CAC modules

Mcclelland, Michael B Mr CTR USN USA michael.b.mcclelland at us.army.mil
Wed Jul 11 16:35:27 EDT 2012


So if I understand you right...
 out of the full: 
pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=private

I just use
Pkcs11: CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00

Sorry for asking to be spoon-fed. I have very limited attempts to log in before my card locks itself.

-----Original Message-----
From: David Woodhouse [mailto:dwmw2 at infradead.org] 
Sent: Wednesday, July 11, 2012 2:40 PM
To: Mcclelland, Michael B Mr CTR USN USA
Cc: openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Wed, 2012-07-11 at 13:59 -0400, Mcclelland, Michael B Mr CTR USN USA
wrote:
> The fedora setup was extremely easy by comparison to Ubuntu and the
> p11 tools command actually lists my certs unlike the Ubuntu build.
> Openconnect worked immediately with the CAC card too.  Unfortunately,
> I mistyped the openconnect command and it locked out my CAC.  I can
> get it unlocked today but I would like to move ahead with rebuilding
> the gui to support certificate selection to protect myself from my
> clumsy typing.

The GUI in Fedora is the latest there is; it doesn't yet let you select
a certificate from your token. But you can configure it that way by
hand, and then it does *work* for connecting. Configure all the *other*
details through the UI, but not the certificate. Then, as root, edit the
file in /etc/NetworkManager/system-connections/ which corresponds to
your VPN connection, and put the PKCS#11 URL into the 'usercert=' line.

You can ignore the userkey= line and leave it empty. Just put the URL,
*without* the ;object-type=xxx attribute part that distinguishes between
key and cert, into the usercert= line.

Some parts of the URL are optional; you probably only really need the
ID. My test case looks like this:
usercert=pkcs11:id=0%d5%fd%2b%ae%f2%98%ff%9b%c3S%95%7ds%f8%09%99%ba%5c%c7


-- 
dwmw2
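The URI surgery described above (drop the attribute that distinguishes key from cert, optionally keep only the id) can be done offline, which matters here because every failed connection attempt with the wrong URI costs one of the card's limited PIN retries. The following is an added example written for this page, not code from the thread, from OpenConnect or from NetworkManager: it parses a pkcs11: URI per RFC 7512, strips the object-type attribute (RFC 7512 later renamed it "type"; both are handled), rebuilds the URI, and rewrites the usercert= line of a NetworkManager keyfile. The sample URI is the one quoted in the thread; the sample keyfile contents, the [vpn] section layout, and all function names are assumptions made for the example.

```python
from urllib.parse import quote, unquote_to_bytes

# Sample input: the full URI quoted in the thread, as a PKCS#11 listing tool prints it.
FULL_URI = (
    "pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;"
    "library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;"
    "token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;"
    "object=CAC%20Email%20Encryption%20Certificate;object-type=private"
)

# Constructed sample keyfile (assumed layout of /etc/NetworkManager/system-connections/<name>).
SAMPLE_KEYFILE = """[connection]
id=work-vpn
type=vpn

[vpn]
gateway=vpn.example.com
usercert=
userkey=
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
method=auto
"""


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into an ordered list of (name, raw-bytes) path attributes.

    Values are percent-decoded to bytes, not str, because 'id' is an arbitrary
    byte string (the thread's example id is %00%03, i.e. two bytes 0x00 0x03).
    Query attributes after '?' (pin-value, module-path, ...) are not needed here.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, _query = rest.partition("?")
    attrs = []
    for component in path.split(";"):
        if not component:
            continue
        name, eq, value = component.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute: {component!r}")
        attrs.append((name.lower(), unquote_to_bytes(value)))
    return attrs


def build_pkcs11_uri(attrs):
    """Re-encode attributes; anything outside the unreserved set is percent-escaped.

    Escaping more than RFC 7512 strictly requires is still a valid URI, and it
    keeps spaces and NUL bytes (present in the CoolKey library description) safe.
    """
    return "pkcs11:" + ";".join(f"{name}={quote(value, safe='-._~')}" for name, value in attrs)


def usercert_uri(uri, minimal=False):
    """Value for the usercert= line: the URI without the key/cert selector.

    With minimal=True only the 'id' attribute is kept, matching the short form
    shown in the thread; the object's id is shared by the certificate and its key.
    """
    kept = [(n, v) for n, v in parse_pkcs11_uri(uri) if n not in ("object-type", "type")]
    if minimal:
        kept = [(n, v) for n, v in kept if n == "id"]
        if not kept:
            raise ValueError("URI has no id attribute to select the object by")
    return build_pkcs11_uri(kept)


def set_usercert(keyfile_text, uri):
    """Return the keyfile with the [vpn] section's usercert= line set to uri.

    Line based on purpose: configparser would lower-case keys and reflow a file
    that NetworkManager owns. userkey= is left untouched, as the thread advises.
    """
    out, section, done = [], None, False
    for line in keyfile_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if section == "vpn" and not done:      # leaving [vpn] without a usercert= line
                out.append(f"usercert={uri}")
                done = True
            section = stripped[1:-1]
        elif section == "vpn" and stripped.startswith("usercert=") and not done:
            line = f"usercert={uri}"
            done = True
        out.append(line)
    if section == "vpn" and not done:              # [vpn] was the last section
        out.append(f"usercert={uri}")
        done = True
    if not done:
        raise ValueError("keyfile has no [vpn] section")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(usercert_uri(FULL_URI))                   # full URI minus ;object-type=private
    print(usercert_uri(FULL_URI, minimal=True))     # pkcs11:id=%00%03
    print(set_usercert(SAMPLE_KEYFILE, usercert_uri(FULL_URI, minimal=True)))
```

Run it as root against the real keyfile only after reading the output on the sample; the rewritten file still has to be re-read by NetworkManager before the change is used. The minimal id-only form is convenient but only unambiguous when one token is present; on a multi-token machine keep the token= attribute as well.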

