p11-kit

p11-kit

--help
    Display help text and exit.

--version
    Display version information and exit.

The p11-kit system provides a way to configure and use PKCS#11 modules. It aggregates PKCS#11 module information from various sources, making it easier for applications to discover and use them.

It also resolves common problems like module initialization conflicts when multiple applications load the same PKCS#11 module. p11-kit also provides a standard trust module which stores certificates, keys, and certificate revocation lists (CRLs).

This standardized configuration mechanism reduces application complexity and improves security by consolidating trust anchors and certificate management in a central place. Applications link to the p11-kit library, which handles the details of loading, initializing, and managing PKCS#11 modules on behalf of the application.

The p11-kit command itself has limited direct user interaction. Most functionality is exposed through libraries used by other applications. It relies on a complex configuration and trust store which might be difficult to understand and debug.

The configuration files for p11-kit are typically located in /etc/pkcs11/modules and /usr/share/pkcs11/modules. These files define the location and properties of PKCS#11 modules.

p11-kit also provides a standardized trust module which stores certificates, keys and certificate revocation lists (CRLs). This trust module is configured to be used in applications to provide default trust anchors.

The p11-kit project was created to address shortcomings in existing PKCS#11 module management solutions. Specifically it aims to simplify the configuration and discovery of PKCS#11 modules for applications, reduce initialization conflicts, and centralize trust management. The project gained traction as a standard library for managing PKCS#11 modules across various Linux distributions.

pkcs11-tool(1)