On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
> I completely understand what you say now. I will contact with TUBITAK
> on that why i  .
> 
> mithat@adige:/etc/pkcs11/modules$ p11tool --list-all --login 
> pkcs11:serial=0036218D34081A32

...

OK, so you have two certificates in your device, and it's given you the
*full* PKCS#11 URI for each of them. Note that you don't have to use
the full URI to specify it — you only need enough to be unique. Which
is why you could specify the token by only its serial number; you
didn't need to include the messy model/manufacturer/token fields too.

Likewise, it looks like you can specify your certificates/keys by only
their label (the object=xxx part), and don't need to specify the ID.

A simple PKCS#11 URI you can use with OpenConnect is either
 pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
or
 pkcs11:serial=0036218D34081A32;object=62917107586NES0

(Because of the semicolon, make sure you put it in quotes on the
OpenConnect command line).

If you compare with your p11tool output, you'll note that each partial
URI above actually matches more than one object. When OpenConnect
automatically adds ';type=cert' it gets the X.509 certificate, and when
it adds 'type=private' it gets the corresponding private key.

To work out *which* of those two cert+key pairs you need, either just
try each one, or you can inspect the certs by running:

 p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
or
 p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text


If you are running on Fedora, at this point it is considered a bug for
*any* application which accepts certs in filenames, not to accept the
above PKCS#11 URIs instead of a filename. Please file bugs if you find
any such applications, and Cc me.

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/p11-glue
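
Added example (not part of the original message, and not OpenConnect or p11tool code): a small Python model of the RFC 7512 attribute matching described above, showing why the short URI matches two objects until a type is appended, and why the serial alone is not enough to pick a certificate. The model, manufacturer, token and id values are constructed placeholders; only the serial and the two object labels come from the message.

```python
from urllib.parse import unquote

def parse_pkcs11_uri(uri):
    """Split the path of an RFC 7512 'pkcs11:' URI into {attribute: value}."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # query part (e.g. pin-source) is not a match attribute
    attrs = {}
    for pair in filter(None, path.split(";")):
        name, sep, value = pair.partition("=")
        if not sep or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {pair!r}")
        attrs[name] = unquote(value)  # values may be percent-encoded
    return attrs

def matching(uri, objects):
    """Objects that agree with every attribute the URI names; others are wildcards."""
    want = parse_pkcs11_uri(uri)
    return [o for o in objects if all(o.get(k) == v for k, v in want.items())]

def resolve(uri, kind, objects):
    """Append ';type=<kind>' as described in the message and demand a unique match."""
    found = matching(f"{uri};type={kind}", objects)
    if len(found) != 1:
        raise LookupError(f"{len(found)} objects match; add more attributes")
    return found[0]

# Constructed token contents. Only the serial and the two labels come from the
# message; model, manufacturer, token and id are placeholder assumptions.
TOKEN = {"serial": "0036218D34081A32", "model": "EXAMPLE-MODEL",
         "manufacturer": "EXAMPLE-VENDOR", "token": "EXAMPLE-TOKEN"}
OBJECTS = [dict(TOKEN, object=label, id=obj_id, type=kind)
           for label, obj_id in (("62917107586SIGN0", "\x01"),
                                 ("62917107586NES0", "\x02"))
           for kind in ("cert", "private")]

if __name__ == "__main__":
    short = "pkcs11:serial=0036218D34081A32;object=62917107586NES0"
    print(len(matching(short, OBJECTS)), "objects match the short URI")
    for kind in ("cert", "private"):
        print(kind, "->", resolve(short, kind, OBJECTS))
    try:
        resolve("pkcs11:serial=0036218D34081A32", "cert", OBJECTS)
    except LookupError as err:
        print("serial alone is ambiguous:", err)
```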