On Wed, 2012-07-11 at 13:59 -0400, Mcclelland, Michael B Mr CTR USN USA wrote:
> The fedora setup was extremely easy by comparison to Ubuntu and the
> p11 tools command actually lists my certs unlike the Ubuntu build.
> Openconnect worked immediately with the CAC card too. Unfortunately,
> I mistyped the openconnect command and it locked out my CAC. I can
> get it unlocked today but I would like to move ahead with rebuilding
> the gui to support certificate selection to protect myself from my
> clumsy typing.

The GUI in Fedora is the latest there is; it doesn't yet let you select
a certificate from your token. But you can configure it that way by
hand, and then it does *work* for connecting.

Configure all the *other* details through the UI, but not the
certificate. Then, as root, edit the file in
/etc/NetworkManager/system-connections/ which corresponds to your VPN
connection, and put the PKCS#11 URL into the 'usercert=' line. You can
ignore the userkey= line and leave it empty. Just put the URL, *without*
the ;object-type=xxx attribute part that distinguishes between key and
cert, into the usercert= line.

Some parts of the URL are optional; you probably only really need the
ID. My test case looks like this:

usercert=pkcs11:id=0%d5%fd%2b%ae%f2%98%ff%9b%c3S%95%7ds%f8%09%99%ba%5c%c7

-- 
dwmw2
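The hand edit described in the message above, as an added example that is not part of the original post or of NetworkManager-openconnect: it drops the key/cert attribute from a PKCS#11 URL and writes the result to the usercert= line of the connection file's text, leaving userkey= empty. The function names, the sample file contents, the `[vpn]` section layout and the `object-type=private` value are assumptions constructed for illustration; `type` is included because that is the attribute's name in RFC 7512.

```python
# Attribute names that mark a URL as "the cert" or "the key":
# 'object-type' as written in the post, 'type' as named in RFC 7512.
TYPE_ATTRS = {"object-type", "type"}

def strip_object_type(url):
    """Return the PKCS#11 URL without the attribute that picks key vs. cert."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URL: %r" % url)
    path, sep, query = url[len("pkcs11:"):].partition("?")
    kept = [a for a in path.split(";")
            if a and a.split("=", 1)[0] not in TYPE_ATTRS]
    return "pkcs11:" + ";".join(kept) + sep + query

def set_usercert(keyfile_text, url):
    """Put the stripped URL on usercert= in [vpn] and leave userkey= empty."""
    cert_line = "usercert=" + strip_object_type(url)
    out, section, done = [], None, False
    for line in keyfile_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if section == "vpn" and not done:  # [vpn] had no usercert= line
                out.append(cert_line)
                done = True
            section = s[1:-1]
        elif section == "vpn" and s.startswith("usercert="):
            line, done = cert_line, True
        elif section == "vpn" and s.startswith("userkey="):
            line = "userkey="
        out.append(line)
    if section == "vpn" and not done:
        out.append(cert_line)
    elif not done:
        raise ValueError("no [vpn] section in connection file")
    return "\n".join(out) + "\n"

# Constructed sample connection file (name and gateway are placeholders).
SAMPLE = """[connection]
id=Example VPN

[vpn]
gateway=vpn.example.com
usercert=
userkey=
"""
# The post's test ID with a constructed key-side attribute appended.
LISTED = ("pkcs11:id=0%d5%fd%2b%ae%f2%98%ff%9b%c3S%95%7ds%f8%09%99%ba%5c%c7"
          ";object-type=private")
if __name__ == "__main__":
    print(set_usercert(SAMPLE, LISTED), end="")
```

The functions work on the file's text only; reading and writing the file under /etc/NetworkManager/system-connections/ still has to be done as root, as the message says.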