blob: 98f5da5017f7a9be666e3ab687a22efa39adbbc4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
|
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<refentry id="p11-kit">
<refentryinfo>
<title>p11-kit</title>
<productname>p11-kit</productname>
<authorgroup>
<author>
<contrib>Maintainer</contrib>
<firstname>Stef</firstname>
<surname>Walter</surname>
<email>stef@thewalter.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>p11-kit</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="manual">System Commands</refmiscinfo>
</refmeta>
<refnamediv>
<refname>p11-kit</refname>
<refpurpose>Tool for operating on configured PKCS#11 modules</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>p11-kit list-modules</command>
</cmdsynopsis>
<cmdsynopsis>
<command>p11-kit extract</command> <arg choice="plain">--filter=<what></arg>
<arg choice="plain">--format=<type></arg> /path/to/destination
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>p11-kit</command> is a command line tool that
can be used to perform operations on PKCS#11 modules configured on the
system.</para>
<para>See the various sub commands below. The following global options
can be used:</para>
<variablelist>
<varlistentry>
<term><option>-v, --verbose</option></term>
<listitem><para>Run in verbose mode with debug
output.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-q, --quiet</option></term>
<listitem><para>Run in quiet mode without warning or
failure messages.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>List Modules</title>
<para>List system configured PKCS#11 modules.</para>
<programlisting>
$ p11-kit list-modules
</programlisting>
<para>The modules, information about them and the tokens present in
the PKCS#11 modules will be displayed.</para>
</refsect1>
<refsect1>
<title>Extract</title>
<para>Extract certificates from configured PKCS#11 modules.</para>
<programlisting>
$ p11-kit extract --format=x509-directory --filter=ca-certificates /path/to/directory
</programlisting>
<para>You can specify the following options to control what to extract.
The <option>--filter</option> and <option>--format</option> arguments
should be specified. By default this command will not overwrite the
destination file or directory.</para>
<variablelist>
<varlistentry>
<term><option>--filter=<what></option></term>
<listitem><para>Specifies what certificates to export.
You can specify the following values:
<variablelist>
<varlistentry>
<term><option>ca-anchors</option></term>
<listitem><para>Certificate anchors (default)</para></listitem>
</varlistentry>
<varlistentry>
<term><option>blacklist</option></term>
<listitem><para>Blacklisted certificates</para></listitem>
</varlistentry>
<varlistentry>
<term><option>certificates</option></term>
<listitem><para>All certificates</para></listitem>
</varlistentry>
<varlistentry>
<term><option>pkcs11:object=xx</option></term>
<listitem><para>A PKCS#11 URI</para></listitem>
</varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--format=<type></option></term>
<listitem><para>The format of the destination file or directory.
You can specify one of the following values:
<variablelist>
<varlistentry>
<term><option>x509-file</option></term>
<listitem><para>DER X.509 certificate file</para></listitem>
</varlistentry>
<varlistentry>
<term><option>x509-directory</option></term>
<listitem><para>directory of X.509 certificates</para></listitem>
</varlistentry>
<varlistentry>
<term><option>pem-bundle</option></term>
<listitem><para>File containing one or more certificate PEM blocks</para></listitem>
</varlistentry>
<varlistentry>
<term><option>pem-directory</option></term>
<listitem><para>Directory PEM files each containing one certifiacte</para></listitem>
</varlistentry>
<varlistentry>
<term><option>openssl-bundle</option></term>
<listitem><para>OpenSSL specific PEM bundle of certificates</para></listitem>
</varlistentry>
<varlistentry>
<term><option>openssl-directory</option></term>
<listitem><para>Directory of OpenSSL specific PEM files</para></listitem>
</varlistentry>
<varlistentry>
<term><option>java-cacerts</option></term>
<listitem><para>Java keystore 'cacerts' certificate bundle</para></listitem>
</varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--overwrite</option></term>
<listitem><para>Overwrite output file or directory.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--purpose=<usage></option></term>
<listitem><para>Limit to certificates usable for the given purpose
You can specify one of the following values:
<variablelist>
<varlistentry>
<term><option>server-auth</option></term>
<listitem><para>For authenticating servers</para></listitem>
</varlistentry>
<varlistentry>
<term><option>client-auth</option></term>
<listitem><para>For authenticating clients</para></listitem>
</varlistentry>
<varlistentry>
<term><option>email</option></term>
<listitem><para>For email protection</para></listitem>
</varlistentry>
<varlistentry>
<term><option>code-signing</option></term>
<listitem><para>For authenticated signed code</para></listitem>
</varlistentry>
<varlistentry>
<term><option>1.2.3.4.5...</option></term>
<listitem><para>An arbitrary purpose OID</para></listitem>
</varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Extract Trust</title>
<para>Extract standard trust information files.</para>
<programlisting>
$ p11-kit extract-trust
</programlisting>
<para>OpenSSL, GnuTLS and Java cannot currently read trust information
directly from the trust policy module. This command extracts trust
information such as certificate anchors for use by these libraries.</para>
<para>What this command does, and where it extracts the files is
distribution or site specific. Packagers or administrators are expected
customize this command.</para>
</refsect1>
<refsect1>
<title>Bugs</title>
<para>
Please send bug reports to either the distribution bug tracker
or the upstream bug tracker at
<ulink url="https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit">https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit</ulink>.
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>
Further details available in the p11-kit online documentation at
<ulink url="http://p11-glue.freedesktop.org/doc/p11-kit/">http://p11-glue.freedesktop.org/doc/p11-kit/</ulink>.
</para>
</refsect1>
</refentry>
|