The p11-kit tool provides a extract-trust command which extracts trust policy information such as certificate anchors and so on into files for use with libraries that cannot read this trust information directly.

In order to be useful the extract-trust command needs to be customized per distribution or site. You can find this file in at tools/p11-kit-trust-extract.in in the p11-kit source code.

The command is implemented as a simple script which performs the various p11-kit extract commands necessary to extract the information.

Using this script as a standard way to extract this information allows for consistency between distributions and ease of system administration.