Trust Policy Module

Paths loaded by the Module
Using the Trust Policy Module with NSS
Using the Trust Policy Module with glib-networking
Disabling the Trust Policy Module

The trust module provides system certificate anchors, blocklists and other trust policy to crypto libraries applications. This information is exposed as PKCS#11 objects.

You can use the trust command line tool to examine and modify the trust policy store.

Paths loaded by the Module

The trust module loads certificates and trust policy information from preconfigured paths and allows them to be looked up via PKCS#11. The input paths can be determined with using the following command:

$ pkg-config --variable p11_trust_paths p11-kit-1
/usr/share/p11-kit/trust:/etc/pki/trust

Files in the following formats are supported for loading by the trust policy module:

X.509 certificates

X.509 certificates in raw DER format. Does not automatically contain trust policy information.

PEM certificates

X.509 certificates in PEM format. These have a BEGIN CERTIFICATE header. This file does not automatically contain trust policy information.

OpenSSL trust certificates

OpenSSL specific certificates in PEM format that contain trust information. These have a BEGIN TRUSTED CERTIFICATE PEM header. Both trust anchor and blocklist information can be loaded from these files.

If the input path is a file, then it is loaded. Certificate(s) in the file are automatically treated as anchors, unless they contain alternate trust policy information.

If the input path is a directory, files inside that directory are parsed and loaded. If the file contains trust policy information (such as the OpenSSL trust certificates) then it will be respected. Files without trust policy information are not automatically marked as an anchor or distrusted.

In addition two optional subdirectories of the input path are loaded. Files placed in the anchors/ subdirectory become trust anchors when they do not contain trust policy information. Files placed in the blocklist/ subdirectory are distrusted whether they contain trust information or not.

The first input path becomes the first PKCS#11 token of the trust module, and has the highest priority when callers search for trust policy information.