Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
PKCS 11
open-in-new
<h2 id="usage">Usage</h2> <p>Most commercial <a href="/facts/Certificate_authority/WAo8vMTN">certificate authority</a> (CA) software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use <a href="/facts/Smart_cards/K7b9lowS">smart cards</a> uses PKCS #11, such as <a href="/facts/Mozilla_Firefox/xez2zv8H">Mozilla Firefox</a> and <a href="/facts/OpenSSL/aXvs5fo2">OpenSSL</a> (using an extension). It is also used to access <a href="/facts/Smart_cards/K7b9lowS">smart cards</a> and <a href="/facts/Hardware_security_module/dhpo8qoR">HSMs</a>. Software written for <a href="/facts/Microsoft_Windows/bwhAhuSL">Microsoft Windows</a> may use the platform specific <a href="/facts/Cryptographic_Application_Programming_Interface/yTtHjHhN">MS-CAPI</a> API instead. Both <a href="/facts/Solaris_(operating_system)/KPfT98EJ">Oracle Solaris</a> and <a href="/facts/Red_Hat_Enterprise_Linux/6Cekx2ed">Red Hat Enterprise Linux</a> contain implementations for use by applications, as well. </p> <h2 id="relationship-to-kmip">Relationship to KMIP</h2> <p>The <a href="/facts/Key_Management_Interoperability_Protocol/alr3aPT5">Key Management Interoperability Protocol</a> (KMIP) defines a wire protocol that has similar functionality to the PKCS #11 API. </p><p>The two standards were originally developed independently but are now both governed by an <a href="/facts/OASIS_(organization)/a2r8y7tX">OASIS</a> technical committee. It is the stated objective of both the PKCS #11 and KMIP committees to align the standards where practicable. KMIP also has special operations that provide a complete standards based wire protocol for PKCS #11. </p><p>There is considerable overlap between members of the two technical committees. </p> <h2 id="history">History</h2> <p>The PKCS #11 standard originated from <a href="/facts/RSA_Security/s8kfo2SF">RSA Security</a> along with its other <a href="/facts/PKCS/M0swhEyc">PKCS standards</a> in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS #11 2.30) to <a href="/facts/OASIS_(organization)/a2r8y7tX">OASIS</a> to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> The following list contains significant revision information: </p> <ul><li>01/1994: project launched</li> <li>04/1995: v1.0 published</li> <li>12/1997: v2.01 published</li> <li>12/1999: v2.10 published</li> <li>01/2001: v2.11 published</li> <li>06/2004: v2.20 published<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a></li> <li>12/2005: amendments 1 & 2 (<a href="/facts/One-time_password/4u0a4vgk">one-time password</a> tokens, CT-KIP <a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a>)</li> <li>01/2007: amendment 3 (additional mechanisms)</li> <li>09/2009: v2.30 draft published for review, but final version never published</li> <li>12/2012: RSA announce that PKCS #11 management is being transitioned to <a href="/facts/OASIS_(organization)/a2r8y7tX">OASIS</a><a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a></li> <li>03/2013: OASIS PKCS #11 Technical Committee Inaugural meetings, works starts on v2.40 <a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a></li> <li>04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards <a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a></li> <li>05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata <a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a></li> <li>07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards <a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li> <li>07/2023: OASIS PKCS #11 v3.1 specifications become approved OASIS standards <a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a></li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Microsoft_CryptoAPI/yTtHjHhN">Microsoft CryptoAPI</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://www.rfc-editor.org/rfc/rfc7512">7512</a> - The PKCS #11 URI Scheme</li> <li><a href="https://www.cryptsoft.com/pkcs11doc/">PKCS#11: Cryptographic Token Interface Standard</a></li> <li><a href="https://www.oasis-open.org/committees/pkcs11">OASIS PKCS #11 Technical Committee home page</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Dieter Bong; Tony Cox, eds. (2023-07-23). "PKCS #11 Specification Version 3.1". OASIS. Retrieved 2024-08-29. <a href="https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html" target="_blank">https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Paul Knight, ed. (2023-08-10). "Two PKCS #11 OASIS Standards published". OASIS. Retrieved 2025-01-05. <a href="https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/" target="_blank">https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"OASIS Enhances Popular Public-Key Cryptography Standard, PKCS #11, for Mobile and Cloud". OASIS. 26 March 2013. Retrieved 2016-08-24. <a href="https://www.oasis-open.org/news/pr/oasis-enhances-popular-public-key-cryptography-standard-pkcs-11-for-mobile-and-cloud" target="_blank">https://www.oasis-open.org/news/pr/oasis-enhances-popular-public-key-cryptography-standard-pkcs-11-for-mobile-and-cloud</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Dieter Bong; Tony Cox, eds. (2023-07-23). "PKCS #11 Specification Version 3.1". OASIS. Retrieved 2024-08-29. <a href="https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html" target="_blank">https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"CT-KIP: Cryptographic Token Key Initialization Protocol". RSA Security. Archived from the original on 2017-04-17. <a href="https://web.archive.org/web/20170417085140/https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm" target="_blank">https://web.archive.org/web/20170417085140/https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/cryptographic-token-key-initialization-protocol.htm</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Griffin, Bob (2012-12-26). "Re-invigorating the PKCS #11 Standard". Archived from the original on 2013-05-25. <a href="https://web.archive.org/web/20130525002555/http://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/" target="_blank">https://web.archive.org/web/20130525002555/http://blogs.rsa.com/re-invigorating-the-pkcs-11-standard/</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"OASIS PKCS 11 TC Public Documents". OASIS. Retrieved 2020-01-16. <a href="https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11" target="_blank">https://www.oasis-open.org/committees/documents.php?wg_abbrev=pkcs11</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards". OASIS. 15 April 2015. Retrieved 2016-08-24. <a href="https://www.oasis-open.org/news/announcements/pkcs-11-cryptographic-token-interface-base-specification-interface-profiles-curre" target="_blank">https://www.oasis-open.org/news/announcements/pkcs-11-cryptographic-token-interface-base-specification-interface-profiles-curre</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"#PKCS 11 V2.40 Approved Erratas published by PKCS 11 TC". OASIS. 28 June 2016. Retrieved 2016-08-24. <a href="https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc" target="_blank">https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"#PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 3.0 become OASIS Standards". OASIS. 22 July 2020. Retrieved 2020-07-23. <a href="https://www.oasis-open.org/2020/07/22/four-pkcs-11-oasis-standards-published/" target="_blank">https://www.oasis-open.org/2020/07/22/four-pkcs-11-oasis-standards-published/</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Paul Knight, ed. (2023-08-10). "Two PKCS #11 OASIS Standards published". OASIS. Retrieved 2025-01-05. <a href="https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/" target="_blank">https://www.oasis-open.org/2023/08/10/two-pkcs-11-oasis-standards-published/</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> </ol>