Openconnect with PKCS11 on Ubuntu 12.10

Lee Matthews lee_matthews at
Fri Sep 21 13:25:23 EDT 2012

David Woodhouse <dwmw2 <at>> writes:

> On Wed, 2012-09-19 at 19:03 +0000, Lee Matthews wrote:
> > 
> > David Woodhouse <dwmw2 <at>> writes:
> > Sorry about not posting the URL, 
> > the lines longer than 80 character thing was killing me...
> So ignore it and post long lines :)
> > Here is the URL:
> > Using PKCS#11 certificate pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%
> > Using PKCS#11 key pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%
> > Error importing PKCS#11 URL pkcs11:model=1.0;manufacturer=Gnome%
> OK, so it looks like you specified only the id= part of the URL;
> OpenConnect itself added the object-type and pin-source parts.
> However, if the private key isn't visible without a login (which I'm
> inferring is true since you were trying p11tool --login), looking it up
> by its ID doesn't work. You have to specify the token too.
> OpenConnect tries to work around this by *guessing* which token it's in.
> By looking for a visible *certificate* with the same ID. I'm guessing
> there is such a certificate in your GNOME Keyring token?
> Try adding an appropriate model= or token= parameter to the URL that you
> give on the command line. And if you can send me the output of a working
> --list-all-certs command, that might be enlightening. I'd like to know
> if OpenConnect is doing something *wrong* when it tries to guess which
> token to find the key in.

I have made some progress. My 1st issue was there was 
no /etc/gnutls/pkcs11.conf.
Once I created that and added load=/usr/lib/ things started to 
sudo p11tool --list-all --login does not give the segmentation fault now.
I figured out what to pass in the pkcs11 URL and I am getting farther along 

Thanks again for your help, suggestions, patience and quick responses. I will 
test some more tonight when offsite.
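The token-guessing behaviour David describes above (look for a visible certificate with the same ID, then assume the private key lives in that token) is easy to see in a small model. The following is an added example, not OpenConnect's or GnuTLS's code: the object table, the CKA_ID value and the token names are constructed sample data, and `parse_pkcs11_uri` / `resolve_key` are hypothetical helpers written for this illustration.

```python
"""Model of pkcs11: URI attribute parsing and the "which token holds the
key?" guess discussed in the thread.  Added example, not OpenConnect code."""
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri):
    """Return {attribute: decoded bytes} for a pkcs11: URI (RFC 7512 layout).
    Path attributes (token=, id=, ...) are ';'-separated; query attributes
    (pin-source=, module-name=, ...) are '&'-separated.  Values are
    percent-encoded, so e.g. id=%01%02%ab decodes to b'\\x01\\x02\\xab'."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for component, sep in ((path, ";"), (query, "&")):
        for part in filter(None, component.split(sep)):
            name, eq, value = part.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {part!r}")
            attrs[name] = unquote_to_bytes(value)
    return attrs


# Constructed token contents.  login_required models "not visible until
# the token is logged in", which is the situation in the thread.
KEY_ID = b"\x01\x02\xab"
OBJECTS = [
    {"token": "GNOME Keyring", "type": "cert",    "id": KEY_ID, "login_required": False},
    {"token": "GNOME Keyring", "type": "private", "id": KEY_ID, "login_required": True},
    {"token": "Smart Card",    "type": "private", "id": KEY_ID, "login_required": True},
]


def visible(obj, logged_in):
    """An object is visible if it needs no login or its token is logged in."""
    return not obj["login_required"] or obj["token"] in logged_in


def resolve_key(uri, objects, logged_in=frozenset()):
    """Pick the token and private key a URI refers to.

    With token= present the match is direct.  With only id=, mimic the guess
    described in the thread: find a *visible* certificate carrying the same
    CKA_ID and assume the key lives in that token.  Returns (token, key) or
    None when no token, or more than one token, could be the right one."""
    attrs = parse_pkcs11_uri(uri)
    key_id = attrs.get("id")
    if key_id is None:
        return None
    token = attrs["token"].decode() if "token" in attrs else None
    if token is None:
        candidates = {o["token"] for o in objects
                      if o["type"] == "cert" and o["id"] == key_id
                      and visible(o, logged_in)}
        if len(candidates) != 1:
            return None          # nothing to guess from, or ambiguous
        token = candidates.pop()
    for o in objects:
        if o["type"] == "private" and o["id"] == key_id and o["token"] == token:
            return token, o
    return None


if __name__ == "__main__":
    id_only = "pkcs11:id=%01%02%ab"
    print(resolve_key(id_only, OBJECTS))                       # guessed via visible cert
    print(resolve_key("pkcs11:token=Smart%20Card;id=%01%02%ab", OBJECTS))  # direct
    no_cert = [o for o in OBJECTS if o["type"] != "cert"]
    print(resolve_key(id_only, no_cert))                       # None: no cert to guess from
```

The third call is the failure mode from the thread: with only `id=` and no certificate visible before login, there is no way to know which token to log in to, so the lookup fails. Adding `token=` (or `model=`) to the URL removes the guess entirely, which is the fix suggested above; the same goes for the ambiguous case where two tokens expose certificates with the same ID.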

