We ship p11-kit which gives PKCS#11 modules such as OpenSC a a simple way to register themselves with the system and be automatically visible to applications. With well-behaved applications, the device (and objects therein) will Just Work™. It's as simple as installing the OpenSC (or whatever) package, and plugging the device in. And then they appear in the seahorse GUI, can be queried with p11tool, can be used with applications like the OpenConnect VPN client by using standard PKCS#11 URIs. Well-behaved applications should: - Use the p11-kit-configured set of modules instead of having to be explicitly told which provider module to use (defaulting to p11-kit-proxy.so as the provider is a simple way to fix this). - Use standard PKCS#11 URIs as described in https://tools.ietf.org/html/draft-pechanec-pkcs11uri-16 instead of their own non-standard form (engine_pkcs11, pkcs11_helper thus OpenVPN). - Allow the use of PKCS#11 objects in all cases that a file can be used for a certificate and/or key.
PKCS #11 URLs is now a standard's track RFC: http://www.rfc-editor.org/rfc/rfc7512.txt
Closing tracker as everything tracked is complete.