Monday, October 3, 2022

[389-users] Re: 389ds and PKCS11 - how does 389ds read certificates/keys from p11kit?

Hi Graham,

389ds relies on the NSS framework, so IMHO the question should be how to use p11-kit-trust with NSS.

I cannot help you much on this point as your question reached the limit of my knowledge about NSS, but if no one else has a better answer, here are some hints:
While looking on the web, I found several pages that may interest you:
   (The contact link may help you to get a more precise answer)
(And especially the "How to test" section that may interest you)
Apparently p11-kit-proxy allows you to install and use p11-kit modules,
but you also have to install these modules with modutil to be able to use this feature (maybe trying to load p11-kit-trust in NSS with modutil will do the trick, but that is just a wild guess).

Good luck!

On Sun, Oct 2, 2022 at 7:07 PM Graham Leggett wrote:
Hi all,

389ds as shipped by RHEL9 is linked to NSS, which in theory supports PKCS11, but in practice I can't get it to work.

Most specifically, when you display a 389ds NSS database using modutil, you see p11-kit-proxy (good), but it reports "There are no slots attached to this module" (bad).

Has anyone got an explanation as to why this might be?

[root@seawitch ~]# modutil -list -dbdir /etc/dirsrv/slapd-seawitch

Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.79
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name:
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: There are no slots attached to this module
        status: loaded

At the very least the system and default CA databases should be visible, but alas no:

[root@seawitch ~]# p11-kit list-modules
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24



389 Directory Server Development Team
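
As an added example (not part of the original messages and not 389ds or NSS project code), the shell functions below parse `modutil -list` output and report PKCS #11 modules that NSS has loaded without any slots, which is the symptom in the listing above. The function names are hypothetical, and the sample listing is constructed from the thread's output with the uri lines omitted.

```shell
#!/bin/sh
# Added example: health check for PKCS #11 modules in an NSS database.

# Read `modutil -list` output on stdin and print one "module|slot-count"
# line per module. A module reporting no attached slots gets a count of 0.
slot_summary() {
    awk '
        # Module headers look like "  2. p11-kit-proxy"
        /^[ \t]*[0-9]+\.[ \t]/ {
            name = $0
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "", name)
            next
        }
        # "slots: 2 slots attached" or "slots: There are no slots attached ..."
        /^[ \t]*slots:/ {
            if (name == "") next
            count = ($2 ~ /^[0-9]+$/) ? $2 : 0
            print name "|" count
            name = ""
        }
    '
}

# Print only the modules that are registered but expose no slots, so any
# certificates or keys behind them are not reachable through NSS.
modules_without_slots() {
    slot_summary | awk -F'|' '$2 == 0 { print $1 }'
}

# Constructed sample input, based on the listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. p11-kit-proxy
        library name:
         slots: There are no slots attached to this module
        status: loaded
EOF
}

# Against a live instance (path taken from the thread):
#   modutil -list -dbdir /etc/dirsrv/slapd-seawitch | modules_without_slots
sample_listing | modules_without_slots
```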
