Modifying a trust anchor in one .p11-kit file via another .p11-kit file?

Jeremy Rand jeremyrand at
Wed Feb 28 10:41:18 UTC 2018


I'm doing a few experiments with p11-kit's trust module.  I'm wondering
if it's possible to modify a trust anchor that exists in a .p11-kit file
via some syntax that I could place in a different .p11-kit file.  In
particular, I want to apply some extra constraints to a root CA from the
Mozilla CA list, but I don't want to edit the .p11-kit file that
contains the Mozilla CA list, since that file is managed by Fedora's
package manager and will presumably get overwritten periodically outside
of my control.  So I figure it would be useful to put those extra
constraints in a different .p11-kit file that isn't managed by the
package manager.

I have no idea whether this is a supported use case at the moment.  In
my testing, I wasn't able to make any extra constraints take effect
unless they were part of the .p11-kit file that contains the Mozilla CA
list, but I'm pretty new to p11-kit, so I wouldn't be at all surprised
if I'm simply doing something wrong.  I figure I should probably check
whether this is even intended to be possible before I continue trying to
debug why it's not working for me.  (The lack of documentation of the
.p11-kit format definitely doesn't make it any easier for me to tell if
I'm doing something wrong.)

-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy at is having technical issues at the

More information about the p11-glue mailing list