On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
> I completely understand what you say now. I will contact with TUBITAK
> on that why i??.
>
> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32
...

OK, so you have two certificates in your device, and it's given you the
*full* PKCS#11 URI for each of them.

Note that you don't have to use the full URI to specify it - you only
need enough to be unique. Which is why you could specify the token by
only its serial number; you didn't need to include the messy
model/manufacturer/token fields too.

Likewise, it looks like you can specify your certificates/keys by only
their label (the object=xxx part), and don't need to specify the ID.

A simple PKCS#11 URI you can use with OpenConnect is either
    pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
or
    pkcs11:serial=0036218D34081A32;object=62917107586NES0

(Because of the semicolon, make sure you put it in quotes on the
OpenConnect command line).

If you compare with your p11tool output, you'll note that each partial
URI above actually matches more than one object. When OpenConnect
automatically adds ';type=cert' it gets the X.509 certificate, and when
it adds 'type=private' it gets the corresponding private key.

To work out *which* of those two cert+key pairs you need, either just
try each one, or you can inspect the certs by running:

p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text

or

p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text

If you are running on Fedora, at this point it is considered a bug for
*any* application which accepts certs in filenames, not to accept the
above PKCS#11 URIs instead of a filename. Please file bugs if you find
any such applications, and Cc me.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
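
The partial-URI matching described in the message above, as an added example that is not part of the original mail or of OpenConnect's code: a small RFC 7512 path-attribute parser and matcher showing why the label-only URI hits two objects and how appending `type=` makes it unique. The object inventory is constructed; the serial and labels come from the thread, and the `id` values are placeholders.

```python
from urllib.parse import unquote

def parse_pkcs11_uri(uri):
    """Split the path component of a PKCS#11 URI (RFC 7512) into an attribute dict."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # query attributes (e.g. pin-source) are not match criteria
    attrs = {}
    for part in filter(None, path.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote(value)  # values are percent-encoded
    return attrs

def match(uri, objects):
    """Return every object that agrees with all attributes present in the URI."""
    want = parse_pkcs11_uri(uri)
    return [o for o in objects if all(o.get(k) == v for k, v in want.items())]

def resolve_unique(uri, objects):
    """Return the single matching object; refuse ambiguous or empty matches."""
    hits = match(uri, objects)
    if len(hits) != 1:
        raise LookupError(f"{uri!r} matches {len(hits)} objects, expected exactly 1")
    return hits[0]

# Constructed inventory: two cert+key pairs on one token. "id" values are placeholders.
SERIAL = "0036218D34081A32"
OBJECTS = [
    {"serial": SERIAL, "object": "62917107586SIGN0", "id": "01", "type": "cert"},
    {"serial": SERIAL, "object": "62917107586SIGN0", "id": "01", "type": "private"},
    {"serial": SERIAL, "object": "62917107586NES0", "id": "02", "type": "cert"},
    {"serial": SERIAL, "object": "62917107586NES0", "id": "02", "type": "private"},
]
PARTIAL = f"pkcs11:serial={SERIAL};object=62917107586NES0"

if __name__ == "__main__":
    print("token only:", len(match(f"pkcs11:serial={SERIAL}", OBJECTS)), "objects")
    print("label only:", len(match(PARTIAL, OBJECTS)), "objects")
    for kind in ("cert", "private"):  # the suffixes OpenConnect appends per the mail
        print(kind, "->", resolve_unique(f"{PARTIAL};type={kind}", OBJECTS))
```

A script that selects a signing key for automation should fail closed on an ambiguous URI, as `resolve_unique` does, rather than take the first match.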