Modifying a trust anchor in one .p11-kit file via another .p11-kit file?
jeremyrand at airmail.cc
Wed Feb 28 10:41:18 UTC 2018
I'm doing a few experiments with p11-kit's trust module. I'm wondering
if it's possible to modify a trust anchor that exists in a .p11-kit file
via some syntax that I could place in a different .p11-kit file. In
particular, I want to apply some extra constraints to a root CA from the
Mozilla CA list, but I don't want to edit the .p11-kit file that
contains the Mozilla CA list, since that file is managed by Fedora's
package manager and will presumably get overwritten periodically outside
of my control. So I figure it would be useful to put those extra
constraints in a different .p11-kit file that isn't managed by the
I have no idea whether this is a supported use case at the moment. In
my testing, I wasn't able to make any extra constraints take effect
unless they were part of the .p11-kit file that contains the Mozilla CA
list, but I'm pretty new to p11-kit, so I wouldn't be at all surprised
if I'm simply doing something wrong. I figure I should probably check
whether this is even intended to be possible before I continue trying to
debug why it's not working for me. (The lack of documentation of the
.p11-kit format definitely doesn't make it any easier for me to tell if
I'm doing something wrong.)
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the p11-glue