I am running on ubuntu mithat at adige:/etc/pkcs11/modules$ p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text Error in pkcs11_export:257: The requested data were not available. unable to load certificate 139988361840272:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE mithat at adige:/etc/pkcs11/modules$ p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text Error in pkcs11_export:257: The requested data were not available. unable to load certificate 140102225475216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE 2016-02-24 15:00 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>: > On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote: >> I completely understand what you say now. I wil contact with TUBITAK >> on that why i . >> >> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32 > > ... > > OK, so you have two certificates in your device, and it's given you the > *full* PKCS#11 URI for each of them. Note that you don't have to use > the full URI to specify it ? you only need enough to be unique. Which > is why you could specify the token by only its serial number; you > didn't need to include the messy model/manufacturer/token fields too. > > Likewise, it looks like you can specify your certificates/keys by only > their label (the object=xxx part), and don't need to specify the ID. > > A simple PKCS#11 URI you can use with OpenConnect is either > pkcs11:serial=0036218D34081A32;object=62917107586SIGN0 > or > pkcs11:serial=0036218D34081A32;object=62917107586NES0 > > (Because of the semicolon, make sure you put it in quotes on the > OpenConnect command line). > > If you compare with your p11tool output, you'll note that each partial > URI above actually matches one than one object. When OpenConnect > automatically adds ';type=cert' it gets the X.509 certificate, and when > it adds 'type=private' it gets the corresponding private key. > > To work out *which* of those two cert+key pairs you need, either just > try each one, or you can inspect the certs by running: > > p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text > or > p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text > > > If you are running on Fedora, at this point it is considered a bug for > *any* application which accepts certs in filenames, not to accept the > above PKCS#11 URIs instead of a filename. Please file bugs if you find > any such applications, and Cc me. > > -- > David Woodhouse Open Source Technology Centre > David.Woodhouse at intel.com Intel Corporation >
