Trust Policy Module

The trust module provides system certificate anchors, blacklists
and other trust policy to crypto libraries and applications. This
information is exposed as PKCS#11 objects.

Files loaded by the Module

The trust module loads certificates and trust policy information
from preconfigured directories and allows them to be looked up via
PKCS#11. The directories can be determined using the following
commands:

System Anchors: certificates in these locations
are automatically treated as certificate authority anchors
unless they contain information that prevents that. To check
which locations are being used, run the following command:

$ pkg-config --variable p11_system_anchors p11-kit-1
/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors

System Certificates: certificates in these locations
are not treated as anchors, but simply made available through
the module. To find out which directory is used, run the
following command:

$ pkg-config --variable p11_system_certificates p11-kit-1
/etc/pki/tls/other-certs
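As an added example (not code from p11-kit or its documentation), the script below shows what an administrator auditing a trust store would do with those pkg-config answers: split the colon-separated location list, walk each location that actually exists, and classify every file by the formats the module accepts (raw DER X.509, and OpenSSL PEM blocks with the TRUSTED CERTIFICATE header; plain CERTIFICATE PEM blocks are reported separately because they carry no trust information). The pkg-config output is a constructed string rather than a live call, and the sample files are placeholders written to a temporary directory; both are my assumptions, not content from the page.

```python
"""Added example, not part of p11-kit: locate and classify trust-store files.

Assumptions: pkg-config output is parsed from a constructed string instead of
running pkg-config; sample certificate files are constructed placeholders."""
import os
import tempfile

# Constructed stand-in for `pkg-config --variable p11_system_anchors p11-kit-1`
SAMPLE_PKGCONFIG_ANCHORS = "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors"


def split_locations(pkgconfig_output):
    """Split the colon-separated list printed by pkg-config into paths."""
    return [p for p in pkgconfig_output.strip().split(":") if p]


def classify_blob(data):
    """Classify file contents by the formats the trust module loads.

    A DER-encoded certificate is an ASN.1 SEQUENCE, so it begins with 0x30.
    PEM files are scanned line by line for their BEGIN headers; a file may
    hold several blocks, so all kinds found are joined in sorted order.
    Plain CERTIFICATE blocks are reported on their own because, unlike
    TRUSTED CERTIFICATE blocks, they carry no trust policy or blacklist data."""
    if data.startswith(b"\x30"):
        return "der-certificate"
    kinds = set()
    for line in data.splitlines():
        line = line.strip()
        if line == b"-----BEGIN TRUSTED CERTIFICATE-----":
            kinds.add("openssl-trusted-certificate")
        elif line == b"-----BEGIN CERTIFICATE-----":
            kinds.add("pem-certificate")
    if not kinds:
        return "unsupported"
    return "+".join(sorted(kinds))


def scan_location(path):
    """Return {file path: kind} for a directory or a single bundle file.

    Paths that do not exist are skipped silently: pkg-config reports what
    was configured at build time, not what is present on this host."""
    results = {}
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if os.path.isfile(full):
                with open(full, "rb") as fh:
                    results[full] = classify_blob(fh.read())
    elif os.path.isfile(path):
        with open(path, "rb") as fh:
            results[path] = classify_blob(fh.read())
    return results


def demo():
    """Build a constructed anchors directory and report what the module
    would see there. The certificate bodies are placeholders, not real
    certificates; the second location is deliberately missing."""
    root = tempfile.mkdtemp()
    anchors = os.path.join(root, "anchors")
    os.mkdir(anchors)
    samples = {
        "root.der": b"\x30\x82\x01\x00" + b"\x00" * 8,  # constructed DER prefix
        "root.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "root-trust.pem": b"-----BEGIN TRUSTED CERTIFICATE-----\nMIIB...\n"
                          b"-----END TRUSTED CERTIFICATE-----\n",
        "README": b"not a certificate\n",
    }
    for name, data in samples.items():
        with open(os.path.join(anchors, name), "wb") as fh:
            fh.write(data)
    locations = split_locations(anchors + ":" + os.path.join(root, "missing"))
    report = {}
    for loc in locations:
        report.update(scan_location(loc))
    return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    for name, kind in demo().items():
        print("%-16s %s" % (name, kind))
```

On a real system, replace the constructed string with the output of the two pkg-config commands above and pass each location to scan_location; anything reported as unsupported is a file the module will ignore, and a plain pem-certificate in an anchors directory is one that was never given explicit trust information.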
Files in the following formats are supported for loading by the
trust policy module:

X.509 certificates
    X.509 certificates in raw DER format.

OpenSSL trust certificates
    OpenSSL specific certificates in PEM format
    that contain trust information. These have a
    TRUSTED CERTIFICATE PEM header. Both
    trust policy and blacklist information can be loaded
    from these files.

Using the Trust Policy Module with NSS

The trust policy module is a drop-in replacement for the
libnssckbi.so module and thus works out of
the box with NSS. The trust policy module provides NSS style
PKCS#11 trust objects for NSS to retrieve.

The module may be used to replace the
libnssckbi.so file via a distribution-specific
alternatives mechanism or otherwise.

Alternatively, NSS applications like Firefox or Thunderbird
may be configured to use the trust policy module by adding
the p11-kit-trust.so PKCS#11 module via their
GUI or command line configuration.

Using the Trust Policy Module with glib-networking

The trust policy module can be used as a source of trust
information for glib-networking's gnutls-pkcs11 backend.
The module provides PKCS#11 trust assertion objects as expected.

The module should work by default if the gnutls-pkcs11
backend is selected as the glib-networking TLS backend.

Disabling the Trust Policy Module

This module is installed and enabled by default. It may
be disabled in the following ways:

- Use the during the p11-kit build.

- Disable loading trust policy information
  from this module by adding a file to /etc/pkcs11/modules
  called p11-kit-trust.module containing a
  trust-policy: line.

- Disable this module completely by
  adding a file to /etc/pkcs11/modules
  called p11-kit-trust.module containing an
  enable-in: line.
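The two module-file recipes above are easy to mix up, and a misplaced line either leaves trust policy active when it was meant to be off or switches the module off for every program. As an added example (my code, not p11-kit's), the block below parses the "key: value" line format that p11-kit module files use and reports which of the two effects a given p11-kit-trust.module would have. The page gives the two keys; the interpretation of an empty value (trust-policy off, and enable-in listing no programs so the module is enabled nowhere) and the treatment of a comma-separated enable-in list are assumptions I state in the code.

```python
"""Added example, not p11-kit's own code: read back the two
p11-kit-trust.module variants described on the page.

Assumptions: module files use 'key: value' lines with '#' comments;
'enable-in' holds a comma-separated list of program names; an empty
'trust-policy' value, or the value 'no', turns trust policy loading off."""

MODULES_DIR = "/etc/pkcs11/modules"  # location named on the page; not written here

# The two file contents the page describes, verbatim.
NO_TRUST_POLICY = "trust-policy:\n"   # keep the module, stop loading trust policy
DISABLED_EVERYWHERE = "enable-in:\n"  # disable the module completely


def parse_module_file(text):
    """Parse 'key: value' lines into a dict.

    '#' begins a comment and blank lines are ignored. An empty value is
    kept as '' so callers can tell 'key present but empty' from 'absent';
    only the first colon separates key from value, so paths in values
    (for example 'module: /usr/lib/pkcs11/p11-kit-trust.so') survive."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed module file line: %r" % raw)
        key, value = line.split(":", 1)
        config[key.strip()] = value.strip()
    return config


def trust_module_state(config, program="firefox"):
    """Return what the parsed module file does for one program.

    Assumption: 'enable-in' lists the programs the module is enabled in,
    so an empty list disables it for everyone (the page's second recipe);
    'trust-policy' set to '' or 'no' keeps the module but drops its trust
    policy information (the page's first recipe)."""
    enable_in = config.get("enable-in")
    if enable_in is not None:
        programs = [p.strip() for p in enable_in.split(",") if p.strip()]
        if program not in programs:
            return "disabled"
    trust = config.get("trust-policy")
    if trust is not None and trust.lower() in ("", "no"):
        return "enabled-without-trust-policy"
    return "enabled"


if __name__ == "__main__":
    # Constructed third variant: enabled only for two named programs.
    only_nss_apps = "module: p11-kit-trust.so\nenable-in: firefox, thunderbird\n"
    for label, text in (("trust-policy:", NO_TRUST_POLICY),
                        ("enable-in:", DISABLED_EVERYWHERE),
                        ("enable-in list", only_nss_apps)):
        cfg = parse_module_file(text)
        print("%-15s firefox=%s curl=%s" % (label,
              trust_module_state(cfg, "firefox"),
              trust_module_state(cfg, "curl")))
```

To check a live system, read MODULES_DIR/p11-kit-trust.module and pass its contents to parse_module_file; the comma-separated enable-in form is a constructed case that goes beyond the page's two all-or-nothing recipes and shows why an empty value means "enabled in no program".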