Installation Locations for P11 kit

David Woodhouse dwmw2 at
Tue Oct 9 17:44:36 UTC 2018

On Tue, 2018-10-09 at 17:28 +0000, Roberts, William C wrote:
> Hello,
> I started a PKCS11 project for TPM 2.0 and we have this bug report:
> I'm looking for guidance on how best to configure our settings to be
> compatible with P11 and best practices surrounding install locations.
> Any help/comments would be appreciated.

Really, do what it says in the ticket :)

The ideal location for installing your provider library is obtained

$ pkg-config --variable=p11_module_path p11-kit-1

The location for your module file is given by this command:

$ pkg-config --variable=p11_module_configs p11-kit-1

The idea is that you just install it, then it works everywhere. Any
well-behaved application can now take a PKCS#11 URI according to
RFC7512 instead of a filename for a key, and it'll find your token.

See for an example of
how this works. I see you're at Intel, so you use OpenConnect for your
VPN. You should be able to import your key from ~/.certs into the TPM
PKCS#11 token, then OpenConnect should be able to use it from there.
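
The two pkg-config queries above, combined into an install step. This is an added example, not part of the original message or of either project's code; the library name libexample-pkcs11.so and the module name example-tpm2 are hypothetical, and the writable-directory check is an extra precaution the message does not mention.

```shell
#!/bin/sh
# Added example, not from the original message. The library and module
# names used with it (libexample-pkcs11.so, example-tpm2) are hypothetical.

# Ask p11-kit's pkg-config data for one of its install directories.
# $1 is p11_module_path or p11_module_configs.
p11_dir() {
    pkg-config --variable="$1" p11-kit-1
}

# Copy a provider library into the module directory and write the
# .module file that registers it.
# $1 = built library, $2 = module dir, $3 = config dir, $4 = module name
register_module() {
    lib=$1; moddir=$2; cfgdir=$3; name=$4
    [ -f "$lib" ] || { echo "no such library: $lib" >&2; return 1; }
    mkdir -p "$moddir" "$cfgdir" || return 1
    # Applications using p11-kit load the modules registered here, so
    # refuse a directory that group or other can write to.
    for d in "$moddir" "$cfgdir"; do
        case $(ls -ld "$d" | cut -c1-10) in
            ?????w*|????????w*)
                echo "refusing group/world-writable directory: $d" >&2
                return 1 ;;
        esac
    done
    cp "$lib" "$moddir/" || return 1
    chmod 0755 "$moddir/$(basename "$lib")" || return 1
    # A relative "module:" value is resolved against the default module
    # directory, so the bare file name is enough.
    printf 'module: %s\n' "$(basename "$lib")" > "$cfgdir/$name.module" || return 1
    chmod 0644 "$cfgdir/$name.module"
}

# Usage: sh register.sh --install ./libexample-pkcs11.so example-tpm2
if [ "${1:-}" = "--install" ]; then
    register_module "$2" "$(p11_dir p11_module_path)" \
        "$(p11_dir p11_module_configs)" "$3"
fi
```

After a real install, `p11-kit list-modules` should show the new module alongside the others.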
