On Wed, 2014-12-03 at 17:12 -0600, mrainey wrote:
> Hello,
>
> I have been working on this problem for a few days now and have
> exhausted my testing knowledge for this problem. I currently have a
> fresh install of Xubuntu 14.10 32-bit on a Dell Inspiron 6000. I am
> trying to use openconnect to a Cisco VPN server by logging in with a
> CAC. I have followed the steps at the link below to enable CAC login.
>
> http://www.gooze.eu/fr/forums/support/howto-connect-to-cisco-anyconnect-vpn-using-openconnect-and-pki-token
>
> Xubuntu 14.10 installs the following packages from the repository.
> openconnect 6.00-1
> gnutls-bin 3.2.16
>
> From here I run the command
>
> openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key' vpn.server.srv

So this is shorthand. OpenConnect needs a certificate *and* a key. You've given it just one string, and it'll helpfully append ';object-type=cert' to find the certificate and ';object-type=private' to find the private key.

You've shown us that when it tries to find the certificate, it fails. That's because the cert and matching key have *different* object names.
You can see this for yourself by running:

    p11tool --login --list-all 'pkcs11:manufacturer=piv_II'

This is the key you're using:

    Object 0:
            URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
            Type: Private key
            Label: PIV AUTH key
            Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
            ID: 01

And this is the matching certificate:

    Object 2:
            URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert
            Type: X.509 Certificate
            Label: Certificate for PIV Authentication
            ID: 01

Note that the *labels* (the object= part) are different. Which is a bit bloody stupid, but there you go.

You're overspecifying, and that's why it's not finding the certificate. Just drop the ;object=PIV%20AUTH%20key part. And in fact you can drop a bunch of other redundant stuff too. Just use something simple like:

    -c 'pkcs11:manufacturer=piv_II;id=%01'

... and that should be sufficient to identify *both* the certificate and the key.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
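The following Python script is an added illustration of the matching rule David describes; it is not code from this thread, from OpenConnect or from GnuTLS/p11-kit. It parses PKCS#11 URIs (RFC 7512 path attributes, percent-decoded, `id` treated as binary CKA_ID) and matches them against a constructed copy of the two objects from the p11tool listing above, using the rule that every attribute present in the URI must equal the object's attribute and attributes absent from the URI act as wildcards. `openconnect_lookup` then mimics the behaviour the reply describes, appending `;object-type=cert` and `;object-type=private` to the single `-c` string. The object list, function names and the omission of slot/library/module attributes are simplifications assumed for the example.

```python
"""PKCS#11 URI matching demo: why an over-specified URI finds the key but not the cert."""
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample (assumption for this example): the two objects p11tool
# listed on the PIV card in the thread. The labels ("object") differ while
# the CKA_ID (0x01) is shared.
TOKEN_OBJECTS = [
    {
        "model": "PKCS#15 emulated",
        "manufacturer": "piv_II",
        "serial": "06b508843810d7f6",
        "token": "PIV_II (PIV Card Holder pin)",
        "id": b"\x01",
        "object": "PIV AUTH key",
        "object-type": "private",
    },
    {
        "model": "PKCS#15 emulated",
        "manufacturer": "piv_II",
        "serial": "06b508843810d7f6",
        "token": "PIV_II (PIV Card Holder pin)",
        "id": b"\x01",
        "object": "Certificate for PIV Authentication",
        "object-type": "cert",
    },
]


def parse_pkcs11_uri(uri):
    """Parse the path component of a pkcs11: URI (RFC 7512) into a dict.

    Attributes are ';'-separated key=value pairs, percent-encoded. 'id' is a
    binary CKA_ID, so it is decoded to bytes; everything else to str. The
    optional '?' query part (module-path, pin-value, ...) is ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].partition("?")[0]
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % part)
        if key in attrs:  # RFC 7512: each path attribute may appear at most once
            raise ValueError("duplicate attribute: %r" % key)
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs


def find_objects(uri, objects=TOKEN_OBJECTS):
    """Return every object whose attributes equal all attributes in the URI.

    Attributes absent from the URI are wildcards, so a shorter URI matches
    more objects; an extra attribute that only one object has excludes the rest.
    """
    wanted = parse_pkcs11_uri(uri)
    return [o for o in objects if all(o.get(k) == v for k, v in wanted.items())]


def openconnect_lookup(uri, objects=TOKEN_OBJECTS):
    """Mimic the behaviour described in the reply: the one -c URI is used
    twice, with ';object-type=cert' and ';object-type=private' appended.
    Returns (certificates found, private keys found)."""
    certs = find_objects(uri + ";object-type=cert", objects)
    keys = find_objects(uri + ";object-type=private", objects)
    return certs, keys


# The URI from the original post (label of the *key* included) and the
# minimal one suggested in the reply.
OVERSPECIFIED = (
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;"
    "serial=06b508843810d7f6;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;"
    "id=%01;object=PIV%20AUTH%20key"
)
MINIMAL = "pkcs11:manufacturer=piv_II;id=%01"

if __name__ == "__main__":
    for label, uri in (("over-specified", OVERSPECIFIED), ("minimal", MINIMAL)):
        certs, keys = openconnect_lookup(uri)
        print("%s URI: %d cert(s), %d key(s)" % (label, len(certs), len(keys)))
```

Running it shows the over-specified URI yielding one key and zero certificates, while the minimal URI yields one of each, because `id=%01` is the attribute the card actually shares between the pair and the label is not.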