Description of problem: pkcs11-helper uses a custom format to specify objects in a token. However, in Fedora we use the standardized (RFC7512) PKCS #11 URLs to specify objects in tokens across applications [0], It seems that pkcs11-helper is one of the last PKCS #11 helper libraries which doesn't support these URLs, creating islands of applications which don't understand them. There is already a patch to upstream: https://github.com/OpenSC/pkcs11-helper/issues/5 [0]. https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling
Actually I think I already fixed this as bug 1173554. I'm not sure we've got to the point where OpenVPN actually *works* yet though. OpenSC still craps itself on fork, p11-kit-proxy still deadlocks, and pkcs11-helper still violates POSIX by doing forbidden things from an atfork handler. *** This bug has been marked as a duplicate of bug 1173554 ***