The p11-kit
tool provides a
extract-trust
command which extracts trust
policy information such as certificate anchors and so on
into files for use with libraries that cannot read this trust
information directly.
In order to be useful the extract-trust
command needs to be customized per distribution or site. You can
find this file in at tools/p11-kit-trust-extract.in
in the p11-kit source code.
The command is implemented as a simple script which
performs the various p11-kit extract
commands
necessary to extract the information.
Using this script as a standard way to extract this information allows for consistency between distributions and ease of system administration.