On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
>
> I don't understand why I export cert to file. I think device should
> block this action because this is my e-signature cert.

No, the non-exportable part is the private key. The certificate is
public, and declares that anyone who can prove that they have that
private key, is whoever is identified as the subject of the certificate.

If you go to secure web sites, you can inspect their *certificates* to
check who they are. That's kind of the point. What you can't get is
their matching private key.

And later...

On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
> Do I need specify 'type=private' to say 'use my private cert for user
> cert'?

No, OpenConnect needs to use *both* the certificate and the
corresponding private key. It will append ';type=cert' or
';type=private' to the URI you give it, as appropriate.

Note that it still isn't *exporting* the private key; it's using it
in-place.

TBH if OpenSC is supposed to drive this card, I really think you're
better off pursuing that approach rather than persisting with the broken
proprietary PKCS#11 token.

Can you try
  opensc-tool -l
  opensc-tool --atr
  opensc-tool --name
as described in the 'Debugging OpenSC' link I gave you?

--
dwmw2
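
Added example, not part of the original message and not OpenConnect's own code: a Python sketch of turning one PKCS#11 URI into the certificate URI and the private-key URI, as the reply above describes. It assumes RFC 7512 URI syntax; the function names and the sample token URI are constructed for illustration.

```python
# Added illustration (not OpenConnect code). Assumes RFC 7512 PKCS#11 URIs:
#   pkcs11:<path attrs separated by ';'>[?<query attrs separated by '&'>]
PREFIX = "pkcs11:"
OBJECT_TYPES = {"cert", "private"}


def with_type(uri: str, kind: str) -> str:
    """Return `uri` narrowed to objects of type `kind` ('cert' or 'private').

    'type' is a path attribute, so it must be placed before any '?query'
    part; blindly appending ';type=...' to a URI that carries
    '?pin-source=...' would put it in the wrong component.
    """
    if kind not in OBJECT_TYPES:
        raise ValueError(f"unsupported object type: {kind!r}")
    if not uri.startswith(PREFIX):
        raise ValueError("not a PKCS#11 URI")
    path, sep, query = uri[len(PREFIX):].partition("?")
    # Drop any type the caller already gave (a choice made by this sketch),
    # then add the one needed for this lookup.
    attrs = [a for a in path.split(";") if a and not a.startswith("type=")]
    attrs.append(f"type={kind}")
    return PREFIX + ";".join(attrs) + sep + query


def cert_and_key_uris(uri: str) -> tuple[str, str]:
    """Both objects are looked up on the token; neither URI exports the key."""
    return with_type(uri, "cert"), with_type(uri, "private")


# Constructed sample URI (token name, id and PIN path are made up).
SAMPLE = "pkcs11:token=ExampleToken;id=%01?pin-source=file:/run/pin"

if __name__ == "__main__":
    for derived in cert_and_key_uris(SAMPLE):
        print(derived)
```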