PackagingDrafts/PKCS11

Summary

  • Packages providing PKCS#11 modules SHOULD also provide a corresponding file in /etc/pkcs11/modules in accordance with the p11-kit documentation, so that the new module is visible to seahorse, GnuTLS and all applications using p11-kit.
  • PKCS#11 modules SHOULD silently fail to load if their corresponding hardware is not present, or in the case of pure software tokens such as SoftHSM if there is no storage configured for the user in question.
  • Packages which use SSL certificates/keys SHOULD support using certs/keys from PKCS#11 tokens.
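For the first item, a packager can lint the module files a package would install before shipping them. The script below is an added example, not Fedora or p11-kit code. It assumes the p11-kit configuration format (files named `<name>.module` containing a `module:` line), and the function names and the `example-token` module are hypothetical.

```shell
# Added example, not Fedora or p11-kit code. Assumed from the p11-kit
# configuration format: files are named <name>.module and carry a
# "module: <library>" line.

# check_module_file FILE [ROOT]: return 0 if FILE looks loadable, else 1.
# ROOT is an optional buildroot prefix for absolute library paths.
check_module_file() {
    f=$1 root=${2:-}
    case $f in
        *.module) ;;
        *) echo "FAIL $f: name does not end in .module"; return 1 ;;
    esac
    # Applications dlopen() whatever this file names, so nobody but the
    # owner may be able to rewrite it.
    if [ -n "$(find -H "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL $f: group- or world-writable"; return 1
    fi
    # Value of the first non-comment "module:" line, trailing blanks removed.
    lib=$(sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$f" |
          sed -e 's/[[:space:]]*$//' -e 1q)
    case $lib in
        '') echo "FAIL $f: no module: value, nothing would be loaded"; return 1 ;;
        /*) [ -e "$root$lib" ] ||
                { echo "FAIL $f: $lib missing under ${root:-/}"; return 1; } ;;
        *)  echo "NOTE $f: $lib is resolved in p11-kit's module directory" ;;
    esac
    echo "OK   $f -> $lib"
}

# lint_module_dir DIR [ROOT]: check every file in DIR; the return status
# is the number of files that failed.
lint_module_dir() {
    dir=$1 fails=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_module_file "$f" "${2:-}" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample tree; "example-token" is a hypothetical module name.
umask 022
demo=$(mktemp -d); m=$demo/etc/pkcs11/modules
mkdir -p "$m" "$demo/usr/lib64/pkcs11"
: > "$demo/usr/lib64/pkcs11/example-token.so"
printf 'module: /usr/lib64/pkcs11/example-token.so\n' > "$m/example-token.module"
printf 'module: /usr/lib64/pkcs11/missing.so\n' > "$m/broken.module"
lint_module_dir "$m" "$demo" || echo "failing files: $?"
rm -rf "$demo"
```

In a spec file's `%check` section the same function can be pointed at the module directory inside the buildroot, with the buildroot as the second argument.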

Rationale

PKCS#11 is much too hard to set up and use. With p11-kit it gets a little saner. You can import certs into your tokens with the seahorse GUI, and choose available certs with GUI widgets like the GcrComboSelector.

For non-GUI users, you can also run p11tool --list-all to list all the available key/cert objects along with their URLs, and you can provide those URLs to compliant applications.