trust
See the various sub commands below. The following global options can be used:
-v, --verbose
-q, --quiet
List trust policy store items.
$ trust list
List information about the various items in the trust policy store. Each item is listed with it's PKCS#11 URI and some descriptive information.
You can specify the following options to control what to list.
--filter=<what>
ca-anchors
trust-policy
blacklist
certificates
pkcs11:object=xx
If an output format is chosen that cannot support type what has been specified by the filter, a message will be printed.
None of the available formats support storage of blacklist entries that do not contain a full certificate. Thus any certificates blacklisted by their issuer and serial number alone, are not included in the extracted blacklist.
--purpose=<usage>
server-auth
client-auth
code-signing
1.2.3.4.5...
Store or remove trust anchors.
$ trust anchor /path/to/certificate.crt $ trust anchor --remove /path/to/certificate.crt $ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
Store or remove trust anchors in the trust policy store. These are usually root certificate authorities.
Specify either the --store or --remove operations. If no operation is specified then --store is assumed.
When storing, one or more certificate files are expected on the command line. These are stored as anchors, unless they are already present.
When removing an anchor, either specify certificate files or PKCS#11 URI's on the command line. Matching anchors will be removed.
It may be that this command needs to be run as root in order to modify the system trust policy store, if no user specific store is available.
You can specify the following options.
--remove
--store
Extract trust policy from the shared trust policy store.
$ trust extract --format=x509-directory --filter=ca-anchors /path/to/directory
You can specify the following options to control what to extract. The --filter and --format arguments should be specified. By default this command will not overwrite the destination file or directory.
--comment
--filter=<what>
ca-anchors
trust-policy
blacklist
certificates
pkcs11:object=xx
If an output format is chosen that cannot support type what has been specified by the filter, a message will be printed.
None of the available formats support storage of blacklist entries that do not contain a full certificate. Thus any certificates blacklisted by their issuer and serial number alone, are not included in the extracted blacklist.
--format=<type>
x509-file
x509-directory
pem-bundle
pem-directory
pem-directory-hash
openssl-bundle
openssl-directory
java-cacerts
--overwrite
--purpose=<usage>
server-auth
client-auth
code-signing
1.2.3.4.5...
Extract compatibility trust certificate bundles.
$ trust extract-compat
OpenSSL, Java and some versions of GnuTLS cannot currently read trust information directly from the trust policy store. This command extracts trust information such as certificate anchors for use by these libraries.
What this command does, and where it extracts the files is distribution or site specific. Packagers or administrators are expected customize this command.
Dump PKCS#11 items in the various tokens.
$ trust dump
Dump information about the various PKCS#11 items in the tokens. Each item is dumped with it's PKCS#11 URI and information in the .p11-kit persistence format.
You can specify the following options to control what to dump.
--filter=<what>
all
pkcs11:object=xx
Please send bug reports to either the distribution bug tracker or the upstream bug tracker at m[blue]https://github.com/p11-glue/p11-kit/issues/m[].
An explanatory document about storing trust policy: m[blue]https://p11-glue.github.io/p11-glue/doc/storing-trust-policy/m[]
Further details available in the p11-kit online documentation at m[blue]https://p11-glue.github.io/p11-glue/p11-kit/manual/m[].