how to make gnutls trust p11-kit's ca-anchors?

David Woodhouse dwmw2 at
Thu Jul 4 07:07:45 PDT 2013

On Thu, 2013-07-04 at 15:55 +0200, Stef Walter wrote:
> On 04.07.2013 14:57, Ludwig Nussel wrote:
> > I'm currently wiring up p11-kit in openSUSE. One thing I'm currently
> > struggling with is gnutls. The package is built in a way that makes
> > p11-kit appear out of the box, ie p11tool --list-all has all root
> > certificates. How can I make gnutls use them as trust anchors though?
> > Ie what is the correct URL to pass to e.g gnutls-cli --x509cafile?
> > Maybe it doesn't work right away because 'p11tool --list-all-trusted'
> > doesn't list the certs as trusted?
> Hmmm, Nikos might know off hand, but I'll test it and report back.
> I know the code to load certificate anchors from the trust module
> directly is recent. For example, in Fedora is not relying on that
> feature yet, and instead extract a bundle for gnutls to use. But hope to
> change that soon.

Note that GnuTLS didn't automatically detect the OpenSUSE bundle
in /etc/ssl/ca-bundle.pem until fairly recently (commit 35341565 in
master). Is that the problem?

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list