diff --git a/CHANGES b/CHANGES
index d249bb6a8f..cad6afeea1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4355. [func] "pkcs11-list" now displays the extractability
+ attribute of private or secret keys stored in
+ an HSM, as either "true", "false", or "never"
+ Thanks to Daniel Stirnimann. [RT #36557]
+
 4354. [bug] Check that the received HMAC length matches the
 expected length prior to check the contents on
 the control channel. This prevents a OOB read error.
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 4ef6a7a62d..e84f909c01 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2015 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -196,11 +196,17 @@ main(int argc, char *argv[]) {
 CK_OBJECT_CLASS oclass = 0;
 CK_BYTE labelbuf[64 + 1];
 CK_BYTE idbuf[64];
+ CK_BBOOL extract = TRUE;
+ CK_BBOOL never = FALSE;
 CK_ATTRIBUTE template[] = {
 {CKA_CLASS, &oclass, sizeof(oclass)},
 {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
 {CKA_ID, idbuf, sizeof(idbuf)}
 };
+ CK_ATTRIBUTE priv_template[] = {
+ {CKA_EXTRACTABLE, &extract, sizeof(extract)},
+ {CKA_NEVER_EXTRACTABLE, &never, sizeof(never)}
+ };
 
 memset(labelbuf, 0, sizeof(labelbuf));
 memset(idbuf, 0, sizeof(idbuf));
@@ -233,7 +239,7 @@ main(int argc, char *argv[]) {
 if (len == 2) {
 id = (idbuf[0] << 8) & 0xff00;
 id |= idbuf[1] & 0xff;
- printf("%u\n", id);
+ printf("%u", id);
 } else {
 if (len > 8)
 len = 8;
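Review bot: The new `CK_BBOOL extract = TRUE;` and `CK_BBOOL never = FALSE;` locals in the `@@ -196,11 +196,17 @@` hunk carry no explanation of why those particular defaults were chosen, and since both are declared once outside the per-object loop a reader may wonder whether a value left over from the previous key can be reported for the next one. It cannot as long as the `E:` output stays gated on a successful pkcs_C_GetAttributeValue, which rewrites both values, but that contract lives in a different hunk, so a comment at the declaration would help: `/* Rewritten by each successful C_GetAttributeValue; TRUE is the pessimistic default if a token ever reports success without filling them. */`. The enclosing main() starts and ends outside this hunk.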
@@ -242,10 +248,17 @@ main(int argc, char *argv[]) {
 for (j = 0; j < len; j++)
 printf("%02x", idbuf[j]);
 if (template[2].ulValueLen > len)
- printf("...\n");
- else
- printf("\n");
+ printf("...");
 }
+ if ((oclass == CKO_PRIVATE_KEY ||
+ oclass == CKO_SECRET_KEY) &&
+ pkcs_C_GetAttributeValue(hSession, akey[i],
+ priv_template, 2) == CKR_OK) {
+ printf(" E:%s",
+ extract ? "true" :
+ (never ? "never" : "false"));
+ }
+ printf("\n");
 }
 }
 
diff --git a/bin/pkcs11/pkcs11-list.docbook b/bin/pkcs11/pkcs11-list.docbook
index 77c1ca1c19..3065f27342 100644
--- a/bin/pkcs11/pkcs11-list.docbook
+++ b/bin/pkcs11/pkcs11-list.docbook
@@ -1,5 +1,5 @@
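Review bot: A private or secret key whose extractability could not be read is indistinguishable in the listing from one that was never queried, because the new `if ((oclass == CKO_PRIVATE_KEY || ...` block prints the `E:` field only when pkcs_C_GetAttributeValue returns CKR_OK and silently prints nothing otherwise (a token that does not implement CKA_NEVER_EXTRACTABLE, for instance, would fail the whole two-attribute query). For a tool whose stated purpose is to show whether HSM keys can leave the device, an explicit marker is the safer audit output: keep the return value and emit `printf(" E:%s", rv == CKR_OK ? (extract ? "true" : (never ? "never" : "false")) : "unknown");`, and spell the attribute count as `sizeof(priv_template) / sizeof(priv_template[0])` rather than the literal `2` so the template and the call cannot drift apart. Whether a CK_RV local is already available is not visible in this hunk; the enclosing main() starts and ends outside it.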