From Fedora Project Wiki

This guideline updates the previous SSLCertificateHandling.


These guidelines are relevant to packagers which maintain packages which utilize smart cards for loading certificate or private key. Its purpose is to bring a consistency in smart card handling on the OS; for background and motivation see the current status of PKCS#11 in Fedora.

How to specify a certificate or private key stored in a smart card or HSM

In April 2015, RFC7512 defined a 'PKCS#11 URI' as a standard way to identify objects stored in smart cards or HSMs. That form should be understood by programs when specified in place of a certificate file. For non-interactive applications which get information on the command line or configuration file, there should not be a separate configuration option to load keys and certificates stored in smart cards, the same option accepting files, should additionally accept PKCS#11 URIs.

How to specify a specific PKCS#11 provider module for the certificate or key

Packages which can potentially use PKCS#11 tokens SHOULD automatically use the tokens which are present in the system's p11-kit configuration, rather than needing to have a PKCS#11 provider explicitly specified. See the PKCS#11 packaging page for more information.