Example

The following sections describe the config format in detail. But first an example which shows the various features. The configuration below, loads two modules called 'my-module' and 'nss'. The user settings override some aspects of the system settings.

Global configuration file: /usr/local/etc/pkcs11/pkcs11.conf

# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
#    none: No user configuration
#    merge: Merge the user config over the system configuration (default)
#    only: Only user configuration, ignore system configuration
user-config: merge

One module configuration file per module: /usr/local/etc/pkcs11/modules/my-module

# This setting controls the actual module library to load. This config file
# might be installed by the package that installs this module library. This
# is not an absolute path name. Relative path names are loaded from the
# $(libdir)/pkcs11 directory by default.
module: my-pkcs11-module.so

# This controls whether the module is required to successfully initialize. If 'yes', then
# a failure to load or initialize this module will result in a p11-kit system failure.
critical: no

User configuration file: ~/.config/pkcs11/pkcs11.conf

# This is an empty file. Files that do not exist are treated as empty.

User configuration file: ~/.config/pkcs11/modules/my-module

# Merge with the settings in the system my-module config file. In this case
# a developer has overridden to load a different module for my-module instead.
module: /home/user/src/custom-module/my-module.so

User configuration file: ~/.config/pkcs11/modules/nss

# Load the NSS libsoftokn.so.3 PKCS#11 library as a module. Note that we pass
# some custom non-standard initialization arguments, as NSS expects.
module: /usr/lib/libsoftokn3.so
x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='' secmod='socmod.db'
critical: yes