On 7 April 2011 at 10:18, Jean-Michel Pouré - GOOZE <jmpo...@gooze.eu> wrote:
> On Thursday 07 April 2011 at 10:04 +0200, Ludovic Rousseau wrote:
>> According to
>> http://www.opensc-project.org/doc/pam_pkcs11/pam_pkcs11.html#id298646
>> you must use make_hash_link.sh (now renamed to pkcs11_make_hash_link)
>
> Thanks, I was using c_rehash. This is probably the same, no?
>
>>> I think I understand. Only local CA certs can
>>> be used for checking certificates. CAs like CAcert.org cannot be used.
>>
>> Could you explain why?
>
> I really don't know why. This is what I read here:
> http://www.opensc-project.org/doc/pam_pkcs11/pam_pkcs11.html#configfile
>
> ****************
>
> NOTE: Due to OpenSSL library limitations, CA entries must reside in the
> local file system, and cannot be accessed from a remote server. So
> although user auth can be done in a remote way, certificate validation
> must be done locally.
>
> *****************

The text was not clear. CA is in fact the CA root certificate. I tried to
fix that in revision 493.

> CA entries means 'hash files', right?

Hash file and the certificate pointed to by the hash file.

> All this is not very clear.

The problem is not whether the CA (certification authority) is online or
not. The "problem" is that the CA root certificate must be on the local
file system. pam_pkcs11 does not reuse CA root certificates from Firefox
or from anywhere else. Maybe that could be an evolution.

I also note that the CAcert root CA is using PEM format and my root CA is
in DER. Convert class3.crt from PEM to DER and try again.

Bye

--
Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
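The two practical points in this exchange, the local CA directory with its hash links and the PEM/DER question, are easiest to see with a throwaway PKI. The script below is an added example and is not code from pam_pkcs11, OpenSC or anyone in the thread. It builds a self-signed test root CA and a user certificate (constructed data), creates the subject-hash links that OpenSSL's hash-directory lookup expects (the layout c_rehash produces; whether pkcs11_make_hash_link differs in detail is left as the thread leaves it), verifies the user certificate against that directory with the openssl CLI, and converts the root certificate from PEM to DER while checking that the SHA-256 fingerprint is unchanged, which is the check to run after any format conversion. It assumes only that the openssl command-line tool is installed; paths, names and the config file are the example's own.

```shell
#!/bin/sh
# Added example for the pam_pkcs11 CA-directory discussion; not project code.
# Creates a test CA directory with OpenSSL subject-hash links, verifies a user
# certificate against it, and converts a PEM root certificate to DER with a
# fingerprint check. Requires the openssl CLI; all certificates are generated
# here (constructed test data).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# Create a self-signed root CA in $1/cacerts and a user certificate signed by
# it in $1. The config file is the example's own, not a pam_pkcs11 file.
make_test_pki() {
  dir=$1
  mkdir -p "$dir/cacerts"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/cacerts/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=alice" -newkey rsa:2048 \
    -nodes -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
  openssl x509 -req -in "$dir/alice.csr" -CA "$dir/cacerts/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 -out "$dir/alice.pem" 2>/dev/null
}

# Link every PEM certificate in $1 as <subject_hash>.N, the naming the OpenSSL
# hash-directory lookup uses. N increments on a hash collision, and re-running
# the function does not create a second link for the same file.
make_hash_links() {
  dir=$1
  for cert in "$dir"/*.pem; do
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do
      [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ] && break
      n=$((n + 1))
    done
    ln -sf "$(basename "$cert")" "$dir/$hash.$n"
  done
}

# Succeed only if certificate $2 chains to a CA found through hash directory $1.
verify_against_dir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Report PEM when the file carries the PEM armour line, otherwise DER.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Convert PEM certificate $1 to DER file $2, then confirm both carry the same
# SHA-256 fingerprint: the encoding changed, the certificate did not.
pem_to_der() {
  openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
  pem_fp=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256)
  der_fp=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256)
  [ "$pem_fp" = "$der_fp" ]
}

main() {
  work=${1:-$(mktemp -d)}
  make_test_pki "$work"
  make_hash_links "$work/cacerts"
  ls -l "$work/cacerts"
  verify_against_dir "$work/cacerts" "$work/alice.pem"
  echo "alice.pem verifies against $work/cacerts"
  pem_to_der "$work/cacerts/ca.pem" "$work/ca.der"
  echo "ca.der is $(cert_format "$work/ca.der") with the same fingerprint as ca.pem"
}

main "$@"
```

Run it with no arguments to work in a fresh temporary directory, or pass a directory as the first argument. The `ls -l` output shows the `<hash>.0` link beside `ca.pem`; that link, not the file name, is what the hash-directory lookup resolves, which is why a CA certificate copied into the directory without running the hash-link tool is silently ignored.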