How to setup "p11-kit-proxy" to allow public access to certificates?

Steve Ross sross at
Mon Sep 26 17:30:14 UTC 2022

P11-glue list,

I am trying to include some Network Security Services (NSS) 
functionality  while also using "p11-kit-proxy", but (so far) I'm unable 
to do so.  In particular, I want to make NSS treat X.509 certificates on 
a smart card as public, so that the user can access them without first 
providing a PIN for the card.   I'm hoping that someone on this list can 
provide some direction to me.

In the past, when not using "p11-kit-proxy", I could accomplish adding a 
PKCS #11 module to the system database, and also making the module treat 
the certificates as "public", by using a command like:

    $ modutil -add opensc -mechanisms FRIENDLY -libfile
    /usr/lib64/pkcs11/ -dbdir sql:/etc/pki/nssdb

where the command added the "opensc" library to the output of "modutil 
-list" and where the "-mechanisms FRIENDLY" option added an "NSS=" line 
to the file "/etc/pki/nssdb/pkcs11.txt" like:
    NSS=slotParams={0x00000001=[slotFlags=PublicCerts ]
    0x00000002=[slotFlags=PublicCerts ]  }

With this configuration, when I execute a "certutil" command to 
manipulate certificates, the command provides a response without first 
prompting for a PIN for the token.

However, when my system is using "p11-kit-proxy",  the module entry of 
"opensc" no longer appears in the output of "modutil -list"; instead the 
entry is "p11-kit-proxy".  How would I configure "p11-kit-proxy" to pass 
along the "PublicCerts" setting to the module(s) for which it is the proxy?

Would I add a name/value pair to the file 
"/usr/share/p11-kit/modules/opensc.module"?  If so, what name/value 
pair?  (I'm actually not using the OpenSC module, but another PKCS #11 

I have tried directly editing the files of "/etc/pki/nssdb/pkcs11.txt"  
and "/etc/crypto-policies/back-ends/nss.config" to add the "NSS=..." 
line, but "certutil" still prompts for a PIN.

Thanks for any suggestions,
-- Steve Ross
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the p11-glue mailing list