diff options
Diffstat (limited to 'doc/manual/p11-kit-trust.xml')
-rw-r--r-- | doc/manual/p11-kit-trust.xml | 128 |
1 files changed, 0 insertions, 128 deletions
diff --git a/doc/manual/p11-kit-trust.xml b/doc/manual/p11-kit-trust.xml deleted file mode 100644 index dde614c..0000000 --- a/doc/manual/p11-kit-trust.xml +++ /dev/null @@ -1,128 +0,0 @@ -<?xml version="1.0"?> -<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" -[ - <!ENTITY sysdir SYSTEM "sysdir.xml"> - <!ENTITY userdir SYSTEM "userdir.xml"> -]> - -<chapter xml:id="trust-module"> -<title>Trust Policy Module</title> - - <para>The trust module provides system certificate anchors, blacklists - and other trust policy to crypto libraries applications. This - information is exposed as PKCS#11 objects.</para> - - <para>You can use the <link linkend="trust">trust</link> command line - tool to examine and modify the trust policy store.</para> - -<section id="trust-files"> - <title>Paths loaded by the Module</title> - - <para>The trust module loads certificates and trust policy information - from preconfigured paths and allows them to be looked up via PKCS#11. - The input paths can be determined with using the following command:</para> - -<programlisting> -$ pkg-config --variable p11_trust_paths p11-kit-1 -/usr/share/p11-kit/trust:/etc/pki/trust -</programlisting> - - <para>Files in the following formats are supported for loading by the - trust policy module:</para> - - <variablelist> - <varlistentry> - <term>X.509 certificates</term> - <listitem><para>X.509 certificates in raw DER format. Does not - automatically contain trust policy information.</para></listitem> - </varlistentry> - <varlistentry> - <term>PEM certificates</term> - <listitem><para>X.509 certificates in PEM format. These have a - <literal>BEGIN CERTIFICATE</literal> header. This file does not - automatically contain trust policy information.</para></listitem> - </varlistentry> - <varlistentry> - <term>OpenSSL trust certificates</term> - <listitem><para>OpenSSL specific certificates in PEM format - that contain trust information. These have a - <literal>BEGIN TRUSTED CERTIFICATE</literal> PEM header. Both - trust anchor and blacklist information can be loaded - from these files.</para></listitem> - </varlistentry> - </variablelist> - - <para>If the input path is a file, then it is loaded. Certificate(s) in the - file are automatically treated as anchors, unless they contain alternate - trust policy information.</para> - - <para>If the input path is a directory, files inside that directory are - parsed and loaded. If the file contains trust policy information (such as the - OpenSSL trust certificates) then it will be respected. Files without trust policy - information are not automatically marked as an anchor or blacklisted.</para> - - <para>In addition two optional subdirectories of the input path are loaded. Files - placed in the <literal>anchors/</literal> subdirectory become trust anchors - when they do not contain trust policy information. Files placed in the - <literal>blacklist/</literal> subdirectory are blacklisted whether they - contain trust information or not.</para> - - <para>The first input path becomes the first PKCS#11 token of the trust - module, and has the highest priority when callers search for trust - policy information.</para> -</section> - -<section id="trust-nss"> - <title>Using the Trust Policy Module with NSS</title> - - <para>The trust policy module is a drop in replacement for the - <literal>libnssckbi.so</literal> module and thus works out of - the box with NSS. The trust policy module provides NSS style - PKCS#11 trust objects for NSS to retrieve.</para> - - <para>The module may be used to replace the - <literal>libnssckbi.so</literal> file via an distribution - specific alternatives mechanism or otherwise.</para> - - <para>Alternatively NSS applications like Firefox or Thunderbird - may be configured to use the trust policy module by adding - the <literal>p11-kit-trust.so</literal> PKCS#11 module via their - GUI or command line configuration.</para> -</section> - -<section id="trust-glib-networking"> - <title>Using the Trust Policy Module with glib-networking</title> - - <para>The trust policy module can be used as a source of trust - information for glib-networking's <literal>gnutls-pkcs11</literal> backend. - The module provides PKCS#11 trust assertion objects as expected.</para> - - <para>The module should work by default if the <literal>gnutls-pkcs11</literal> - backend is selected as the glib-networking TLS backend.</para> -</section> - -<section id="trust-disable"> - <title>Disabling the Trust Policy Module</title> - - <para>This module is installed and enabled by default. It may - be disabled in the following ways:</para> - - <itemizedlist> - <listitem><para>Use the <option>--disable-trust-module</option> - during the <link linkend="devel-building-configure">p11-kit - build</link>.</para></listitem> - <listitem><para>Disable loading trust policy information - from this module by adding a file to <literal>&sysdir;/modules</literal> - called <literal>p11-kit-trust.module</literal> containing a - <literal>trust-policy: no</literal> line.</para></listitem> - - <listitem><para>Disable this module completely by - adding a file to <literal>&sysdir;/modules</literal> - called <literal>p11-kit-trust.module</literal> containing a - <literal>enable-in:</literal> line (without a value).</para></listitem> - </itemizedlist> - -</section> - -</chapter> |