Defining header for stapled certificate extensions

Stef Walter stefw at
Fri Sep 12 03:52:15 PDT 2014

On 11.09.2014 18:12, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-09-11 at 11:09 +0200, Nikos Mavrogiannopoulos wrote:
>> I'm at this point where I read an anchor certificate, its
>> CKA_PUBLIC_KEY_INFO (to avoid me parsing the certificate), from the
>> trust module. Then I construct a FindObjects query with
>> CKO_X_CERTIFICATE_EXTENSION, and as CKA_CLASS and the provided
>> What should I expect as an answer? My guess would be that there will
>> always be a stapled extension for an anchor certificate that indicates
>> its purpose (i.e., the ExtendedKeyUsage extension). Is that correct? (I
>> don't get any stapled extension as answer, and I'm wondering whether
>> there is something wrong in my code or the no extensions answer is
>> expected).
>> Is there some easy way to add custom stapled (or attached) extensions in
>> order to test that code?
> I seemed to use a default trust module with no extensions. By switching
> to the directories used in Fedora it seems to work fine.

Yes. For the record on fedora this ./configure (or ./
argument does the trick:




More information about the p11-glue mailing list