The following sections describe the config format in detail, but first here is an example that shows the various features. The configuration below loads two modules called 'my-module' and 'nss'. The user settings override some aspects of the system settings.
Global configuration file: /usr/local/etc/pkcs11/pkcs11.conf

    # This setting controls whether to load user configuration from the
    # ~/.config/pkcs11 directory. Possible values:
    #    none: No user configuration
    #    merge: Merge the user config over the system configuration (default)
    #    only: Only user configuration, ignore system configuration
    user-config: merge

One module configuration file per module: /usr/local/etc/pkcs11/modules/my-module

    # This setting controls the actual module library to load. This config file
    # might be installed by the package that installs this module library. This
    # is not an absolute path name. Relative path names are loaded from the
    # $(libdir)/pkcs11 directory by default.
    module: my-pkcs11-module.so

    # This controls whether the module is required to successfully initialize. If 'yes', then
    # a failure to load or initialize this module will result in a p11-kit system failure.
    critical: no

User configuration file: ~/.config/pkcs11/pkcs11.conf

    # This is an empty file. Files that do not exist are treated as empty.

User configuration file: ~/.config/pkcs11/modules/my-module

    # Merge with the settings in the system my-module config file. In this case
    # a developer has overridden to load a different module for my-module instead.
    module: /home/user/src/custom-module/my-module.so

User configuration file: ~/.config/pkcs11/modules/nss

    # Load the NSS libsoftokn.so.3 PKCS#11 library as a module. Note that we pass
    # some custom non-standard initialization arguments, as NSS expects.
    module: /usr/lib/libsoftokn3.so
    x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='' secmod='socmod.db'
    critical: yes
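
The example above, worked through for each user-config value. This is an added illustration, not p11-kit's own parser: it models the per-setting merge of the files shown on this page and reports which system settings the user files replace. The names parse, modules and effective are hypothetical, and reading the mode only from the system pkcs11.conf is a simplifying assumption.

```python
# Simplified model of the merge rules described above; not p11-kit code.
SYSTEM = {  # constructed from the example files on this page
    "pkcs11.conf": "# global settings\nuser-config: merge\n",
    "modules/my-module": "module: my-pkcs11-module.so\ncritical: no\n",
}
USER = {  # constructed from the example files on this page
    "pkcs11.conf": "# This is an empty file.\n",
    "modules/my-module": "module: /home/user/src/custom-module/my-module.so\n",
    "modules/nss": "module: /usr/lib/libsoftokn3.so\n"
                   "x-init-reserved: configdir='sql:/home/test/.pki/nssdb' "
                   "certPrefix='' keyPrefix='' secmod='socmod.db'\n"
                   "critical: yes\n",
}

def parse(text):
    """Parse 'name: value' lines; blank lines and '#' comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            raise ValueError(f"not a 'name: value' line: {line!r}")
        settings[name.strip()] = value.strip()
    return settings

def modules(tree):
    """Map module name -> settings for every file under modules/."""
    return {p.split("/", 1)[1]: parse(t)
            for p, t in tree.items() if p.startswith("modules/")}

def effective(system, user, mode=None):
    """Return (modules, overrides) for user-config mode none, merge or only."""
    mode = mode or parse(system.get("pkcs11.conf", "")).get("user-config", "merge")
    if mode not in ("none", "merge", "only"):
        raise ValueError(f"unknown user-config value: {mode!r}")
    result = {} if mode == "only" else modules(system)
    overrides = []  # (module, setting, system value, user value)
    if mode != "none":
        for name, settings in modules(user).items():
            base = result.setdefault(name, {})
            for key, value in settings.items():
                if base.get(key, value) != value:
                    overrides.append((name, key, base[key], value))
                base[key] = value
    return result, overrides
```

Under merge, my-module keeps `critical: no` from the system file while its library path comes from the user file; the overrides list is the part worth reviewing when auditing which library a process will actually load.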