> Wouldn't it help to get the new key fingerprint using a command of > openconnect? Well, openconnect will already show it when you try to connect, but it might be useful to have a way to generate it for an arbitrary certificate from a PEM file. But in some cases the user already *has* the sha1 of the full cert, rather than the full cert itself, and that's perfectly sufficient for them to safely say "yes". FWIW I had thought about other "utility" functions we should add too -- listing the available tap devices under Windows, and listing available PKCS#11 certs/keys rather than requiring p11tool for that. OpenVPN does both of those. Happy (imminent) new year, BTW. -- dwmw2