Bug 88347 - Allow generation of hashed PEM certificate directory with --format=pem-hash-directory (different from 'trusted certificate' directory with --format=openssl-directory)
Status: RESOLVED FIXED
Alias: None
Product: p11-glue
Classification: Unclassified
Component: p11-kit
Version: unspecified
Hardware: All (OS: All)
Importance: medium enhancement
Assignee: Stef Walter
Reported: 2015-01-13 00:20 UTC by Adam Williamson
Modified: 2016-12-19 08:28 UTC
Description Adam Williamson 2015-01-13 00:20:09 UTC
There's been some work on this before, but it never got merged:

http://lists.freedesktop.org/archives/p11-glue/2013-December/000415.html
http://lists.freedesktop.org/archives/p11-glue/2014-January/000422.html

I'm hoping to do something more specific to get this implemented, but wanted to at least file the bug so we have a tracker.

'p11-kit extract' / 'trust extract' can generate a directory containing basic "BEGIN CERTIFICATE" PEM certificate files, or it can generate a directory containing OpenSSL 'trusted certificates' - "BEGIN TRUSTED CERTIFICATE" - along with symlinks in the style generated by the 'c_rehash' utility...but it can't generate a directory of basic "BEGIN CERTIFICATE" files with the hash symlinks.

This would be desirable, because a directory of 'BEGIN CERTIFICATE' certs with hash symlinks is one of Debian's canonical formats. Debian provides a /etc/ssl/certs directory in this style, which also contains a bundle file, /etc/ssl/certs/ca-certificates.crt. It's known that several apps expect /etc/ssl/certs to be a hashed directory of this type. p11-kit having this ability would help other distros provide a /etc/ssl/certs in the Debian style, for compatibility with things that expect it.

OpenSUSE wrote a patch to allow this - that's the first link above - but it used an environment variable hack which neither downstream nor upstream thought was the best option. Stef suggested implementing it as a separate --format parameter, and everyone apparently agreed that was the right approach, but no-one got around to doing it yet. The proposed parameter is "--format=pem-hash-directory".

Basically, what needs doing is refactoring the OpenSUSE patch a bit to implement the separate parameter, rather than conditionalizing the behaviour of "--format=pem-directory".
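For readers unfamiliar with what the requested pem-hash-directory layout actually looks like, the following POSIX shell function builds it by hand in the c_rehash style described in the report: plain "BEGIN CERTIFICATE" PEM files, one `<subject_hash>.<n>` symlink per certificate (n counts up when two subjects hash to the same value), plus the Debian-style ca-certificates.crt bundle beside them. This is an added illustration, not code from p11-kit, the OpenSUSE patch or the merged change; it assumes the openssl CLI is on PATH and that the input directory holds one certificate per *.pem file (the function name, arguments and file layout are this example's own choices).

```shell
#!/bin/sh
# Added example (not p11-kit code): build a Debian-style hashed directory of
# plain "BEGIN CERTIFICATE" PEM files, the layout that
# 'trust extract --format=pem-hash-directory' is meant to produce.
# Assumes: openssl CLI on PATH, one certificate per *.pem file in DIR.
set -eu

# subject_hash_of FILE -> 8-hex-digit OpenSSL subject-name hash (same value
# c_rehash uses for the link name; the file's own name is irrelevant to clients).
subject_hash_of() {
    openssl x509 -noout -subject_hash -in "$1"
}

# fingerprint_of FILE -> SHA-256 fingerprint, used to skip byte-identical
# certificates that merely live under two file names.
fingerprint_of() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# pem_hash_directory DIR
# For every DIR/*.pem create the symlink DIR/<hash>.<n> -> <file>. n starts at 0
# and is incremented for each further certificate whose subject hashes to the
# same value, which is how OpenSSL resolves collisions when it walks a CApath.
# Duplicate certificates (same fingerprint) get no second link. The function also
# concatenates every linked certificate into DIR/ca-certificates.crt, mirroring
# Debian's bundle file, and prints the number of symlinks it created.
pem_hash_directory() {
    dir=$1
    count=0
    seen=""
    : > "$dir/ca-certificates.crt"
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        fp=$(fingerprint_of "$cert")
        case "$seen" in
            *"$fp"*) continue ;;    # identical certificate already linked
        esac
        seen="$seen $fp"
        hash=$(subject_hash_of "$cert")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            n=$((n + 1))            # subject-hash collision: take the next slot
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
        cat "$cert" >> "$dir/ca-certificates.crt"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: pem_hash_directory /path/to/certs
```

Two points worth checking when validating a directory like this: OpenSSL only ever looks up links by subject hash and the numeric suffix, so a renamed or stale link silently hides a CA rather than producing an error, and c_rehash on systems that still serve OpenSSL 0.9.8 clients additionally writes MD5-based `-subject_hash_old` links, which this example deliberately leaves out.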
Comment 1 Stef Walter 2015-01-14 12:42:15 UTC
Merged patch to master. http://lists.freedesktop.org/archives/p11-glue/2015-January/000552.html

