On Sat, 2016-02-20 at 21:35 +0200, Mithat Bozkurt wrote: > Hello > > However I read your html pages mentioned PKCS#11 I couldn't find a way > to use smart > card(ACS 38T) with openconnect. > > My client certificate is in PKCS#11 compliance device and I couldn't > export it due > to it is e-signature cert. > > I installed network-manager-openconnect-gnome and I see only the > following selection. > RSA SecureID read from ~/.stokenrc > RSA SecureID (manually entered) > TOTP (manually entered) > HOTP (manually entered) > > > Do I see PKCS#11 also? No. NetworkManager is completely lacking any GUI to let you select certificates from PKCS#11. This is?https://bugzilla.gnome.org/679860 Thankfully there's a simple workaround. Just configure the connection with a (dummy) file and then edit the resulting configuration file manually and enter the PKCS#11 URI for your certificate. However... > output of "p11tool --list-tokens". There is no my token manufacturer. That looks like your PKCs#11 module hasn't been installed correctly. What is it? Are you using OpenSC (in which case the Ubuntu package seems to be broken), or some third-party device with its own PKCS#11 library that you have to install (in which case their install instructions are broken). You should have a file somewhere like /usr/share/p11-kit/modules which directs p11-kit to load the module in question. https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html > And I can access my certificate for signing a document without any problem. Using what software, and how does it find your PKCS#11 token. Sounds like the software that is working is actually "broken" in some sense of the word too, since it seems *not* to be using the system's p11-kit configuration as it should. -- dwmw2 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160221/51302849/attachment.bin>
