read cert from smart card

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Feb 25 00:03:51 PST 2016


On Thu, Feb 25, 2016 at 8:15 AM, Mithat Bozkurt <mithatbozkurt at gmail.com> wrote:
> mithat@adige:~$ p11tool -v
> p11tool 3.3.15
> Copyright (C) 2000-2015 Free Software Foundation, and others, all
> rights reserved.
> This is free software. It is licensed for use, modification and
> redistribution under the terms of the GNU General Public License,
> version 3 or later <http://gnu.org/licenses/gpl.html>
> mithat@adige:~$ p11tool -d 4 --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert'
> Setting log level to 4
> |<2>| p11: Initializing module: p11-kit-trust
> |<2>| p11: Initializing module: akis
> |<2>| p11: Initializing module: gnome-keyring
> |<3>| ASSERT: pkcs11.c:503
> |<2>| Initializing PKCS #11 modules
> |<2>| p11: Skipped object, missing attrs.
> |<3>| ASSERT: pkcs11.c:1758
> |<3>| ASSERT: pkcs11.c:1685
> |<3>| ASSERT: pkcs11.c:1824
> Error in pkcs11_export:257: The requested data were not available.
>
> I don't understand why I export cert to file. I think device should
> block this action because this is my e-signature cert.

If the certificate is not exportable then you cannot use it for
openconnect or any other application (note that this is the
'certificate' which has public parameters, not the private key). Have
you tried adding --login to the export command line?

regards,
Nikos



More information about the openconnect-devel mailing list