So if I understand you right... out of the full:

pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=private

I just use

Pkcs11: CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00

Sorry for asking to be spoon fed. I have very limited attempts to log in before my card locks itself.

-----Original Message-----
From: David Woodhouse [mailto:dwmw2 at infradead.org]
Sent: Wednesday, July 11, 2012 2:40 PM
To: Mcclelland, Michael B Mr CTR USN USA
Cc: openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Wed, 2012-07-11 at 13:59 -0400, Mcclelland, Michael B Mr CTR USN USA wrote:
> The Fedora setup was extremely easy by comparison to Ubuntu and the
> p11 tools command actually lists my certs unlike the Ubuntu build.
> Openconnect worked immediately with the CAC card too. Unfortunately,
> I mistyped the openconnect command and it locked out my CAC. I can
> get it unlocked today but I would like to move ahead with rebuilding
> the gui to support certificate selection to protect myself from my
> clumsy typing.

The GUI in Fedora is the latest there is; it doesn't yet let you select a certificate from your token. But you can configure it that way by hand, and then it does *work* for connecting.

Configure all the *other* details through the UI, but not the certificate. Then, as root, edit the file in /etc/NetworkManager/system-connections/ which corresponds to your VPN connection, and put the PKCS#11 URL into the 'usercert=' line. You can ignore the userkey= line and leave it empty.

Just put the URL, *without* the ;object-type=xxx attribute part that distinguishes between key and cert, into the usercert= line. Some parts of the URL are optional; you probably only really need the ID.

My test case looks like this:

usercert=pkcs11:id=0%d5%fd%2b%ae%f2%98%ff%9b%c3S%95%7ds%f8%09%99%ba%5c%c7

-- 
dwmw2
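The edit described in the reply above, as an added example that is not part of the original thread or of openconnect: a Python helper that takes a full PKCS#11 URL, drops the attribute that distinguishes key from cert, optionally keeps only the ID, and returns the `usercert=` line to paste into the connection file. The function names and the sample URL (with a placeholder token name) are constructed for illustration.

```python
import re

# Attributes that distinguish key from certificate. "object-type" is the
# spelling used in the URL in this thread; "type" is the RFC 7512 name.
TYPE_ATTRS = {"object-type", "type"}

# A '%' that is not followed by two hex digits is a broken escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def parse_pkcs11_url(url):
    """Return the URL's attributes as ordered (name, value) pairs.

    Values are left percent-encoded so binary IDs survive unchanged.
    """
    scheme, sep, rest = url.strip().partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("expected a URL starting with 'pkcs11:'")
    attrs = []
    for part in rest.split(";"):
        if not part:
            continue
        name, eq, value = part.partition("=")
        if not name or not eq:
            raise ValueError(f"malformed attribute: {part!r}")
        if _BAD_ESCAPE.search(value):
            raise ValueError(f"bad percent-escape in {name!r}")
        attrs.append((name, value))
    return attrs


def usercert_line(url, keep=None):
    """Build the usercert= line: drop the key/cert attribute and, if
    'keep' is given, every attribute whose name is not in it."""
    attrs = [(n, v) for n, v in parse_pkcs11_url(url) if n not in TYPE_ATTRS]
    if keep is not None:
        attrs = [(n, v) for n, v in attrs if n in keep]
    if not attrs:
        raise ValueError("no attributes left to identify the certificate")
    return "usercert=pkcs11:" + ";".join(f"{n}={v}" for n, v in attrs)


# Constructed sample modelled on the URL in the thread (placeholder token name).
SAMPLE = ("pkcs11:library-manufacturer=Mozilla%20Foundation;token=EXAMPLE.TOKEN;"
          "id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=private")

if __name__ == "__main__":
    print(usercert_line(SAMPLE))               # full URL minus object-type
    print(usercert_line(SAMPLE, keep={"id"}))  # ID only
```

Generating the line from the URL that the token listing prints, rather than retyping it, avoids the typing mistakes that the thread says can lock the card.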