Description of problem:
The command line openconnect client permits using a hardware pkcs11 token.
It would be nice if the GUI for NetworkManager permitted setting this as well.
My example use is with a Yubikey.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Try to configure NetworkManager-openconnect to use a hardware pkcs11 token
Actual results:
No way to set usage of a hardware token
Expected results:
Able to set hardware token.
Additional info:
openconnect -c 'pkcs11:manufacturer=piv_II' myvpn.example.com
NetworkManager-openconnect already works fine, if a PKCS#11 URI is given as the certificate/key. But last time I looked, you needed to set that manually by editing the config file — even nmcli didn't work right for using PKCS#11 URIs as keys, as it wrongly filtered for *filenames*.
Assigning to NetworkManager. Not sure of the current status but here are some older upstream bugs which are/were relevant, and I think nmcli has at least been fixed for 802.1x if not for all connection types:
It does seem to work with nmcli now, although it's slightly non-trivial as it's part of the 'vpn.data' field. You can see the current settings with 'nmcli con show MyVpn' then add the usercert field:
nmcli con modify MyVpn vpn.data 'usercert = pkcs11:manufacturer=piv_II;id=%01, authtype = cert, gateway = xxxx:xxxx:xxxx:xxxx::1, protocol = pulse, cookie-flags = 2, certsigs-flags = 0, xmlconfig-flags = 0, stoken_source = disabled, prevent_invalid_cert = no, autoconnect-flags = 0, gateway-flags = 2, gwcert-flags = 2, pem_passphrase_fsid = no, enable_csd_trojan = no, lasthost-flags = 0'
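The awkward part of the nmcli route above is that vpn.data is one comma-separated string of "key = value" pairs, so adding usercert means re-emitting every other entry by hand, and the PKCS#11 URI itself contains '=' and ';' that must not be split. As an added example (not code from this bug report, NetworkManager, nmcli or openconnect), the Python helper below parses the vpn.data string as nmcli prints it, sets usercert to a PKCS#11 URI plus authtype = cert, and builds the nmcli command with all other entries preserved. It assumes that the "key = value, key = value" layout shown by 'nmcli con show' is what 'nmcli con modify ... vpn.data' accepts back and that commas separate entries with no escaping; the connection name, gateway and sample data are constructed for the example.

```python
"""Edit the vpn.data field of a NetworkManager-openconnect connection.

Added example for this bug report, not code from NetworkManager, nmcli or
openconnect.  nmcli shows vpn.data as one string of "key = value" pairs
separated by commas, so adding a PKCS#11 URI means re-emitting the whole
string.  This helper splits, updates and re-joins it so the other entries
(gateway, protocol, the *-flags fields) are kept verbatim, and the '=' and
';' inside the URI survive intact.

Assumptions: the "key = value, key = value" layout printed by
'nmcli con show' is accepted back by 'nmcli con modify ... vpn.data', and a
comma is always an entry separator.  Connection name and sample data below
are constructed for the example.
"""
from typing import Dict, List


def parse_vpn_data(text: str) -> Dict[str, str]:
    """Split nmcli's vpn.data string into an (insertion-ordered) dict.

    Entries are separated by commas; each entry is split on its FIRST '='
    only, so a value that itself contains '=' (a PKCS#11 URI such as
    pkcs11:manufacturer=piv_II;id=%01) is kept unchanged.
    """
    data: Dict[str, str] = {}
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"vpn.data entry without '=': {entry!r}")
        key, value = entry.split("=", 1)
        data[key.strip()] = value.strip()
    return data


def format_vpn_data(data: Dict[str, str]) -> str:
    """Serialise back into the 'key = value, ...' form nmcli prints."""
    for key, value in data.items():
        # A raw comma would be read as an entry separator and corrupt the
        # field.  RFC 7512 permits percent-encoding any character in a
        # PKCS#11 URI, so a ',' in e.g. a token label must be written %2C.
        if "," in key or "," in value:
            raise ValueError(
                f"comma in vpn.data entry {key!r}: percent-encode it as %2C")
    return ", ".join(f"{k} = {v}" for k, v in data.items())


def with_pkcs11_cert(vpn_data: str, uri: str) -> str:
    """Return vpn_data with usercert set to uri and authtype = cert.

    Only usercert is set: as with 'openconnect -c <uri>' without -k, the
    private key is taken from the same PKCS#11 object when no separate
    userkey is configured.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"expected a PKCS#11 URI (RFC 7512), got {uri!r}")
    data = parse_vpn_data(vpn_data)
    data["usercert"] = uri
    data["authtype"] = "cert"
    return format_vpn_data(data)


def nmcli_modify_argv(connection: str, vpn_data: str) -> List[str]:
    """Argument vector for 'nmcli connection modify <name> vpn.data <str>'.

    Returned as a list so it can go straight to subprocess.run without shell
    quoting; this example only builds the command, it does not run it.
    """
    return ["nmcli", "connection", "modify", connection, "vpn.data", vpn_data]


# Constructed sample: the vpn.data row of 'nmcli con show MyVpn' for a Pulse
# connection that does not yet use a client certificate.
SAMPLE_VPN_DATA = (
    "gateway = vpn.example.com, protocol = pulse, cookie-flags = 2, "
    "certsigs-flags = 0, xmlconfig-flags = 0, stoken_source = disabled, "
    "prevent_invalid_cert = no, autoconnect-flags = 0, gateway-flags = 2, "
    "gwcert-flags = 2, pem_passphrase_fsid = no, enable_csd_trojan = no, "
    "lasthost-flags = 0"
)
# Yubikey PIV slot 9a, as in the reporter's openconnect example.
YUBIKEY_PIV_URI = "pkcs11:manufacturer=piv_II;id=%01"


if __name__ == "__main__":
    import shlex

    new_data = with_pkcs11_cert(SAMPLE_VPN_DATA, YUBIKEY_PIV_URI)
    print(shlex.join(nmcli_modify_argv("MyVpn", new_data)))
```

Running the script prints a complete 'nmcli connection modify MyVpn vpn.data ...' line with the original thirteen entries followed by usercert and authtype. nmcli versions that accept the '+' prefix on vpn.data let you skip the round trip entirely: nmcli con modify MyVpn +vpn.data 'usercert=pkcs11:manufacturer=piv_II;id=%01' +vpn.data 'authtype=cert' adds the two entries and leaves the rest untouched, which is the less error-prone way to do this by hand.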