I'll agree that it is a bit weird that we are using an email certificate to log in, but for some reason that was the only way that our ASA seemed to work. It was a design choice that happened long before I was on board. In any case I'm up and running on Ubuntu as well. I had one lingering question though regarding certificates:

openconnect --cafile=/etc/ssl/certs/ca-certificates.crt -c 'pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%02;object=CAC%20Email%20Signature%20Certificate' https://server.domain/vpn2

I had to add DOD CA certificates to the system certificate store in order to form a trusted connection. My certificate store appears to work for other applications, but OpenConnect doesn't seem to accept it unless I explicitly add the syntax to do so. Does this imply that OpenConnect is acting upon a warning flag from gnutls?

-----Original Message-----
From: David Woodhouse [mailto:dwmw2 at infradead.org]
Sent: Monday, July 16, 2012 7:31 PM
To: Mcclelland, Michael B Mr CTR USN USA
Cc: 'Mike Miller'; openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Mon, 2012-07-16 at 13:17 -0400, Mcclelland, Michael B Mr CTR USN USA wrote:
> $ openconnect -c 'pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;
> object=CAC%20Email%20Encryption%20Certificate' https://server.domain

Btw, you were using the 'CAC ID Certificate' before, and now you're using
the 'CAC Email Encryption Certificate'. Is that going to work?

--
dwmw2