read cert from smart card

David Woodhouse dwmw2 at
Thu Feb 25 08:45:11 UTC 2016

On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
> I don't understand why I export cert to file. I think device should
> block this action because this is my e-signature cert.

No, the non-exportable part is the private key. The certificate is
public, and declares that anyone who can prove that they have that
private key, is whoever is identified as the subject of the

If you go to secure web sites, you can inspect their *certificates* to
check who they are. That's kind of the point. What you can't get is
their matching private key.

And later...

On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
> Do I need specify 'type=private' to say 'use my private cert for user
> cert'?

No, OpenConnect needs to use *both* the certificate and the
corresponding private key. It will append ';type=cert' or
';type=private' to the URI you give it, as appropriate. Note that it
still isn't *exporting* the private key; it's using it in-place.

TBH if OpenSC is supposed to drive this card, I really think you're
better off pursuing that approach rather than persisting with the
broken proprietary PKCS#11 token.

Can you try
 opensc-tool -l
 opensc-tool --atr
 opensc-tool --name

as described in the 'Debugging OpenSC' link I gave you?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <>

More information about the p11-glue mailing list