Error loading certificate from CAC.

David Woodhouse dwmw2 at infradead.org
Thu Dec 4 04:26:41 PST 2014


On Wed, 2014-12-03 at 17:12 -0600, mrainey wrote:
> Hello,
> 
> I have been working on this problem for a few days now and have 
> exhausted my testing knowledge for this problem.  I currently have a 
> fresh install of Xubuntu 14.10 32-bit on a Dell inspirion 6000.  I am 
> trying to use openconnect to a Cisco VPN server by logging in with a 
> CAC.  I have followed the steps at the link below to enable CAC login.
> 
> http://www.gooze.eu/fr/forums/support/howto-connect-to-cisco-anyconnect-vpn-using-openconnect-and-pki-token
> 
> Xubuntu 14.10 installs the following packages from the repository.
> openconnect 6.00-1
> gnutls-bin 3.2.16
> 
>  From here I run the command
> 
> openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key' vpn.server.srv

So this is shorthand. OpenConnect needs a certificate *and* a key.

You've given it just one string, and it'll helpfully append
';object-type=cert' to find the certificate and ';object-type=private'
to find the private key.

You've showed us that when it tries to find the certificate, it fails.
That's because the cert and matching key have *different* object names.

You can see this for yourself by running:
	p11tool --login --list-all 'pkcs11:manufacturer=piv_II'

This is the key you're using:
Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
        Type: Private key
        Label: PIV AUTH key
        Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; 
        ID: 01

And this is the matching certificate:

Object 2:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert
        Type: X.509 Certificate
        Label: Certificate for PIV Authentication
        ID: 01

Note that the *labels* (the object= part) are different. Which is a bit
bloody stupid, but there you go. You're overspecifying, and that's why
it's not finding the certificate.

Just drop the ;object=KEY%20%AUTH%20key part. And in fact you can drop a
bunch of other redundant stuff too. Just use something simple like:

 -c 'pkcs11:manufacturer=piv_II;id=%01'

... and that should be sufficient to identify *both* the certificate and
the key.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
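The matching behaviour described in the reply, as an added illustration that is not part of the thread or of OpenConnect's own code: a small PKCS#11 URI matcher, run against the two objects p11tool listed above (copied here as constructed sample data), showing why the overspecified URI finds the key but not the certificate while the shortened one finds both. The attribute-by-attribute comparison is an assumption of this example; real lookups are done by the PKCS#11 module and p11-kit.

```python
from urllib.parse import unquote

# The two objects p11tool reported for this token (sample data taken from the
# thread above, one per line).
TOKEN_OBJECTS = [
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;"
    "token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;"
    "object=PIV%20AUTH%20key;object-type=private",
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;"
    "token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;"
    "object=Certificate%20for%20PIV%20Authentication;object-type=cert",
]


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into its path attributes (RFC 7512 layout)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key] = unquote(value)  # %20 -> ' ', %01 -> '\x01'
    return attrs


def matches(query, obj):
    """Every attribute given in the query must equal the object's attribute."""
    wanted, have = parse_pkcs11_uri(query), parse_pkcs11_uri(obj)
    return all(have.get(k) == v for k, v in wanted.items())


def lookup(user_uri, object_type, objects=TOKEN_OBJECTS):
    """Mimic OpenConnect appending ';object-type=...' and searching the token."""
    query = f"{user_uri};object-type={object_type}"
    return [o for o in objects if matches(query, o)]


if __name__ == "__main__":
    verbose = "pkcs11:manufacturer=piv_II;id=%01;object=PIV%20AUTH%20key"
    short = "pkcs11:manufacturer=piv_II;id=%01"
    for uri in (verbose, short):
        for kind in ("cert", "private"):
            print(f"{uri} + object-type={kind}: {len(lookup(uri, kind))} match(es)")
```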