read cert from smart card
dwmw2 at infradead.org
Thu Feb 25 00:45:11 PST 2016
On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
> I don't understand why I export cert to file. I think device should
> block this action because this is my e-signature cert.
No, the non-exportable part is the private key. The certificate is
public, and declares that anyone who can prove that they have that
private key, is whoever is identified as the subject of the
If you go to secure web sites, you can inspect their *certificates* to
check who they are. That's kind of the point. What you can't get is
their matching private key.
On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
> Do I need specify 'type=private' to say 'use my private cert for user
No, OpenConnect needs to use *both* the certificate and the
corresponding private key. It will append ';type=cert' or
';type=private' to the URI you give it, as appropriate. Note that it
still isn't *exporting* the private key; it's using it in-place.
TBH if OpenSC is supposed to drive this card, I really think you're
better off pursuing that approach rather than persisting with the
broken proprietary PKCS#11 token.
Can you try
as described in the 'Debugging OpenSC' link I gave you?
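
The ';type=cert' / ';type=private' step described above, as an added example that is not part of the original message and is not OpenConnect's own code: it derives both object URIs from the one PKCS#11 URI (RFC 7512) the user supplies. The function names and sample URIs are hypothetical, and leaving an existing type attribute untouched is a choice made for this example.

```python
# Added illustration (not OpenConnect source): derive the certificate and
# private-key PKCS#11 URIs (RFC 7512) from the single URI a user supplies.

def split_pk11_uri(uri):
    """Return (path_attrs, query): a list of 'name=value' plus '?...' or ''."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, sep, query = uri[len("pkcs11:"):].partition("?")
    attrs = [a for a in path.split(";") if a]
    return attrs, sep + query


def with_type(uri, obj_type):
    """Return uri restricted to objects of obj_type ('cert' or 'private').

    The attribute goes into the path component, so it lands before any
    '?pin-source=...' query. A type the user already gave is left alone
    (an assumption of this example).
    """
    if obj_type not in ("cert", "private"):
        raise ValueError("unsupported object type: %r" % obj_type)
    attrs, query = split_pk11_uri(uri)
    # 'object-type' is the older spelling seen in pre-RFC 7512 URIs.
    names = [a.split("=", 1)[0] for a in attrs]
    if "type" not in names and "object-type" not in names:
        attrs.append("type=" + obj_type)
    return "pkcs11:" + ";".join(attrs) + query


def cert_and_key_uris(uri):
    """Both lookups a client needs: the public certificate, and the private
    key, which is used in place on the token and never exported."""
    return with_type(uri, "cert"), with_type(uri, "private")


# Constructed sample URIs; the token name, id and PIN path are made up.
SAMPLE = "pkcs11:token=ExampleCard;id=%01"
SAMPLE_WITH_QUERY = "pkcs11:token=ExampleCard;id=%01?pin-source=file:/tmp/pin"

if __name__ == "__main__":
    for u in (SAMPLE, SAMPLE_WITH_QUERY):
        cert_uri, key_uri = cert_and_key_uris(u)
        print(cert_uri)
        print(key_uri)
```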