Hi,

If the ID of a certificate on a Smartcard starts with a zero (0x00), it cannot be selected with the certid option because the PKINIT plugin converts the input internally into an OpenSSL BIGNUM and the leading 0x00 is lost.

According to http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959712 CKA_ID is a byte array which is 'an arbitrary string (array) of CK_BYTEs' which is defined as 'unsigned char' without any restrictions. If I understand it correctly, this allows a leading 0x00 in CKA_ID.

Please find attached a patch which replaces the BIGNUM based solution with a byte-by-byte parsing of the cert_id_str. The second patch contains some tests for the new function I added. For simplicity I added them to pkinit_kdf_test; please let me know if you prefer to have an extra binary for this.

bye,
Sumit
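
The behaviour reported above, as an added example that is neither the attached patch nor krb5 code: a hex ID parsed byte by byte keeps its leading 0x00, while an integer round trip does not. The function names and the sample ID "0001a2" are assumptions, and `parse_id_as_integer` is a stand-in that models a big number's minimal big-endian encoding without calling OpenSSL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Byte-by-byte parse: each pair of hex digits becomes one byte, so leading
 * 0x00 bytes survive. Returns the byte count, or -1 on empty input, odd
 * length, a non-hex character, or an output buffer that is too small. */
int parse_id_bytes(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex), i;
    if (n == 0 || n % 2 != 0 || n / 2 > outlen)
        return -1;
    for (i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Stand-in for the integer round trip (no OpenSSL needed): a big number
 * serialises as its minimal big-endian form, dropping leading zero bytes. */
int parse_id_as_integer(const char *hex, unsigned char *out, size_t outlen)
{
    int len = parse_id_bytes(hex, out, outlen), skip = 0;
    if (len < 0)
        return -1;
    while (skip < len && out[skip] == 0)
        skip++;
    memmove(out, out + skip, (size_t)(len - skip));
    return len - skip;
}

int main(void)
{
    unsigned char buf[8];   /* "0001a2" is a constructed sample ID */
    printf("bytes: %d, integer: %d\n", parse_id_bytes("0001a2", buf, sizeof(buf)),
           parse_id_as_integer("0001a2", buf, sizeof(buf)));
    return 0;
}
```

A length-and-content comparison against a three-byte CKA_ID of 00 01 a2 succeeds only for the byte-by-byte result, since the integer form yields two bytes.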