p11-kit

p11-kit [command] [options]

p11-kit provides a way to load and enumerate PKCS#11 modules on a system. It acts as a proxy, allowing applications to use a single PKCS#11 module that aggregates access to all registered tokens (smart cards, HSMs, software tokens).The extract command is commonly used to export CA certificates from trust stores into PEM bundles or other formats usable by applications like web servers and curl.

list-modules

List PKCS#11 modules.

List tokens.

List objects.

Extract certificates and trust policy from the shared trust store.

Run a PKCS#11 server exposing tokens on a local socket.

Expose a PKCS#11 module remotely over stdin/stdout.

Generate a key pair on a token (rsa, ecdsa, eddsa).

Create a new profile object on a token.

Delete a profile object from a token.

Output format for extract (e.g., pem-bundle, x509-directory).

Certificate filter for extract (e.g., ca-anchors, trust-policy, blocklist, certificates).

Run in verbose mode with debug output.

Run in quiet mode without warnings.

Module configuration is system-wide in /etc/pkcs11/modules/. Root privileges required for system trust store changes. Applications using GnuTLS or NSS often depend on p11-kit for certificate trust management.

p11-kit was created to unify PKCS#11 module management across applications.

trust(1), pkcs11-tool(1), openssl(1)