read cert from smart card
Mithat Bozkurt
mithatbozkurt at gmail.com
Wed Feb 24 05:19:43 PST 2016
I am running on ubuntu
mithat at adige:/etc/pkcs11/modules$ p11tool --export
'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' |
openssl x509 -noout -text
Error in pkcs11_export:257: The requested data were not available.
unable to load certificate
139988361840272:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
mithat at adige:/etc/pkcs11/modules$ p11tool --export
'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' |
openssl x509 -noout -text
Error in pkcs11_export:257: The requested data were not available.
unable to load certificate
140102225475216:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
2016-02-24 15:00 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
>> I completely understand what you say now. I wil contact with TUBITAK
>> on that why i .
>>
>> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32
>
> ...
>
> OK, so you have two certificates in your device, and it's given you the
> *full* PKCS#11 URI for each of them. Note that you don't have to use
> the full URI to specify it — you only need enough to be unique. Which
> is why you could specify the token by only its serial number; you
> didn't need to include the messy model/manufacturer/token fields too.
>
> Likewise, it looks like you can specify your certificates/keys by only
> their label (the object=xxx part), and don't need to specify the ID.
>
> A simple PKCS#11 URI you can use with OpenConnect is either
> pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
> or
> pkcs11:serial=0036218D34081A32;object=62917107586NES0
>
> (Because of the semicolon, make sure you put it in quotes on the
> OpenConnect command line).
>
> If you compare with your p11tool output, you'll note that each partial
> URI above actually matches one than one object. When OpenConnect
> automatically adds ';type=cert' it gets the X.509 certificate, and when
> it adds 'type=private' it gets the corresponding private key.
>
> To work out *which* of those two cert+key pairs you need, either just
> try each one, or you can inspect the certs by running:
>
> p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
> or
> p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text
>
>
> If you are running on Fedora, at this point it is considered a bug for
> *any* application which accepts certs in filenames, not to accept the
> above PKCS#11 URIs instead of a filename. Please file bugs if you find
> any such applications, and Cc me.
>
> --
> David Woodhouse Open Source Technology Centre
> David.Woodhouse at intel.com Intel Corporation
>
More information about the openconnect-devel
mailing list