On Tue, 2013-11-05 at 15:56 +0100, Christof Haerens wrote:
>
> So the ID 02 is Authentication, which is the one I use in openconnect -c pkcs11:
> The ID 04(label CA) I should export and then pass to openconnect with the --cafile option?

That or the 'Root' one. I'd export them *both* and put them in a single file and use that with the --cafile option.

If either of them are responsible for signing your personal cert, then OpenConnect will include them in its SSL negotiation, and that can often 'help' the server to realise that it actually *does* trust the cert in question.

If that's the issue, then perhaps OpenConnect needs to be taught to go looking for these 'supporting' certs in the PKCS#11 store, as well as the --cafile. But then again, perhaps GnuTLS ought to do that for itself. Nikos?

-- 
dwmw2