etc/pkcs11/modules
called p11-kit-trust.module containing a
enable-in: line.