read cert from smart card

David Woodhouse dwmw2 at
Wed Feb 24 13:00:48 UTC 2016

On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
> I completely understand what you say now. I wil contact with TUBITAK
> on that why i  .
> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32


OK, so you have two certificates in your device, and it's given you the
*full* PKCS#11 URI for each of them. Note that you don't have to use
the full URI to specify it — you only need enough to be unique. Which
is why you could specify the token by only its serial number; you
didn't need to include the messy model/manufacturer/token fields too.

Likewise, it looks like you can specify your certificates/keys by only
their label (the object=xxx part), and don't need to specify the ID.

A simple PKCS#11 URI you can use with OpenConnect is either

(Because of the semicolon, make sure you put it in quotes on the
OpenConnect command line).

If you compare with your p11tool output, you'll note that each partial
URI above actually matches one than one object. When OpenConnect
automatically adds ';type=cert' it gets the X.509 certificate, and when
it adds 'type=private' it gets the corresponding private key.

To work out *which* of those two cert+key pairs you need, either just
try each one, or you can inspect the certs by running:

 p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
 p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text

If you are running on Fedora, at this point it is considered a bug for
*any* application which accepts certs in filenames, not to accept the
above PKCS#11 URIs instead of a filename. Please file bugs if you find
any such applications, and Cc me.

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list