read cert from smart card

Mithat Bozkurt mithatbozkurt at
Thu Feb 25 03:25:55 PST 2016

mithat at adige:~$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             ACS ACR38U-CCID 00 00

mithat at adige:~$ opensc-tool --atr
Using reader with a card: ACS ACR38U-CCID 00 00

mithat at adige:~$ opensc-tool --name
Using reader with a card: ACS ACR38U-CCID 00 00
Unsupported card

2016-02-25 10:45 GMT+02:00 David Woodhouse <dwmw2 at>:
> On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
>> I don't understand why I export cert to file. I think device should
>> block this action because this is my e-signature cert.
>
> No, the non-exportable part is the private key. The certificate is
> public, and declares that anyone who can prove that they have that
> private key, is whoever is identified as the subject of the
> certificate.
>
> If you go to secure web sites, you can inspect their *certificates* to
> check who they are. That's kind of the point. What you can't get is
> their matching private key.
>
> And later...
>
> On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
>> Do I need specify 'type=private' to say 'use my private cert for user
>> cert'?
>
> No, OpenConnect needs to use *both* the certificate and the
> corresponding private key. It will append ';type=cert' or
> ';type=private' to the URI you give it, as appropriate. Note that it
> still isn't *exporting* the private key; it's using it in-place.
>
> TBH if OpenSC is supposed to drive this card, I really think you're
> better off pursuing that approach rather than persisting with the
> broken proprietary PKCS#11 token.
>
> Can you try
>  opensc-tool -l
>  opensc-tool --atr
>  opensc-tool --name
> as described in the 'Debugging OpenSC' link I gave you?
>
> --
> dwmw2
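
The ';type=cert' / ';type=private' behaviour described in the quoted reply, as an added example that is not part of the original message and is not OpenConnect's own code: one PKCS#11 URI (RFC 7512) is turned into two object URIs, one for the public certificate and one for the private key that is used in place on the token. The function names and the sample URI are constructed for illustration.

```python
# Added example (not OpenConnect's code): derive the certificate URI and the
# private-key URI from a single PKCS#11 URI by setting the 'type' attribute.

ALLOWED_TYPES = ("cert", "private")


def with_object_type(uri: str, object_type: str) -> str:
    """Return `uri` with its 'type' path attribute set to `object_type`."""
    if object_type not in ALLOWED_TYPES:
        raise ValueError("object_type must be 'cert' or 'private'")

    scheme, colon, rest = uri.partition(":")
    if scheme != "pkcs11" or not colon:
        raise ValueError("not a pkcs11: URI")

    # RFC 7512: path attributes are separated by ';', and query attributes
    # (for example pin-source) follow a single '?'. The 'type' attribute
    # belongs in the path, so it must be placed before the '?'.
    path, qmark, query = rest.partition("?")
    attrs = [a for a in path.split(";") if a]

    # Replace an existing 'type' attribute instead of adding a second one.
    attrs = [a for a in attrs if a.split("=", 1)[0] != "type"]
    attrs.append("type=" + object_type)

    return "pkcs11:" + ";".join(attrs) + qmark + query


def credential_uris(uri: str) -> tuple:
    """Return (certificate URI, private-key URI) for the same token object."""
    return with_object_type(uri, "cert"), with_object_type(uri, "private")


if __name__ == "__main__":
    # Constructed sample URI; token label, id and PIN path are made up.
    sample = "pkcs11:token=Example%20Token;id=%01?pin-source=file:/tmp/pin"
    cert_uri, key_uri = credential_uris(sample)
    print("certificate:", cert_uri)   # object that can be read and exported
    print("private key:", key_uri)    # handle only; the key stays on the card
```
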
