openconnect with Belgian EID

Christof Haerens christof at
Tue Nov 5 09:56:00 EST 2013


Thanks for your reply.
I must say I'm not really a cert expert.

So I guess what you are saying is that I should also link the CA of my EID to openconnect?

When I list the certs on my EID I get this list:

% p11tool --list-certs --login
Token 'BELPIC (Basic PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=930D224B9E012C44;token=BELPIC%20%28Basic%20PIN%29' requires user PIN
Enter PIN:
Object 0:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%02;object=Authentication;object-type=cert
     Type: X.509 Certificate
     Label: Authentication
     ID: 02

Object 1:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%03;object=Signature;object-type=cert
     Type: X.509 Certificate
     Label: Signature
     ID: 03

Object 2:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert
     Type: X.509 Certificate
     Label: CA
     ID: 04

Object 3:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%06;object=Root;object-type=cert
     Type: X.509 Certificate
     Label: Root
     ID: 06

So ID 02 is Authentication, which is the one I use in openconnect -c pkcs11:
ID 04 (label CA) I should export and then pass to openconnect with the --cafile option?


On 11/05/2013 01:36 PM, David Woodhouse wrote:
> On Tue, 2013-11-05 at 11:20 +0100, Christof Haerens wrote:
>> I try to connect to cisco with openconnect and my Belgian EID card. My
>> access is ok and no user/pw is needed. This is verified with my card
>> and using the anyconnect on windows.
> Hm, that really looks like it *ought* to be working. The only thing I
> can think of is that your server might need the full certificate trust
> chain, instead of just the 'leaf' cert itself. Can you ensure that your
> certificate authorities are installed correctly (or just use the
> --cafile option), and that you have a full trust chain for your personal
> cert? That way, openconnect will *offer* that chain on the wire, which
> might help with authentication.
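A worked example added here (not openconnect's or GnuTLS's own code) that parses the pkcs11: URLs p11tool printed above, picks the Authentication object as the leaf and the CA and Root objects as issuers, and emits the p11tool, openssl and openconnect lines to build and check a --cafile bundle. The object labels, the output file names, the `p11tool --export`/`--outfile` options, the `openssl verify` check and `<server>` are assumptions.

```python
import shlex
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample: the four URLs from the p11tool listing, serial masked as there.
TOKEN = "model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29"
LIB = "pkcs11:library-description=Smart%20card%20PKCS%2311%20API;;"
URLS = [
    LIB + TOKEN + ";id=%02;object=Authentication;object-type=cert",
    LIB + TOKEN + ";id=%03;object=Signature;object-type=cert",
    LIB + TOKEN + ";id=%04;object=CA;object-type=cert",
    LIB + TOKEN + ";id=%06;object=Root;object-type=cert",
]

def parse_pkcs11_url(url):
    """Split a pkcs11: URL (RFC 7512 path part) into percent-decoded attributes.
    Empty components such as the ';;' p11tool prints are skipped; 'id' is kept
    as a hex string so it matches the 'ID:' line in the listing."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URL: " + url)
    attrs = {}
    for comp in url[len("pkcs11:"):].split(";"):
        if not comp:
            continue
        name, _, value = comp.partition("=")
        attrs[name] = unquote_to_bytes(value).hex() if name == "id" else unquote(value)
    return attrs

def select_chain(urls):
    """Return (leaf_url, [issuer urls]) by the BELPIC labels (assumption: the
    labels are exactly those in the listing): 'Authentication' is the client
    cert given to -c, 'CA' then 'Root' are the issuers that go into --cafile."""
    by_label = {parse_pkcs11_url(u)["object"]: u for u in urls}
    issuers = [by_label[lbl] for lbl in ("CA", "Root") if lbl in by_label]
    return by_label.get("Authentication"), issuers

def export_commands(urls, bundle="eid-chain.pem"):
    """Shell lines that export the certs, bundle the issuers into one PEM file,
    check that the leaf actually chains to the root, then use the bundle."""
    leaf, issuers = select_chain(urls)
    names = [parse_pkcs11_url(u)["object"].lower() + ".pem" for u in issuers]
    lines = [f"p11tool --export {shlex.quote(u)} --outfile {n}" for u, n in zip(issuers, names)]
    lines.append(f"p11tool --export {shlex.quote(leaf)} --outfile auth.pem")
    lines.append("cat " + " ".join(names) + " > " + bundle)
    # Local check before touching the VPN: does auth.pem verify against the bundle?
    lines.append(f"openssl verify -CAfile {names[-1]} -untrusted {names[0]} auth.pem")
    lines.append(f"openconnect -c {shlex.quote(leaf)} --cafile {bundle} <server>")
    return lines
```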
