P11-KIT(8) System Commands P11-KIT(8)NAMEp11-kit - Tool for operating on configured PKCS#11 modules
SYNOPSISp11-kit list-modules
p11-kit extract --filter=<what> --format=<type> /path/to/destination
DESCRIPTIONp11-kit is a command line tool that can be used to perform operations
on PKCS#11 modules configured on the system.
See the various sub commands below. The following global options can be
used:
-v, --verbose
Run in verbose mode with debug output.
-q, --quiet
Run in quiet mode without warning or failure messages.
LIST MODULES
List system configured PKCS#11 modules.
$ p11-kit list-modules
The modules, information about them and the tokens present in the
PKCS#11 modules will be displayed.
EXTRACT
Extract certificates from configured PKCS#11 modules.
$ p11-kit extract --format=x509-directory --filter=ca-anchors /path/to/directory
You can specify the following options to control what to extract. The
--filter and --format arguments should be specified. By default this
command will not overwrite the destination file or directory.
--comment
Add identifying comments to PEM bundle output files before each
certificate.
--filter=<what>
Specifies what certificates to extract. You can specify the
following values:
ca-anchors
Certificate anchors (default)
trust-policy
Anchors and blacklist
blacklist
Blacklisted certificates
certificates
All certificates
pkcs11:object=xx
A PKCS#11 URI
If an output format is chosen that cannot support type what has
been specified by the filter, a message will be printed.
None of the available formats support storage of blacklist entries
that do not contain a full certificate. Thus any certificates
blacklisted by their issuer and serial number alone, are not
included in the extracted blacklist.
--format=<type>
The format of the destination file or directory. You can specify
one of the following values:
x509-file
DER X.509 certificate file
x509-directory
directory of X.509 certificates
pem-bundle
File containing one or more certificate PEM blocks
pem-directory
Directory PEM files each containing one certifiacte
openssl-bundle
OpenSSL specific PEM bundle of certificates
openssl-directory
Directory of OpenSSL specific PEM files
java-cacerts
Java keystore ´cacerts´ certificate bundle
--overwrite
Overwrite output file or directory.
--purpose=<usage>
Limit to certificates usable for the given purpose You can specify
one of the following values:
server-auth
For authenticating servers
client-auth
For authenticating clients
email
For email protection
code-signing
For authenticated signed code
1.2.3.4.5...
An arbitrary purpose OID
EXTRACT TRUST
Extract standard trust information files.
$ p11-kit extract-trust
OpenSSL, GnuTLS and Java cannot currently read trust information
directly from the trust policy module. This command extracts trust
information such as certificate anchors for use by these libraries.
What this command does, and where it extracts the files is distribution
or site specific. Packagers or administrators are expected customize
this command.
BUGS
Please send bug reports to either the distribution bug tracker or the
upstream bug tracker at
https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.
SEE ALSOpkcs11.conf(5)
Further details available in the p11-kit online documentation at
http://p11-glue.freedesktop.org/doc/p11-kit/.
p11-kit P11-KIT(8)