p11-kit
Manage PKCS#11 module configuration and discovery
SYNOPSIS
p11-kit command [options]
p11-kit [--version] [--help]
PARAMETERS
list-modules
Lists all configured PKCS#11 modules recognized by p11-kit.
list-tokens
Enumerates cryptographic tokens found in the configured PKCS#11 modules, displaying their labels and IDs.
extract
Extracts certificates and trust information (e.g., CA certificates, anchors) from configured modules. Common options include --module, --filter, --login, and --format.
dump
Dumps raw PKCS#11 object attributes from tokens. Useful for detailed inspection of keys, certificates, and other cryptographic objects. Supports options like --module, --token, --filter, and --login.
server
Runs a daemon that proxies PKCS#11 operations over a socket, allowing applications to communicate with tokens remotely or in sandboxed environments.
generate-proxy-config
Generates a configuration file for applications to easily connect to the p11-kit proxy module.
module-lookup
Looks up details about a specific PKCS#11 module by name or path.
test-trust
Tests certificate trust policy application and certificate chain validation using the system's trust store.
test-pkcs11
Runs a series of tests against a specified PKCS#11 module to verify its functionality and compliance.
DESCRIPTION
p11-kit is a set of tools and a library designed to manage PKCS#11 modules and make them accessible to applications. PKCS#11 is a standard interface to cryptographic tokens such as smart cards and Hardware Security Modules (HSMs).

p11-kit acts as a central proxy, aggregating multiple installed PKCS#11 modules into a single, unified interface. This allows applications to discover and use any available cryptographic token without needing to know the specific path or details of each individual module. It provides a robust configuration system, typically through files in /etc/pkcs11/modules/, to register and configure modules system-wide.

Beyond module aggregation, p11-kit also integrates with the system's trust store, making certificates and trust anchors available through its PKCS#11 interface. By centralizing cryptographic token management it simplifies the deployment and use of cryptography across applications, from web browsers to SSH clients.
CAVEATS
For p11-kit to function correctly, PKCS#11 module libraries must be properly configured via `.module` files in standard paths like /etc/pkcs11/modules/.
PIN prompts for cryptographic tokens often occur on the terminal where the command is executed, which might require specific handling for GUI applications.
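Because every library named in a .module file is loaded into each process that uses p11-kit, the configuration directory deserves a periodic review. The following script is an added example, not part of p11-kit: it walks the .module files in a directory, reads each file's module: key, and reports libraries that are missing or writable by group or other. It assumes that a relative module path is resolved against a library directory (defaulting here to /usr/lib/pkcs11, which is an assumption; check your distribution's actual default).

```shell
#!/bin/sh
# Audit p11-kit module configuration (added example, not p11-kit's own code).
# Usage: check_module_dir /etc/pkcs11/modules [LIBDIR]
# Returns 0 when every configured module passes, 1 otherwise.

check_module_dir() {
    dir="$1"                          # directory holding *.module files
    libdir="${2:-/usr/lib/pkcs11}"    # assumed base for relative module: paths
    rc=0
    for f in "$dir"/*.module; do
        [ -e "$f" ] || continue       # no .module files at all
        # First "module:" key with surrounding whitespace removed.
        lib=$(sed -n 's/^module:[[:space:]]*//p' "$f" | head -n 1 \
              | sed 's/[[:space:]]*$//')
        if [ -z "$lib" ]; then
            echo "WARN $f: no module: line"
            rc=1
            continue
        fi
        case "$lib" in
            /*) path="$lib" ;;                # absolute path used as-is
            *)  path="$libdir/$lib" ;;        # relative path under libdir
        esac
        if [ ! -f "$path" ]; then
            echo "FAIL $f: $path does not exist"
            rc=1
            continue
        fi
        # Mode string from ls -ld: char 6 is group write, char 9 is other write.
        mode=$(ls -ld "$path")
        case "$mode" in
            ?????w*|????????w*)
                echo "FAIL $f: $path is writable by group or other"
                rc=1 ;;
            *)
                echo "OK   $f: $path" ;;
        esac
    done
    return $rc
}
```

Run it against /etc/pkcs11/modules/ (and any per-user module directory in use) after installing or upgrading a PKCS#11 provider.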
HISTORY
p11-kit was developed by Red Hat and first appeared around 2011-2012. Its creation addressed the fragmented nature of PKCS#11 module management on Linux systems, aiming to provide a unified framework for applications to discover and utilize cryptographic tokens. It rapidly became a fundamental component in many Linux distributions, including Fedora and RHEL, standardizing system-wide access to hardware and software cryptographic modules and integrating with the common trust store.
SEE ALSO
pkcs11-tool(1), modutil(1), certutil(1), openssl(1), update-ca-certificates(8)