CAC modules
Mcclelland, Michael B Mr CTR USN USA
michael.b.mcclelland at us.army.mil
Wed Jul 18 16:33:48 EDT 2012
I'll agree that it is a bit weird that we are using an email certificate to log in, but for some reason that was the only way that our ASA seemed to work. It was a design choice that happened long before I was on board. In any case, I'm up and running on Ubuntu as well. I had one lingering question, though, regarding certificates:
openconnect --cafile=/etc/ssl/certs/ca-certificates.crt -c 'pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%02;object=CAC%20Email%20Signature%20Certificate' https://server.domain/vpn2
I had to add DOD CA certificates to the system certificate store in order to form a trusted connection. My certificate store appears to work for other applications, but OpenConnect doesn't seem to accept it unless I explicitly add the syntax to do so. Does this imply that OpenConnect is acting upon a warning flag from gnutls?
-----Original Message-----
From: David Woodhouse [mailto:dwmw2 at infradead.org]
Sent: Monday, July 16, 2012 7:31 PM
To: Mcclelland, Michael B Mr CTR USN USA
Cc: 'Mike Miller'; openconnect-devel at lists.infradead.org
Subject: Re: CAC modules
On Mon, 2012-07-16 at 13:17 -0400, Mcclelland, Michael B Mr CTR USN USA wrote:
> $ openconnect -c 'pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;
> object=CAC%20Email%20Encryption%20Certificate' https://server.domain
Btw, you were using the 'CAC ID Certificate' before, and now you're
using the 'CAC Email Encryption Certificate'. Is that going to work?
--
dwmw2