Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

This package is known to build and work properly using an LFS-8.3 platform.

Package Information

p11-kit Dependencies



make-ca-1.2 (runtime), NSS-3.41 (runtime), GTK-Doc-1.29 and libxslt-1.1.33

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit

Installation of p11-kit

Prepare the distribution specific anchor hook:

sed '20,$ d' -i trust/trust-extract-compat.in &&
cat >> trust/trust-extract-compat.in << "EOF"
# Copy existing anchor modifications to /etc/ssl/local

# Generate a new trust store
/usr/sbin/make-ca -f -g
EOF

Install p11-kit by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &&
make

To test the results, issue: make check. One test, test-token 6, is known to fail.

Now, as the root user:

make install &&
ln -s /usr/libexec/p11-kit/trust-extract-compat \

Command Explanations

--with-trust-paths=/etc/pki/anchors: This switch sets the location of trusted certificates used by libp11-kit.so.

--with-hash-impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.

--enable-doc: Use this switch if you have installed GTK-Doc-1.29 and libxslt-1.1.33 and wish to rebuild the documentation and generate manual pages.

Configuring p11-kit

The p11-kit trust module (/usr/lib/pkcs11/p11-kit-trust.so) can be used as a drop-in replacement for /usr/lib/libnssckbi.so to transparently make the system CAs available to NSS-aware applications, rather than the static list provided by /usr/lib/libnssckbi.so. As the root user, execute the following commands:

if [ -e /usr/lib/libnssckbi.so ]; then
  readlink /usr/lib/libnssckbi.so ||
  rm -v /usr/lib/libnssckbi.so    &&
  ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
fi
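
A post-install check for the symlink swap above, as an added example that is not part of the original instructions. It reports whether libnssckbi.so is still the static NSS list, resolves to p11-kit-trust.so, or points somewhere unexpected; nssckbi_state and make_fixture are hypothetical helper names, and the fixture tree is constructed.

```shell
#!/bin/sh
# Added example: classify the state of libnssckbi.so under a given root.
# nssckbi_state is a hypothetical helper; an empty ROOT means the live system.
nssckbi_state() {
    root=${1:-}
    lib="$root/usr/lib/libnssckbi.so"
    trust="$root/usr/lib/pkcs11/p11-kit-trust.so"

    if [ -L "$lib" ]; then
        if [ ! -e "$lib" ]; then
            echo dangling        # symlink whose target does not exist
        elif [ -e "$trust" ] && [ "$lib" -ef "$trust" ]; then
            echo p11-kit         # resolves to the p11-kit trust module
        else
            echo other-link      # resolves to some other file: investigate
        fi
    elif [ -e "$lib" ]; then
        echo static              # regular file: the static CA list from NSS
    else
        echo missing             # no libnssckbi.so, nothing to replace
    fi
}

# Constructed fixture: a throwaway tree reproducing one named state.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib/pkcs11"
    : > "$d/usr/lib/pkcs11/p11-kit-trust.so"
    case $1 in
        static)     : > "$d/usr/lib/libnssckbi.so" ;;
        p11-kit)    ln -s ./pkcs11/p11-kit-trust.so "$d/usr/lib/libnssckbi.so" ;;
        other-link) : > "$d/usr/lib/other.so"
                    ln -s ./other.so "$d/usr/lib/libnssckbi.so" ;;
        dangling)   ln -s ./gone.so "$d/usr/lib/libnssckbi.so" ;;
    esac
    echo "$d"
}

# Report the state of the live system, or of the root given as $1.
nssckbi_state "${1:-}"
```

Any result other than p11-kit after running the commands above means NSS-aware applications are not reading the system trust store through the trust module.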


Installed Programs: p11-kit and trust
Installed Libraries: libp11-kit.so and p11-kit-proxy.so
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/{p11-kit,pkcs11}, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit

Short Descriptions


p11-kit is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.


trust is a command line tool to examine and modify the shared trust policy store.


is a command line tool to both extract local certificates from an updated anchor store, and regenerate all anchors and certificate stores on the system.


libp11-kit.so contains functions used to coordinate initialization and finalization of any PKCS#11 module.


p11-kit-proxy.so is the PKCS#11 proxy module.

Last updated on 2019-01-01 23:30:48 -0600