openconnect with Belgian EID

David Woodhouse dwmw2 at
Tue Nov 5 10:14:00 EST 2013

On Tue, 2013-11-05 at 15:56 +0100, Christof Haerens wrote:
> So the ID 02 is Authentication, which is the one I use in openconnect -c pkcs11:
> The ID 04(label CA) I should export and then pass to openconnect with the --cafile option?

That or the 'Root' one. I'd export them *both* and put them in a single
file and use that with the --cafile option.

If either of them are responsible for signing your personal cert, then
OpenConnect will include them in its SSL negotiation, and that can often
'help' the server to realise that it actually *does* trust the cert in

If that's the issue, then perhaps OpenConnect needs to be taught to go
looking for these 'supporting' certs in the PKCS#11 store, as well as
the --cafile. But then again, perhaps GnuTLS ought to do that for
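
The step suggested above (export both the 'CA' and the 'Root' certificate, put them in a single file, pass it with --cafile), as an added example that is not part of the original message or of OpenConnect itself. It assumes the certificates are exported with OpenSC's `pkcs11-tool`, which writes raw DER; the function and file names are hypothetical, and `<ROOT_ID>` is a placeholder because the thread does not give the ID of the 'Root' object.

```shell
#!/bin/sh
# Added example: build one PEM bundle for `openconnect --cafile` from
# certificates exported from the token. Names below are hypothetical.
#
# Export step (needs the card; shown for context, not run here). ID 04 is the
# 'CA' object from the thread; <ROOT_ID> is a placeholder:
#   pkcs11-tool --read-object --type cert --id 04 --output-file ca.der
#   pkcs11-tool --read-object --type cert --id <ROOT_ID> --output-file root.der

# Print one certificate as PEM. A file that already has a PEM header is passed
# through (awk guarantees a final newline); anything else is treated as DER.
cert_to_pem() {
    if LC_ALL=C grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        awk 1 "$1"
    else
        echo '-----BEGIN CERTIFICATE-----'
        base64 < "$1" | tr -d '\n' | fold -w 64
        echo
        echo '-----END CERTIFICATE-----'
    fi
}

# build_cafile OUT CERT...  Concatenate all certificates into OUT as PEM.
# OUT is only written if every input could be read.
build_cafile() {
    out=$1; shift
    [ "$#" -gt 0 ] || { echo "usage: build_cafile OUT CERT..." >&2; return 2; }
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "build_cafile: $f is missing or empty" >&2
            rm -f "$tmp"; return 1
        fi
        cert_to_pem "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
    done
    mv "$tmp" "$out"
}

# Count the certificates in a bundle, as a sanity check before use.
count_certs() {
    LC_ALL=C grep -cx -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage:
#   build_cafile eid-chain.pem ca.der root.der
#   openconnect -c 'pkcs11:...' --cafile eid-chain.pem <server>
```
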




More information about the openconnect-devel mailing list