read cert from smart card

David Woodhouse dwmw2 at infradead.org
Sun Feb 21 08:31:14 PST 2016


On Sat, 2016-02-20 at 21:35 +0200, Mithat Bozkurt wrote:
> Hello
> 
> Although I read your HTML pages mentioning PKCS#11, I couldn't find a way
> to use a smart card (ACS 38T) with openconnect.
> 
> My client certificate is in a PKCS#11-compliant device and I couldn't
> export it because it is an e-signature cert.
> 
> I installed network-manager-openconnect-gnome and I see only the
> following selection.
> RSA SecurID read from ~/.stokenrc
> RSA SecurID (manually entered)
> TOTP (manually entered)
> HOTP (manually entered)
> 
> 
> Do I see PKCS#11 also?

No. NetworkManager is completely lacking any GUI to let you select
certificates from PKCS#11. This is https://bugzilla.gnome.org/679860

Thankfully there's a simple workaround. Just configure the connection
with a (dummy) file and then edit the resulting configuration file
manually and enter the PKCS#11 URI for your certificate.

However...

> output of "p11tool --list-tokens". My token manufacturer is not there.

That looks like your PKCS#11 module hasn't been installed correctly.
What is it? Are you using OpenSC (in which case the Ubuntu package
seems to be broken), or some third-party device with its own PKCS#11
library that you have to install (in which case their install
instructions are broken)?

You should have a file somewhere like /usr/share/p11-kit/modules which
directs p11-kit to load the module in question.
https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html

> And I can access my certificate for signing a document without any problem.

Using what software, and how does it find your PKCS#11 token? Sounds
like the software that is working is actually "broken" in some sense of
the word too, since it seems *not* to be using the system's p11-kit
configuration as it should.

-- 
dwmw2
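The workaround and the check the reply describes, worked through as an added example (not part of the thread or of openconnect): a p11-kit module file for the vendor library, an RFC 7512 PKCS#11 URI with percent-encoded labels, and the manual edit of the NetworkManager keyfile. The library path, token label, object label and keyfile path are placeholders; the `usercert`/`privkey` keys are the ones nm-openconnect stores in the keyfile's `[vpn]` section.

```shell
#!/bin/sh
# Added example; library path and labels below are placeholders, not real values.

# 1. p11-kit only loads a module it has a *.module file for. A correctly
#    installed vendor package drops one in /usr/share/p11-kit/modules/
#    (or /etc/pkcs11/modules/). Constructed sample:
write_module_conf() {   # usage: write_module_conf /path/to/vendor.module
    cat > "$1" <<'EOF'
# vendor.module -- placeholder path; point it at the real PKCS#11 library
module: /usr/lib/pkcs11/VENDOR-pkcs11.so
EOF
}

# 2. Percent-encode a token/object label for a PKCS#11 URI (RFC 7512).
#    Everything outside the unreserved set is encoded; a space in the token
#    label is the usual reason a hand-typed URI matches nothing.
pct_encode() {   # usage: pct_encode 'My Token'  -> My%20Token
    LC_ALL=C LABEL="$1" awk 'BEGIN {
        for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
        s = ENVIRON["LABEL"]
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            out = out ((c ~ /[A-Za-z0-9._~-]/) ? c : sprintf("%%%02X", ord[c]))
        }
        print out
    }'
}

# 3. Build the certificate URI; type=cert selects the certificate object,
#    not the private key that usually carries the same label.
pkcs11_cert_uri() {   # usage: pkcs11_cert_uri TOKEN_LABEL OBJECT_LABEL
    printf 'pkcs11:token=%s;object=%s;type=cert\n' \
        "$(pct_encode "$1")" "$(pct_encode "$2")"
}

# 4. Replace the dummy file paths in the saved NM keyfile with the URIs.
#    The private key gets the same URI with type=private.
set_nm_cert() {   # usage: set_nm_cert KEYFILE CERT_URI
    key_uri=$(printf '%s' "$2" | sed 's/;type=cert$/;type=private/')
    tmp=$(mktemp)
    sed "s|^usercert=.*|usercert=$2|; s|^privkey=.*|privkey=$key_uri|" "$1" \
        > "$tmp" && mv "$tmp" "$1"
}

# Checks to run by hand once the module file is in place:
#   p11-kit list-modules                       # vendor module listed?
#   p11tool --list-tokens                      # token listed?
#   p11tool --login --list-all-certs "pkcs11:token=$(pct_encode 'My Token')"
#   openconnect -c "$(pkcs11_cert_uri 'My Token' 'Signature')" vpn.example.com
```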
