Back to main site | Back to man page index

TRUST(1)                                            User Commands                                            TRUST(1)



NAME
       trust - Tool for operating on the trust policy store

SYNOPSIS
       trust list

       trust extract --filter=<what> --format=<type> /path/to/destination

       trust anchor /path/to/certificate.crt

DESCRIPTION
       trust is a command line tool to examine and modify the shared trust policy store.

       See the various sub commands below. The following global options can be used:

       -v, --verbose
           Run in verbose mode with debug output.

       -q, --quiet
           Run in quiet mode without warning or failure messages.

LIST
       List trust policy store items.

           $ trust list

       List information about the various items in the trust policy store. Each item is listed with it's PKCS#11 URI
       and some descriptive information.

       You can specify the following options to control what to list.

       --filter=<what>
           Specifies what certificates to extract. You can specify the following values:

           ca-anchors
               Certificate anchors

           trust-policy
               Anchors and blacklist (default)

           blacklist
               Blacklisted certificates

           certificates
               All certificates

           pkcs11:object=xx
               A PKCS#11 URI to filter with

           If an output format is chosen that cannot support type what has been specified by the filter, a message
           will be printed.

           None of the available formats support storage of blacklist entries that do not contain a full certificate.
           Thus any certificates blacklisted by their issuer and serial number alone, are not included in the
           extracted blacklist.

           code-signing
               For authenticated signed code

           1.2.3.4.5...
               An arbitrary purpose OID


ANCHOR
       Store or remove trust anchors.

           $ trust anchor /path/to/certificate.crt
           $ trust anchor --remove /path/to/certificate.crt
           $ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;object-type=cert"

       Store or remove trust anchors in the trust policy store. These are usually root certificate authorities.

       Specify either the --store or --remove operations. If no operation is specified then --store is assumed.

       When storing, one or more certificate files are expected on the command line. These are stored as anchors,
       unless they are already present.

       When removing an anchor, either specify certificate files or PKCS#11 URI's on the command line. Matching
       anchors will be removed.

       It may be that this command needs to be run as root in order to modify the system trust policy store, if no
       user specific store is available.

       You can specify the following options.

       --remove
           Remove one or more anchors from the trust policy store. Specify certificate files or PKCS#11 URI's on the
           command line.

       --store
           Store one or more anchors to the trust policy store. Specify certificate files on the command line.

EXTRACT
       Extract trust policy from the shared trust policy store.

           $ trust extract --format=x509-directory --filter=ca-anchors /path/to/directory

       You can specify the following options to control what to extract. The --filter and --format arguments should
       be specified. By default this command will not overwrite the destination file or directory.

       --comment
           Add identifying comments to PEM bundle output files before each certificate.

       --filter=<what>
           Specifies what certificates to extract. You can specify the following values:

           ca-anchors
               Certificate anchors (default)

           trust-policy
           will be printed.

           None of the available formats support storage of blacklist entries that do not contain a full certificate.
           Thus any certificates blacklisted by their issuer and serial number alone, are not included in the
           extracted blacklist.

       --format=<type>
           The format of the destination file or directory. You can specify one of the following values:

           x509-file
               DER X.509 certificate file

           x509-directory
               directory of X.509 certificates

           pem-bundle
               File containing one or more certificate PEM blocks

           pem-directory
               Directory PEM files each containing one certifiacte

           openssl-bundle
               OpenSSL specific PEM bundle of certificates

           openssl-directory
               Directory of OpenSSL specific PEM files

           java-cacerts
               Java keystore 'cacerts' certificate bundle


       --overwrite
           Overwrite output file or directory.

       --purpose=<usage>
           Limit to certificates usable for the given purpose You can specify one of the following values:

           server-auth
               For authenticating servers

           client-auth
               For authenticating clients

           email
               For email protection

           code-signing
               For authenticated signed code

           1.2.3.4.5...
               An arbitrary purpose OID


EXTRACT COMPAT

       https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&component=p11-kit.

SEE ALSO
       p11-kit(8)

       An explanatory document about storing trust policy: http://p11-glue.freedesktop.org/doc/storing-trust-policy/

       Further details available in the p11-kit online documentation at http://p11-glue.freedesktop.org/doc/p11-kit/.



p11-kit                                                                                                      TRUST(1)