Hello Nikos,

However, I tried the --login parameter and no PIN input appears. The result is the same.

mithat at adige:~$ p11tool -d 4 --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert'--login
Setting log level to 4
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: Initializing module: akis
|<2>| p11: Initializing module: gnome-keyring
|<3>| ASSERT: pkcs11.c:503
|<2>| Initializing PKCS #11 modules
|<3>| ASSERT: pkcs11.c:1685
|<3>| ASSERT: pkcs11.c:1824
Error in pkcs11_export:257: The requested data were not available.

BTW, I am getting an e-mail with the subject "Your message to p11-glue awaits moderator approval" from p11-glue. Should I remove p11-glue from the recipients or leave it as it is?

2016-02-25 13:25 GMT+02:00 Mithat Bozkurt <mithatbozkurt at gmail.com>:
> mithat at adige:~$ opensc-tool -l
> # Detected readers (pcsc)
> Nr. Card Features Name
> 0 Yes ACS ACR38U-CCID 00 00
>
> mithat at adige:~$ opensc-tool --atr
> Using reader with a card: ACS ACR38U-CCID 00 00
> 3b:9f:96:81:31:fe:45:80:67:55:45:4b:41:45:12:92:31:80:73:b3:a1:80:6a
>
> mithat at adige:~$ opensc-tool --name
> Using reader with a card: ACS ACR38U-CCID 00 00
> Unsupported card
>
> 2016-02-25 10:45 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
>> On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
>>>
>>> I don't understand why I export cert to file. I think device should
>>> block this action because this is my e-signature cert.
>>
>> No, the non-exportable part is the private key. The certificate is
>> public, and declares that anyone who can prove that they have that
>> private key, is whoever is identified as the subject of the
>> certificate.
>>
>> If you go to secure web sites, you can inspect their *certificates* to
>> check who they are. That's kind of the point. What you can't get is
>> their matching private key.
>>
>> And later...
>>
>> On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
>>> Do I need specify 'type=private' to say 'use my private cert for user
>>> cert'?
>>
>> No, OpenConnect needs to use *both* the certificate and the
>> corresponding private key. It will append ';type=cert' or
>> ';type=private' to the URI you give it, as appropriate. Note that it
>> still isn't *exporting* the private key; it's using it in-place.
>>
>> TBH if OpenSC is supposed to drive this card, I really think you're
>> better off pursuing that approach rather than persisting with the
>> broken proprietary PKCS#11 token.
>>
>> Can you try
>> opensc-tool -l
>> opensc-tool --atr
>> opensc-tool --name
>>
>> as described in the 'Debugging OpenSC' link I gave you?
>>
>> --
>> dwmw2
>>