Hi, thanks for your reply. I must say I'm not really a cert expert. So I guess what you are saying is that I should also link the CA of my eID to openconnect?

When I list the certs on my eID I get this list:

% p11tool --list-certs --login
Token 'BELPIC (Basic PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=930D224B9E012C44;token=BELPIC%20%28Basic%20PIN%29' requires user PIN
Enter PIN:
Object 0:
	URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%02;object=Authentication;object-type=cert
	Type: X.509 Certificate
	Label: Authentication
	ID: 02

Object 1:
	URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%03;object=Signature;object-type=cert
	Type: X.509 Certificate
	Label: Signature
	ID: 03

Object 2:
	URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert
	Type: X.509 Certificate
	Label: CA
	ID: 04

Object 3:
	URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%06;object=Root;object-type=cert
	Type: X.509 Certificate
	Label: Root
	ID: 06

So ID 02 is Authentication, which is the one I use in openconnect with -c pkcs11:...
The ID 04 (label CA) I should export and then pass to openconnect with the --cafile option?
Cheers
Christof

On 11/05/2013 01:36 PM, David Woodhouse wrote:
> On Tue, 2013-11-05 at 11:20 +0100, Christof Haerens wrote:
>> I'm trying to connect to Cisco with openconnect and my Belgian eID card. My
>> access is OK and no user/password is needed. This is verified with my card
>> and using AnyConnect on Windows.
> Hm, that really looks like it *ought* to be working. The only thing I
> can think of is that your server might need the full certificate trust
> chain, instead of just the 'leaf' cert itself. Can you ensure that your
> certificate authorities are installed correctly (or just use the
> --cafile option), and that you have a full trust chain for your personal
> cert? That way, openconnect will *offer* that chain on the wire, which
> might help with authentication.
>
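The procedure the two messages above sketch (find the CA and Root objects on the token, export them into a PEM bundle, check that the Authentication cert actually chains to it, then hand the bundle to openconnect with --cafile) written out as a shell script. This is an added example and not code from the thread or from the openconnect project. It assumes p11tool (GnuTLS), openssl and openconnect are installed, and the VPN host name vpn.example.com and the output file chain.pem are placeholders. The sample listing embedded in the script is a constructed, shortened copy of the p11tool output in the message (library-* fields dropped, serials masked), included only so the label-to-URL lookup can be exercised without a card. One caveat to keep in mind: openconnect also uses --cafile when it verifies the server's certificate, so if the VPN server's CA is not the eID CA, append that CA to the same bundle or expect the server certificate check to fail.

```shell
#!/bin/sh
# Added example (not from the thread): build the eID client-cert chain from the
# token and pass it to openconnect. Assumes p11tool, openssl and openconnect.

# Constructed, shortened copy of the p11tool --list-certs output from the post;
# used so url_for_label can be tested offline without a card reader.
SAMPLE_LISTING='Object 0:
    URL: pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%02;object=Authentication;object-type=cert
    Type: X.509 Certificate
    Label: Authentication
    ID: 02
Object 1:
    URL: pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%03;object=Signature;object-type=cert
    Type: X.509 Certificate
    Label: Signature
    ID: 03
Object 2:
    URL: pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert
    Type: X.509 Certificate
    Label: CA
    ID: 04
Object 3:
    URL: pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=****;token=BELPIC%20%28Basic%20PIN%29;id=%06;object=Root;object-type=cert
    Type: X.509 Certificate
    Label: Root
    ID: 06'

# url_for_label LISTING LABEL
# Prints the pkcs11: URL of the object whose "Label:" line equals LABEL.
# The URL line precedes the Label line in p11tool output, so remember the
# last URL seen and emit it when the label matches. Prints nothing otherwise.
url_for_label() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "URL:"   { url = $2 }
        $1 == "Label:" { $1 = ""; sub(/^ /, ""); if ($0 == want) { print url; exit } }
    '
}

# export_chain LISTING OUTFILE
# Exports the CA (intermediate) and Root certs from the token as PEM into OUTFILE.
export_chain() {
    listing=$1; out=$2
    : > "$out"
    for label in CA Root; do
        url=$(url_for_label "$listing" "$label")
        [ -n "$url" ] || { echo "no object labelled '$label' on token" >&2; return 1; }
        # p11tool --export writes the certificate object in PEM form to stdout
        p11tool --export "$url" >> "$out" || return 1
    done
}

# verify_leaf CHAINFILE LEAFURL
# Exports the Authentication cert and checks that it chains to the bundle;
# if this fails, offering the chain to the VPN server will not help either.
verify_leaf() {
    p11tool --export "$2" > auth.pem || return 1
    openssl verify -CAfile "$1" auth.pem
}

main() {
    # Same listing command as in the post; the PIN prompt comes from p11tool.
    listing=$(p11tool --list-certs --login) || exit 1
    export_chain "$listing" chain.pem || exit 1
    auth=$(url_for_label "$listing" Authentication)
    [ -n "$auth" ] || { echo "no Authentication cert on token" >&2; exit 1; }
    verify_leaf chain.pem "$auth" || exit 1
    # --cafile supplies the chain openconnect can offer alongside the leaf cert;
    # vpn.example.com is a placeholder for the real gateway.
    openconnect --cafile chain.pem -c "$auth" vpn.example.com
}

# Only touch the card when explicitly asked: ./eid-chain.sh run
case "${1-}" in run) main ;; esac
```

Run it as `sh eid-chain.sh run`; the first p11tool call prompts for the Basic PIN, and the `openssl verify` step is the quick local check that the exported CA and Root really are the issuers of the Authentication cert before spending time on the VPN side.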