CAC modules

David Woodhouse dwmw2 at infradead.org
Wed Jul 11 14:39:39 EDT 2012


On Wed, 2012-07-11 at 13:59 -0400, Mcclelland, Michael B Mr CTR USN USA
wrote:
> The fedora setup was extremely easy by comparison to Ubuntu and the
> p11 tools command actually lists my certs unlike the Ubuntu build.
> Openconnect worked immediately with the CAC card too.  Unfortunately,
> I mistyped the openconnect command and it locked out my CAC.  I can
> get it unlocked today but I would like to move ahead with rebuilding
> the gui to support certificate selection to protect myself from my
> clumsy typing.

The GUI in Fedora is the latest there is; it doesn't yet let you select
a certificate from your token. But you can configure it that way by
hand, and then it does *work* for connecting. Configure all the *other*
details through the UI, but not the certificate. Then, as root, edit the
file in /etc/NetworkManager/system-connections/ which corresponds to
your VPN connection, and put the PKCS#11 URL into the 'usercert=' line.

You can ignore the userkey= line and leave it empty. Just put the URL,
*without* the ;object-type=xxx attribute part that distinguishes between
key and cert, into the usercert= line.

Some parts of the URL are optional; you probably only really need the
ID. My test case looks like this:
usercert=pkcs11:id=0%d5%fd%2b%ae%f2%98%ff%9b%c3S%95%7ds%f8%09%99%ba%5c%c7


-- 
dwmw2
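The by-hand configuration described in the message above, as an added example that is not part of the original message and is not OpenConnect or NetworkManager code: it strips the `object-type` attribute from a PKCS#11 URL (the RFC 7512 spelling `type` is stripped too, an assumption), percent-decodes the `id=` attribute to show the raw CKA_ID bytes, and rewrites the `usercert=` and `userkey=` lines of a NetworkManager keyfile. The keyfile, the token label and the helper names are constructed; the `id=` value is the one quoted in the message.

```python
"""Put a PKCS#11 certificate URL into a NetworkManager-openconnect keyfile.

Added example, not OpenConnect/NetworkManager code. Assumes the keyfile
under /etc/NetworkManager/system-connections/ is INI-style with a [vpn]
section holding usercert= and userkey=, as the message describes.
"""
import configparser
import io
from urllib.parse import unquote_to_bytes

# Attributes that distinguish the key object from the certificate object.
# 'object-type' is the spelling used in the message; 'type' is the RFC 7512
# name (assumption: both are removed so either spelling is handled).
OBJECT_CLASS_ATTRS = ("object-type", "type")


def pkcs11_attrs(uri):
    """Split a pkcs11: URI into (path attributes, query string).

    Path attributes are ';'-separated name=value pairs; the optional
    '?query' part is returned untouched.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = []
    for item in filter(None, path.split(";")):
        name, _, value = item.partition("=")
        attrs.append((name, value))
    return attrs, query


def strip_object_type(uri):
    """Return the URI without the key/cert-distinguishing attribute.

    The message says the id attribute is probably the only one you really
    need, so refuse a URI that lacks it.
    """
    attrs, query = pkcs11_attrs(uri)
    if not any(name == "id" for name, _ in attrs):
        raise ValueError("URI has no id= attribute")
    kept = ["%s=%s" % (n, v) for n, v in attrs if n not in OBJECT_CLASS_ATTRS]
    return "pkcs11:" + ";".join(kept) + ("?" + query if query else "")


def pkcs11_id_bytes(uri):
    """Percent-decode the id= attribute to the raw CKA_ID bytes.

    Unreserved characters (like the 'S', '}' and 's' in the message's
    example) appear literally in the URI; everything else is %xx-escaped.
    """
    attrs, _ = pkcs11_attrs(uri)
    for name, value in attrs:
        if name == "id":
            return unquote_to_bytes(value)
    raise ValueError("URI has no id= attribute")


def set_usercert(keyfile_text, uri):
    """Return the keyfile text with usercert= set and userkey= left empty."""
    # interpolation=None: the '%' escapes in the URL must stay literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive; don't lowercase
    cp.read_string(keyfile_text)
    cp["vpn"]["usercert"] = strip_object_type(uri)
    cp["vpn"]["userkey"] = ""  # empty, as the message says; the key is on the token
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # keep the 'key=value' form
    return out.getvalue()


# Constructed sample keyfile (hypothetical connection named 'work-vpn').
SAMPLE_KEYFILE = """[connection]
id=work-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openconnect
gateway=vpn.example.com
usercert=
userkey=
"""

# The id= value is the one from the message; the token label is constructed.
SAMPLE_URI = (
    "pkcs11:token=CAC%20PIV%20Token;"
    "id=0%d5%fd%2b%ae%f2%98%ff%9b%c3S%95%7ds%f8%09%99%ba%5c%c7;"
    "object-type=cert"
)

if __name__ == "__main__":
    print(set_usercert(SAMPLE_KEYFILE, SAMPLE_URI))
    print("CKA_ID is %d bytes" % len(pkcs11_id_bytes(SAMPLE_URI)))
```

Run it as root against a copy of the real keyfile only after the other settings have been made through the UI; NetworkManager rereads the file when told to (`nmcli connection reload`), and a wrong `id=` simply fails to find the certificate rather than locking the card, which is the mistyped-PIN case the message warns about.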