Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

This package is known to build and work properly using an LFS-8.3 platform.

Package Information

p11-kit Dependencies



make-ca-0.9 (runtime), nss (runtime), gtk-doc and libxslt

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit

Installation of p11-kit

Install p11-kit by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &&

To test the results, issue: make check. One test, test-token 6, is known to fail.

Now, as the root user:

make install

Command Explanations

--with-trust-paths=/etc/pki/anchors: this switch sets the location of trusted certificates used by libp11-kit.so.

--with-hash-impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.

--enable-doc: Use this switch if you have installed gtk-doc and libxslt and wish to rebuild the documentation and generate manual pages.

Configuring p11-kit

The p11-kit trust module (/usr/lib/pkcs11/p11-kit-trust.so) can be used as a drop-in replacement for /usr/lib/libnssckbi.so to transparently make the system CAs available to NSS aware applications, rather than the static list provided by /usr/lib/libnssckbi.so. As the root user, execute the following commands:

if [ -e /usr/lib/libnssckbi.so ]; then
  readlink /usr/lib/libnssckbi.so ||
  rm -v /usr/lib/libnssckbi.so    &&
  ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so


Installed Program: p11-kit and trust
Installed Libraries: libp11-kit.so and p11-kit-proxy.so
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/{p11-kit,pkcs11}, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit

Short Descriptions


is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.


is a command line tool to examine and modify the shared trust policy store.


contains functions used to coordinate initialization and finalization of any PKCS#11 module.


is the PKCS#11 proxy module.

Last updated on 2018-09-22 16:32:07 -0700