CAC modules
Mcclelland, Michael B Mr CTR USN USA
michael.b.mcclelland at us.army.mil
Thu Jul 12 10:54:09 EDT 2012
Trying to get over the last hill, but I'm coming up short. I've tried multiple combinations of syntax, but what I'm inputting doesn't seem to work. I'll retry the Ubuntu build based on your suggestions as soon as possible; I just have tunnel vision on Fedora since I'm so close.
openconnect -c 'pkcs11:id=%00%01;object=CAC%20ID%20Certificate;' https://testtesttest.test
Attempting to connect to xxx.xxx.xx.xxx:443
Error importing PKCS#11 URL pkcs11:id=%00%01;object=CAC%20ID%20Certificate;object-type=private;pin-source=openconnect%3a0x9fa2f90: The requested data were not available.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to testtesttest.test
Failed to obtain WebVPN cookie
[root@fedora view]#
Output from p11tool --list-all-certs --login:
Object 136:
URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%01;object=CAC%20ID%20Certificate;object-type=cert
Type: X.509 Certificate
Label: CAC ID Certificate
ID: 00:01
Object 137:
URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
Type: X.509 Certificate
Label: CAC Email Signature Certificate
ID: 00:02
Object 138:
URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
Type: X.509 Certificate
Label: CAC Email Encryption Certificate
ID: 00:03
Thanks again for taking the time
MM
-----Original Message-----
From: David Woodhouse [mailto:dwmw2 at infradead.org]
Sent: Wednesday, July 11, 2012 5:28 PM
To: Mcclelland, Michael B Mr CTR USN USA
Cc: openconnect-devel at lists.infradead.org
Subject: Re: CAC modules
On Wed, 2012-07-11 at 16:35 -0400, Mcclelland, Michael B Mr CTR USN USA
wrote:
> So if I understand you right...
> out of the full:
> pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=private
>
> I just use
> Pkcs11: CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00
>
> Sorry for asking to be spoon fed. I have very limited attempts to log in before my card locks itself.
It doesn't *hurt* to use the whole thing, but you ought to get away with
just pkcs11:id=%00%03;object=CAC%20Email%20Encryption%20Certificate
Hopefully your token shouldn't lock you out just for using an object
that doesn't exist; only if you get the PIN wrong?
--
dwmw2
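
Added example, not part of the original thread or of openconnect: a small Python helper that reads a p11tool listing and derives the short pkcs11:id=...;object=... form suggested above, dropping object-type=cert because the error output shows openconnect appending its own object-type=private. The function names are hypothetical, and the sample listing is constructed in the shape of the output above with a placeholder token name.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample in the shape of the p11tool output quoted in the thread;
# the token name is a placeholder, not a real card.
SAMPLE = """\
Object 136:
URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=EXAMPLE.TOKEN.0000000;id=%00%01;object=CAC%20ID%20Certificate;object-type=cert
Label: CAC ID Certificate
ID: 00:01
Object 138:
URL: pkcs11:library-manufacturer=Mozilla%20Foundation;token=EXAMPLE.TOKEN.0000000;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
Label: CAC Email Encryption Certificate
ID: 00:03
"""

def parse_pkcs11_uri(uri):
    """Return the URI's path attributes as {name: still-percent-encoded value}."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]   # ignore any query part
    attrs = {}
    for part in path.split(";"):
        if not part:                               # tolerate a trailing ';'
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % part)
        attrs[name] = value
    return attrs

def short_uri(uri, keep=("id", "object")):
    """Rebuild the URI from only the attributes that identify the object."""
    attrs = parse_pkcs11_uri(uri)
    missing = [k for k in keep if k not in attrs]
    if missing:
        raise ValueError("URI lacks %s" % ", ".join(missing))
    # Values are copied verbatim so the percent-encoding is never re-typed.
    return "pkcs11:" + ";".join("%s=%s" % (k, attrs[k]) for k in keep)

def list_objects(listing):
    """Return [(label, raw id bytes, short URI)] for every 'URL:' line."""
    found = []
    for line in listing.splitlines():
        if line.strip().startswith("URL:"):
            uri = line.split("URL:", 1)[1].strip()
            attrs = parse_pkcs11_uri(uri)
            label = unquote_to_bytes(attrs["object"]).decode("utf-8")
            found.append((label, unquote_to_bytes(attrs["id"]), short_uri(uri)))
    return found

if __name__ == "__main__":
    for label, obj_id, uri in list_objects(SAMPLE):
        print("%-34s id=%s  %s" % (label, obj_id.hex(":"), uri))
```

Comparing the decoded id bytes against the "ID:" line of the listing confirms the right object was picked before any PIN attempt is spent on it.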