how to make gnutls trust p11-kit's ca-anchors?

Stef Walter stefw at
Thu Jul 4 06:55:10 PDT 2013

On 04.07.2013 14:57, Ludwig Nussel wrote:
> I'm currently wiring up p11-kit in openSUSE. One thing I'm currently
> struggling with is gnutls. The package is built in a way that makes
> p11-kit appear out of the box, ie p11tool --list-all has all root
> certificates. How can I make gnutls use them as trust anchors though?
> Ie what is the correct URL to pass to e.g gnutls-cli --x509cafile?
> Maybe it doesn't work right away because 'p11tool --list-all-trusted'
> doesn't list the certs as trusted?

Hmmm, Nikos might know off hand, but I'll test it and report back.

I know the code to load certificate anchors from the trust module
directly is recent. For example, in Fedora is not relying on that
feature yet, and instead extract a bundle for gnutls to use. But hope to
change that soon.



More information about the p11-glue mailing list