SparkLabs Forum.

Community Help.


Viscosity 1.7.3 - Unable to connect using PKCS#11smartcard

This is in my viscosity log:

Code: Select all

2017-08-15 14:40:20: State changed to Disconnecting
2017-08-15 14:40:20: PKCS#11: Cannot get certificate object
2017-08-15 14:40:20: PKCS#11: Cannot get certificate object
2017-08-15 14:40:20: PKCS#11: Unable get evp object
2017-08-15 14:40:20: Cannot load certificate “piv_II/PKCS\x2315\x20emulated/11ae9ca882ee83de/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/01” using PKCS#11 interface
2017-08-15 14:40:20: SIGHUP[hard,close_context usr1 to hup] received, process restarting


I can access the smartcard if I do it manually.

Code: Select all

$ openvpn --show-pkcs11-ids /usr/local/lib/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=Trevor Bernard
       ...


I always get the "Please enter your PKCS#11 token or smartcard to use for authentication... I can never get past that dialog.

Best,
Trevor
Hi Trevor,

Listing the available certificates on a device is a good way of testing whether the PKCS#11 driver is being loaded, however it does not tested actually retrieving the certificate from the device or using it for signing.

Judging by the error message I would guess either the serial-id does not match a certificate on the device, or the certificate is stored in a manner that can't be used by OpenVPN/OpenSC (e.g. if it has an unsupported key size, unsupported character in a certificate field, etc.). If you have entered the serial-id manually please be aware that certain characters have to be escaped.

I would suggest trying the following options:

1. Under the Authentication tab when editing your connection in Viscosity try selecting the "Prompt for certificate name" option and click Save. Try and connect your connection and see if Viscosity correctly prompts you for the correct PKCS#11 certificate to use.

2. If that fails, try selecting the "Use certificate name below" option instead and click the "Detect" button. Save the entered serial ID and try and connect.

3. I'd also recommend using the direct path to the OpenSC PKCS#11 driver, which is "/Library/OpenSC/lib/opensc-pkcs11.so", as this avoids the potential for any soft-link issues.

Cheers,
James
2 posts Page 1 of 1

Copyright © 2016 SparkLabs Pty Ltd. All Rights Reserved. Privacy Policy