openconnect with Belgian EID

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

thxs for your reply.
I must say I'm not really a cert expert.

So what I'm guess what you are saying is that I should link also the ca of my EID to openconnect?

When I list the certs on my EID i get this list


% p11tool --list-certs --login
Token 'BELPIC (Basic PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=930D224B9E012C44;token=BELPIC%20%28Basic%20PIN%29' requires user PIN
Enter PIN:
Object 0:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%02;object=Authentication;object-type=cert
     Type: X.509 Certificate
     Label: Authentication
     ID: 02

Object 1:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%03;object=Signature;object-type=cert
     Type: X.509 Certificate
     Label: Signature
     ID: 03

Object 2:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert
     Type: X.509 Certificate
     Label: CA
     ID: 04

Object 3:
     URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%06;object=Root;object-type=cert
     Type: X.509 Certificate
     Label: Root
     ID: 06

So the ID 02 is Authentication, which is the one I use in openconnect -c pkcs11:
The ID 04(label CA) I should export and then pass to openconnect with the --cafile option?

Cheers
Christof


On 11/05/2013 01:36 PM, David Woodhouse wrote:
> On Tue, 2013-11-05 at 11:20 +0100, Christof Haerens wrote:
>> I try to connect to cisco with openconnect and my Belgian EID card. My
>> access is ok and no user/pw is needed. This is verified with my card
>> and using the anyconnect on windows.
> Hm, that really looks like it *ought* to be working. The only thing I
> can think of is that your server might need the full certificate trust
> chain, instead of just the 'leaf' cert itself. Can you ensure that your
> certificate authorities are installed correctly (or just use the
> --cafile option), and that you have a full trust chain for your personal
> cert? That way, openconnect will *offer* that chain on the wire, which
> might help with authentication.
>
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux