Hello,

I'm new to the list and have looked back at 6 or so months of archives for threads that look like they deal with smart cards, and have not discovered what I'm looking for. Please forgive me if this is answered and I missed it; I'll happily take the link!

I'm working to enable Linux clients - who use pam_pkcs11, esc, coolkey, etc. to log into their workstations with smart cards - to be able to connect to a smart card enabled Cisco VPN. We're using SCR3310 readers (mostly) and already have the browsers using libcoolkey to access smartcard enabled intranet sites like Outlook Web Access on these clients.

The smart cards are generated completely internally, so when I use p11tool there is no manufacturer or model; only the URL, Label and Type fields are populated. The certificates are all signed by an internal authority.

Here's a small part of the token list:

    $ p11tool --list-tokens
    Token 0:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        Label: System Trust
        Type: Trust module
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1

    Token 1:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        Label: Default Trust
        Type: Trust module
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1

    Token 2:
        URL: pkcs11:model=;manufacturer=;serial=;token=<my token name>
        Label: <my token name>
        Type: Hardware token
        Manufacturer:
        Model:
        Serial:

The rest of the tokens are from Gnome Keyring.

Here's what I've tried:

    $ openconnect -c 'pkcs11:model=;manufacturer=;serial=;token=<my token name>' vpn.example.com
    POST https://vpn.example.com/
    Attempting to connect to server 192.168.1.251:443
    PIN required for <my token name>
    Enter PIN: <XXXXXX>
    Error loading certificate from PKCS#11: The requested data were not available
    Loading certificate failed. Aborting.

I have also tried the same command with --cafile=/etc/pki/nssdb/cert8.db set, since the client system as a whole already has the CAs integrated into the nssdb.
Both methods produce the same result. It does not appear that the card reader is being accessed at all after entering the PIN. I have to be careful here because too many PIN failures will lock the card itself.

Unfortunately, my organization is large; we have several active root CAs and about 35 active intermediates, so I will have to have many certs in this file if NSSdb can't be used.

Questions:

1. Does this look like a CA Trust Failure?
2. What format should the cafile be in?
3. Can we have multiple Roots and Intermediates in the file?

Thank you kindly for listening!