p11-kit-0.24.0
Installation of p11-kit
Prepare the distribution specific anchor hook:
sed '20,$ d' -i trust/trust-extract-compat &&
cat >> trust/trust-extract-compat << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications
# Generate a new trust store
/usr/sbin/make-ca -f -g
EOF
Install p11-kit by running the
following commands:
mkdir p11-build &&
cd p11-build &&
meson --prefix=/usr \
--buildtype=release \
-Dtrust_paths=/etc/pki/anchors &&
ninja
To test the results, issue: ninja
test.
Now, as the root
user:
ninja install &&
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
/usr/bin/update-ca-certificates
Command Explanations
--buildtype=release
:
Specify a buildtype suitable for stable releases of the package, as
the default may produce unoptimized binaries.
-Dtrust_paths=/etc/pki/anchors
: this
switch sets the location of trusted certificates used by
libp11-kit.so.
-Dhash_impl=freebl
: Use this switch if
you want to use the Freebl library from NSS for SHA1 and MD5 hashing.
-Dgtk_doc=true
: Use this switch if you
have installed GTK-Doc-1.33.2 and libxslt-1.1.34
and wish to rebuild the documentation and generate manual pages.
Configuring p11-kit
The p11-kit trust module
(/usr/lib/pkcs11/p11-kit-trust.so
)
can be used as a drop-in replacement for /usr/lib/libnssckbi.so
to transparently make the
system CAs available to NSS aware
applications, rather than the static list provided by /usr/lib/libnssckbi.so
. As the root
user, execute the following commands:
ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
Contents
Installed Programs:
p11-kit, trust, and
update-ca-certificates
Installed Libraries:
libp11-kit.so and p11-kit-proxy.so
Installed Directories:
/etc/pkcs11, /usr/include/p11-kit-1,
/usr/lib/pkcs11, /usr/libexec/p11-kit,
/usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit
Short Descriptions
p11-kit
|
is a command line tool that can be used to perform
operations on PKCS#11 modules configured on the system
|
trust
|
is a command line tool to examine and modify the shared
trust policy store
|
update-ca-certificates
|
is a command line tool to both extract local certificates
from an updated anchor store, and regenerate all anchors
and certificate stores on the system. This is done
unconditionally on BLFS using the --force and --get flags to make-ca and should
likely not be used for automated updates
|
libp11-kit.so
|
contains functions used to coordinate initialization and
finalization of any PKCS#11 module
|
p11-kit-proxy.so
|
is the PKCS#11 proxy module
|
Last updated on