> You can't tell me that (Aladdin/Safenet) eTokens are exotic...

It's not about the token itself, but how the keys and certificates are deployed on it.

> What might make the difference is, that the certificates are written
> with Windows CAPI and not using pkcs#11, but this is also not very
> exotic.

That's probably the problem. If you generate keys with PKCS#11 on the token, you always get a keypair. This might be different with CAPI, or at least with your software.

> If you give me a few hints where to start I might be able to provide a
> patch.

I'll have a look at it next week, shouldn't be too hard to implement this fallback.

> I have two certificates with the same subject (different usage (sign,
> encrypt). So is there a way to tell strongswan which certificate to use
> (I can't change the smartcard)?

No, currently not.

> And why is the private key found during "ipsec secrets", but not when I
> start the connection:

The loaded private key is later looked up using the computed fingerprint. Either the pkcs11 backend can't fingerprint the associated public key, or the fingerprints don't match.

Regards
Martin
