Openconnect with PKCS11 on Ubuntu 12.10

David Woodhouse dwmw2 at
Wed Sep 19 15:08:59 EDT 2012

On Wed, 2012-09-19 at 19:03 +0000, Lee Matthews wrote:
> David Woodhouse <dwmw2 <at>> writes:

> Sorry about not posting the URL, 
> the lines longer than 80 character thing was killing me...

So ignore it and post long lines :)

> Here is the URL:
> Using PKCS#11 certificate pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=cert;pin-source=openconnect%3a0xb8ce0ee8
> Using PKCS#11 key pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private;pin-source=openconnect%3a0xb8ce0ee8
> Error importing PKCS#11 URL pkcs11:model=1.0;manufacturer=Gnome%20Keyring;token=Gnome2%20Key%20Storage;id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private;pin-source=openconnect%3a0xb8ce0ee8:

OK, so it looks like you specified only the id= part of the URL;
OpenConnect itself added the object-type and pin-source parts.

However, if the private key isn't visible without a login (which I'm
inferring is true since you were trying p11tool --login), looking it up
by its ID doesn't work. You have to specify the token too.

OpenConnect tries to work around this by *guessing* which token it's in.
By looking for a visible *certificate* with the same ID. I'm guessing
there is such a certificate in your GNOME Keyring token?

Try adding an appropriate model= or token= parameter to the URL that you
give on the command line. And if you can send me the output of a working
--list-all-certs command, that might be enlightening. I'd like to know
if OpenConnect is doing something *wrong* when it tries to guess which
token to find the key in.
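
The token-guessing workaround described in this message, sketched as an added example that is not part of the original post and is not OpenConnect's own code: it takes a key URL that carries only id= and fills in the token attributes from a visible certificate with the same ID, refusing when there is no match or more than one. The function names are hypothetical and the certificate listing is constructed; its token attributes are copied from the error line quoted above.

```python
from urllib.parse import unquote_to_bytes

TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")

def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into {attribute: percent-encoded value}."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI: " + uri)
    path, _, query = rest.partition("?")  # RFC 7512 query part, if present
    attrs = {}
    for part in path.split(";") + query.split("&"):
        if part:
            name, _, value = part.partition("=")
            attrs[name] = value
    return attrs

def object_id(attrs):
    """Decode id= to raw bytes so that %DE and %de compare equal."""
    return unquote_to_bytes(attrs.get("id", ""))

def qualify_key_uri(key_uri, visible_cert_uris):
    """Add token attributes to a key URI, taken from the visible cert with the same id."""
    key = parse_pkcs11_uri(key_uri)
    if any(a in key for a in TOKEN_ATTRS):
        return key_uri  # the caller already named the token
    tokens = set()
    for cert_uri in visible_cert_uris:
        cert = parse_pkcs11_uri(cert_uri)
        kind = cert.get("object-type", cert.get("type"))
        if kind == "cert" and "id" in key and object_id(cert) == object_id(key):
            tokens.add(tuple((a, cert[a]) for a in TOKEN_ATTRS if a in cert))
    tokens.discard(())  # a cert URI without token attributes tells us nothing
    if len(tokens) != 1:  # no match, or the same id on several tokens: do not guess
        raise LookupError("%d candidate tokens for this id" % len(tokens))
    qualified = dict(tokens.pop())
    qualified.update(key)
    return "pkcs11:" + ";".join(k + "=" + v for k, v in qualified.items())

# Key URI in the form seen in the thread: id= plus the object type, no token.
KEY_URI = "pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private"
# Constructed certificate listing (not real --list-all-certs output).
CERT_URIS = [
    "pkcs11:model=1.0;manufacturer=Gnome%20Keyring;token=Gnome2%20Key%20Storage;"
    "id=u%DEN%E7Oh%0E%C6S%DBA%B0%BC%017%5C%40B%28%C0;object-type=cert",
    "pkcs11:model=1.0;manufacturer=Gnome%20Keyring;token=Example%20Token;"
    "id=%01%02;object-type=cert",
]

if __name__ == "__main__":
    print(qualify_key_uri(KEY_URI, CERT_URIS))
```
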

More information about the openconnect-devel mailing list