PKCS 11

In cryptography, PKCS #11 is one of the Public-Key Cryptography Standards,^[1] and also refers to the programming interface to create and manipulate cryptographic tokens.

The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM) and smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key" - but "PKCS #11" is often used to refer to the API as well as the standard that defines it.

The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Most commercial certificate authority software uses PKCS #11 to access the CA signing key or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform specific MS-CAPI API instead.

This section is in list format but may read better as prose. You can help by converting this section, if appropriate. Editing help is available. (November 2014)

• 01/1994: project launched
• 04/1995: v1.0 published
• 12/1997: v2.01 published
• 12/1999: v2.10 published
• 01/2001: v2.11 published
• 06/2004: v2.20 published^[1]
• 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP ^[2])
• 01/2007: amendment 3 (additional mechanisms)
• 09/2009: v2.30 draft published for review, but final version never published
• 12/2012: RSA announce that PKCS #11 management is being transitioned to OASIS ^[3]
• 03/2013: OASIS PKCS #11 Technical Committee Inaugural meetings, works starts on v2.40 ^[4]
• 09/2014: OASIS PKCS #11 v2.40 now Committee Specification (complete)

• List of applications using PKCS #11
• Microsoft CryptoAPI

• OASIS PKCS #11 TC page
• Cryptsoft page on PKCS #11