Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

p11-kit(8) [centos man page]

P11-KIT(8)							  System Commands							P11-KIT(8)

NAME

       p11-kit - Tool for operating on configured PKCS#11 modules

SYNOPSIS

       p11-kit list-modules

       p11-kit extract --filter=<what> --format=<type> /path/to/destination

DESCRIPTION

       p11-kit is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.

       See the various sub commands below. The following global options can be used:

       -v, --verbose
	   Run in verbose mode with debug output.

       -q, --quiet
	   Run in quiet mode without warning or failure messages.

LIST MODULES

       List system configured PKCS#11 modules.

	   $ p11-kit list-modules

       The modules, information about them and the tokens present in the PKCS#11 modules will be displayed.

EXTRACT

       Extract certificates from configured PKCS#11 modules.

	   $ p11-kit extract --format=x509-directory --filter=ca-anchors /path/to/directory

       You can specify the following options to control what to extract. The --filter and --format arguments should be specified. By default this
       command will not overwrite the destination file or directory.

       --comment
	   Add identifying comments to PEM bundle output files before each certificate.

       --filter=<what>
	   Specifies what certificates to extract. You can specify the following values:

	   ca-anchors
	       Certificate anchors (default)

	   trust-policy
	       Anchors and blacklist

	   blacklist
	       Blacklisted certificates

	   certificates
	       All certificates

	   pkcs11:object=xx
	       A PKCS#11 URI

	   If an output format is chosen that cannot support type what has been specified by the filter, a message will be printed.

	   None of the available formats support storage of blacklist entries that do not contain a full certificate. Thus any certificates
	   blacklisted by their issuer and serial number alone, are not included in the extracted blacklist.

       --format=<type>
	   The format of the destination file or directory. You can specify one of the following values:

	   x509-file
	       DER X.509 certificate file

	   x509-directory
	       directory of X.509 certificates

	   pem-bundle
	       File containing one or more certificate PEM blocks

	   pem-directory
	       Directory PEM files each containing one certifiacte

	   openssl-bundle
	       OpenSSL specific PEM bundle of certificates

	   openssl-directory
	       Directory of OpenSSL specific PEM files

	   java-cacerts
	       Java keystore 'cacerts' certificate bundle

       --overwrite
	   Overwrite output file or directory.

       --purpose=<usage>
	   Limit to certificates usable for the given purpose You can specify one of the following values:

	   server-auth
	       For authenticating servers

	   client-auth
	       For authenticating clients

	   email
	       For email protection

	   code-signing
	       For authenticated signed code

	   1.2.3.4.5...
	       An arbitrary purpose OID

EXTRACT TRUST

       Extract standard trust information files.

	   $ p11-kit extract-trust

       OpenSSL, GnuTLS and Java cannot currently read trust information directly from the trust policy module. This command extracts trust
       information such as certificate anchors for use by these libraries.

       What this command does, and where it extracts the files is distribution or site specific. Packagers or administrators are expected
       customize this command.

BUGS

       Please send bug reports to either the distribution bug tracker or the upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.

SEE ALSO

       pkcs11.conf(5)

       Further details available in the p11-kit online documentation at http://p11-glue.freedesktop.org/doc/p11-kit/.

p11-kit 																P11-KIT(8)

Check Out this Related Man Page

CRL2PKCS7(1)							      OpenSSL							      CRL2PKCS7(1)

NAME

       crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.

SYNOPSIS

       openssl crl2pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-certfile filename] [-nocrl]

DESCRIPTION

       The crl2pkcs7 command takes an optional CRL and one or more certificates and converts them into a PKCS#7 degenerate "certificates only"
       structure.

COMMAND OPTIONS

       -inform DER|PEM
	   This specifies the CRL input format. DER format is DER encoded CRL structure.PEM (the default) is a base64 encoded version of the DER
	   form with header and footer lines.

       -outform DER|PEM
	   This specifies the PKCS#7 structure output format. DER format is DER encoded PKCS#7 structure.PEM (the default) is a base64 encoded
	   version of the DER form with header and footer lines.

       -in filename
	   This specifies the input filename to read a CRL from or standard input if this option is not specified.

       -out filename
	   specifies the output filename to write the PKCS#7 structure to or standard output by default.

       -certfile filename
	   specifies a filename containing one or more certificates in PEM format.  All certificates in the file will be added to the PKCS#7
	   structure. This option can be used more than once to read certificates form multiple files.

       -nocrl
	   normally a CRL is included in the output file. With this option no CRL is included in the output file and a CRL is not read from the
	   input file.

EXAMPLES

       Create a PKCS#7 structure from a certificate and CRL:

	openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem

       Creates a PKCS#7 structure in DER format with no CRL from several different certificates:

	openssl crl2pkcs7 -nocrl -certfile newcert.pem
	       -certfile demoCA/cacert.pem -outform DER -out p7.der

NOTES

       The output file is a PKCS#7 signed data structure containing no signers and just certificates and an optional CRL.

       This utility can be used to send certificates and CAs to Netscape as part of the certificate enrollment process. This involves sending the
       DER encoded output as MIME type application/x-x509-user-cert.

       The PEM encoded form with the header and footer lines removed can be used to install user certificates and CAs in MSIE using the Xenroll
       control.

SEE ALSO

       pkcs7(1)

1.0.0								    2002-07-09							      CRL2PKCS7(1)
Man Page