In cryptography, PKCS #11 is a Public-Key Cryptography Standards that defines a C programming interface to create and manipulate cryptographic tokens that may contain secret cryptographic keys. It is often used to communicate with a Hardware Security Module or smart cards.

The PKCS #11 standard is managed by OASIS^[1] with the current version being 3.1 ^[2] PKCS #11 is sometimes referred to as "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key").

The API defines most commonly used cryptographic object types (RSA keys, X.509 certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Most commercial certificate authority (CA) software uses PKCS #11 to access the CA signing key^{[clarification needed]} or to enroll user certificates. Cross-platform software that needs to use smart cards uses PKCS #11, such as Mozilla Firefox and OpenSSL (using an extension). It is also used to access smart cards and HSMs. Software written for Microsoft Windows may use the platform specific MS-CAPI API instead. Both Oracle Solaris and Red Hat Enterprise Linux contain implementations for use by applications, as well.

The Key Management Interoperability Protocol (KMIP) defines a wire protocol that has similar functionality to the PKCS#11 API.

The two standards were originally developed independently but are now both governed by an OASIS technical committee. It is the stated objective of both the PKCS #11 and KMIP committees to align the standards where practicable. KMIP also has special operations that provide a complete standards based wire protocol for PKCS #11.

There is considerable overlap between members of the two technical committees.

The PKCS#11 standard originated from RSA Security along with its other PKCS standards in 1994. In 2013, RSA contributed the latest draft revision of the standard (PKCS#11 2.30) to OASIS to continue the work on the standard within the newly created OASIS PKCS11 Technical Committee.^[3] The following list contains significant revision information:

• 01/1994: project launched
• 04/1995: v1.0 published
• 12/1997: v2.01 published
• 12/1999: v2.10 published
• 01/2001: v2.11 published
• 06/2004: v2.20 published^[1]
• 12/2005: amendments 1 & 2 (one-time password tokens, CT-KIP ^[4])
• 01/2007: amendment 3 (additional mechanisms)
• 09/2009: v2.30 draft published for review, but final version never published
• 12/2012: RSA announce that PKCS #11 management is being transitioned to OASIS^[5]
• 03/2013: OASIS PKCS #11 Technical Committee Inaugural meetings, works starts on v2.40 ^[6]
• 04/2015: OASIS PKCS #11 v2.40 specifications become approved OASIS standards ^[7]
• 05/2016: OASIS PKCS #11 v2.40 Errata 01 specifications become approved OASIS errata ^[8]
• 07/2020: OASIS PKCS #11 v3.0 specifications become approved OASIS standards ^[9]
• 07/2023: OASIS PKCS #11 v3.1 specifications become approved OASIS standards ^[2]

• Microsoft CryptoAPI

• RFC 7512 - The PKCS #11 URI Scheme
• PKCS#11: Cryptographic Token Interface Standard
• OASIS PKCS #11 Technical Committee home page