Trust Policy Module

The trust module provides system certificate anchors, blacklists and other trust policy to crypto libraries and applications. This information is exposed as PKCS#11 objects.

Files loaded by the Module

The trust module loads certificates and trust policy information from preconfigured directories and allows them to be looked up via PKCS#11. The directories can be determined using the following commands:

System Anchors: certificates in these locations are automatically treated as certificate authority anchors unless they contain information that prevents that. To check which locations are being used, run the following command:

    $ pkg-config --variable p11_system_anchors p11-kit-1
    /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors

System Certificates: certificates in these locations are not treated as anchors, but simply made available through the module. To find out which directory is used, run the following command:

    $ pkg-config --variable p11_system_certificates p11-kit-1
    /etc/pki/tls/other-certs

Files in the following formats are supported for loading by the trust policy module:

X.509 certificates: X.509 certificates in raw DER format.

OpenSSL trust certificates: OpenSSL-specific certificates in PEM format that contain trust information. These have a TRUSTED CERTIFICATE PEM header. Both trust policy and blacklist information can be loaded from these files.
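
To audit what the module will load from these locations, the following added example (not part of p11-kit or of the original page) takes the colon-separated list printed by pkg-config and labels each file with one of the two formats named above. The function names and the labels "openssl-trust-pem", "x509-der", "other" and "missing" are assumptions of this example, and the DER check is a heuristic on the outer ASN.1 SEQUENCE only, not a certificate parser.

```python
import os
import subprocess

TRUSTED_PEM = b"-----BEGIN TRUSTED CERTIFICATE-----"

def looks_like_der(data):
    """Heuristic: one outer ASN.1 SEQUENCE whose length spans the whole file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(data)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)

def classify(path):
    with open(path, "rb") as fh:
        data = fh.read()
    if TRUSTED_PEM in data:               # bundles may hold many such blocks
        return "openssl-trust-pem"
    if looks_like_der(data):
        return "x509-der"
    return "other"                        # not one of the formats listed above

def inventory(locations):
    """locations: colon-separated list as printed by pkg-config."""
    found = {}
    for loc in filter(None, locations.strip().split(":")):
        if os.path.isfile(loc):
            found[loc] = classify(loc)
        elif os.path.isdir(loc):
            for name in sorted(os.listdir(loc)):
                full = os.path.join(loc, name)
                if os.path.isfile(full):
                    found[full] = classify(full)
        else:
            found[loc] = "missing"
    return found

def system_locations(variable):
    """Ask pkg-config for p11_system_anchors or p11_system_certificates."""
    return subprocess.run(["pkg-config", "--variable", variable, "p11-kit-1"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for var in ("p11_system_anchors", "p11_system_certificates"):
        for path, kind in inventory(system_locations(var)).items():
            print(var, kind, path)
```

Files reported as "other" under an anchor location are worth a manual look, since they are not in either format listed above.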

Using the Trust Policy Module with NSS

The trust policy module is a drop-in replacement for the libnssckbi.so module and thus works out of the box with NSS. The trust policy module provides NSS-style PKCS#11 trust objects for NSS to retrieve.

The module may be used to replace the libnssckbi.so file via a distribution-specific alternatives mechanism or otherwise. Alternatively, NSS applications like Firefox or Thunderbird may be configured to use the trust policy module by adding the p11-kit-trust.so PKCS#11 module via their GUI or command line configuration.

Disabling the Trust Policy Module

This module is installed and enabled by default. It may be disabled in the following ways:

- Use the during the p11-kit build.
- Disable loading trust policy information from this module by adding a file to /etc/pkcs11/modules called p11-kit-trust.module containing a trust-policy: line.
- Disable this module completely by adding a file to /etc/pkcs11/modules called p11-kit-trust.module containing an enable-in: line.