The trust module provides system certificate anchors, blocklists and other trust policy to crypto libraries and applications. This information is exposed as PKCS#11 objects.
You can use the trust command line tool to examine and modify the trust policy store.
The trust module loads certificates and trust policy information from preconfigured paths and allows them to be looked up via PKCS#11. The input paths can be determined using the following command (the output is a colon-separated list, in priority order):
$ pkg-config --variable p11_trust_paths p11-kit-1
/usr/share/p11-kit/trust:/etc/pki/trust
Files in the following formats are supported for loading by the trust policy module:

X.509 certificates
    X.509 certificates in raw DER format. These do not carry trust policy information.

PEM certificates
    X.509 certificates in PEM format. These have a BEGIN CERTIFICATE header line and, like DER files, carry no trust policy information.

OpenSSL trust certificates
    OpenSSL-specific certificates in PEM format that contain trust information. These have a BEGIN TRUSTED CERTIFICATE header line.
If the input path is a file, it is loaded and the certificate(s) in it are treated as anchors, unless the file carries its own trust policy information.
If the input path is a directory, the files inside it are parsed and loaded. Trust policy information in a file (as in OpenSSL trust certificates) is respected. Files without trust policy information are neither marked as anchors nor distrusted, so dropping a plain certificate into the top level of a trust directory does not make it trusted.
In addition, two optional subdirectories of the input path are loaded. Files placed in the anchors/ subdirectory become trust anchors when they do not contain trust policy information. Files placed in the blocklist/ subdirectory are distrusted whether they contain trust information or not.
The first input path becomes the first PKCS#11 token of the trust module, and has the highest priority when callers search for trust policy information.
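The loading rules above (format detection by PEM header, the file-versus-directory rule, the anchors/ and blocklist/ subdirectories, and token order) as a small model in Python. This is an added example, not p11-kit's own code: the directory names, file names, the DER stand-ins, the appended "AUX" bytes and the single-byte SEQUENCE check used to spot DER are constructed assumptions of the example, and the policy labels ("anchor", "none", "distrusted", "from-file", "skipped") are the example's own vocabulary rather than PKCS#11 attributes.

```python
"""Model of how the p11-kit trust module treats its input paths: format
detection, anchors/ and blocklist/ handling and token order.
Added example, not p11-kit's own code."""
import base64
import hashlib
import os
import tempfile

PEM_CERT = "-----BEGIN CERTIFICATE-----"
PEM_TRUSTED = "-----BEGIN TRUSTED CERTIFICATE-----"

# Constructed stand-ins for certificate DER (a SEQUENCE holding an INTEGER and
# a NULL), not real X.509; the real module parses the certificate itself.
CERT_A = b"\x30\x05\x02\x01\x01\x05\x00"
CERT_B = b"\x30\x05\x02\x01\x02\x05\x00"
AUX = b"\x30\x00"  # stand-in for the trust settings OpenSSL appends to a trusted cert

def detect_format(data: bytes) -> str:
    """'openssl-trust', 'pem', 'der' or 'unknown'. The DER check is an
    assumption: an X.509 certificate is an ASN.1 SEQUENCE (tag byte 0x30)."""
    text = data.decode("ascii", errors="ignore")
    if PEM_TRUSTED in text:
        return "openssl-trust"
    if PEM_CERT in text:
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def pem_to_der(text: str) -> bytes:
    """Decode the base64 body between the first BEGIN/END markers."""
    body, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            body.append(line.strip())
    return base64.b64decode("".join(body))

def first_der_element(data: bytes) -> bytes:
    """Slice the leading ASN.1 element (the certificate SEQUENCE) so a trusted
    certificate, which carries extra data after the cert, keys like a plain one."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if data[1] < 0x80:
        length, offset = data[1], 2
    else:
        n = data[1] & 0x7F
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if offset + length > len(data):
        raise ValueError("truncated DER")
    return data[:offset + length]

def cert_digest(der: bytes) -> str:
    return hashlib.sha256(first_der_element(der)).hexdigest()

def entry_for(path: str, default: str, force: str = None) -> dict:
    """Classify one file: 'default' applies when the file carries no policy,
    'force' (used for blocklist/) overrides whatever the file says."""
    with open(path, "rb") as f:
        data = f.read()
    fmt = detect_format(data)
    if fmt == "unknown":
        return {"file": path, "format": fmt, "digest": None, "policy": "skipped"}
    der = data if fmt == "der" else pem_to_der(data.decode("ascii", errors="ignore"))
    policy = force or ("from-file" if fmt == "openssl-trust" else default)
    return {"file": path, "format": fmt, "digest": cert_digest(der), "policy": policy}

def load_trust_path(path: str) -> list:
    """Apply the page's rules to one input path (a file or a directory)."""
    if os.path.isfile(path):  # a single file: anchor unless it carries its own policy
        return [entry_for(path, "anchor")]
    entries = []
    for name in sorted(os.listdir(path)):  # top level: no policy unless the file has one
        full = os.path.join(path, name)
        if os.path.isfile(full):
            entries.append(entry_for(full, "none"))
    for sub, default, force in (("anchors", "anchor", None), ("blocklist", "distrusted", "distrusted")):
        subdir = os.path.join(path, sub)
        if not os.path.isdir(subdir):
            continue
        for name in sorted(os.listdir(subdir)):
            full = os.path.join(subdir, name)
            if os.path.isfile(full):
                entries.append(entry_for(full, default, force))
    return entries

def lookup(tokens: list, digest: str) -> list:
    """Search tokens in input-path order; the first path is the first token,
    so its entries come first (highest priority)."""
    return [(i, e) for i, t in enumerate(tokens) for e in t if e["digest"] == digest]

def pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def build_sample_tree(root: str) -> list:
    """Write a constructed layout under root; returns input paths in priority order."""
    etc, share = os.path.join(root, "etc", "trust"), os.path.join(root, "share", "trust")
    files = {
        os.path.join(etc, "blocklist", "root.pem"): pem("CERTIFICATE", CERT_A),
        os.path.join(share, "plain.pem"): pem("CERTIFICATE", CERT_B),
        os.path.join(share, "legacy.pem"): pem("TRUSTED CERTIFICATE", CERT_B + AUX),
        os.path.join(share, "README"): "not a certificate\n",
        os.path.join(share, "anchors", "root.der"): CERT_A,
        os.path.join(share, "blocklist", "revoked.pem"): pem("TRUSTED CERTIFICATE", CERT_B + AUX),
        os.path.join(root, "single.pem"): pem("CERTIFICATE", CERT_B),
    }
    for path, content in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content if isinstance(content, bytes) else content.encode())
    return [etc, share, os.path.join(root, "single.pem")]

def demo() -> tuple:
    """Return (policy per file, matches for CERT_A in token order)."""
    with tempfile.TemporaryDirectory() as root:
        tokens = [load_trust_path(p) for p in build_sample_tree(root)]
        policies = {os.path.relpath(e["file"], root): e["policy"] for t in tokens for e in t}
        matches = [(i, os.path.relpath(e["file"], root), e["policy"])
                   for i, e in lookup(tokens, cert_digest(CERT_A))]
        return policies, matches
```

Running demo() shows the two things practitioners most often get wrong: the plain certificate at the top level of a trust directory ends up with no policy at all, while the same certificate placed in anchors/ becomes an anchor; and when CERT_A appears in both the first path's blocklist/ and the second path's anchors/, the match from the first path is returned first because that path is the first token.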