
I am using `p11tool` on CentOS to read a PIV smart card. The card is being read via the coolkey package driver (using `libcoolkeypk11.so`, per `p11-kit list-modules`).

I can get a listing of the certs on there using

```
p11tool --list-all-certs 'pkcs11:model=;manufacturer=;serial=;token=CoolKey'
```

The list of certs only includes the URL, Type, Label, and ID. Using the GUI Smart Card Manager from the RedHat Enterprise Security Client (esc package, which requires coolkey (not opensc)), I can drill down to view certificate details, like the cert's serial number and fingerprints.

I tried `p11tool --info <certurl>` hoping that would provide the details, but that still only lists the four fields seen with `--list-all-certs`.

UPDATE: I also tried `openssl x509 -engine pkcs11 -keyform engine -text -in <certurl>` but that failed, with the message:

```
140067620280208:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('<certurl>','r')
```

How can I view those details using p11tool and/or other command line tools?

Randall
  • The `openssl` tool expects a file as parameter after the `-in` switch. You should export the certificate from the smart card into a file. – Johan Myréen Oct 06 '18 at 05:50
  • You need to have `opensc` installed, which gives you `pkcs15-tool` amongst others. Use it with the `--list-certificates` and `--list-certificate ` options. – garethTheRed Oct 06 '18 at 06:56
  • @garethTheRed. Thanks - CentOS is still using `coolkey`, not `opensc`. I'll need to look at whether installing `opensc` will create any conflicts or problems. – Randall Oct 09 '18 at 16:06

1 Answer

Using the `--export` flag was the key (Thanks for the tip, @Johan Myréen). Thus, to see the cert's details and fingerprints, this works:

```
p11tool --export <certurl> | openssl x509 -text -noout

p11tool --export <certurl> | openssl x509 -fingerprint -noout        # defaults to SHA1 fingerprint

p11tool --export <certurl> | openssl x509 -fingerprint -noout -md5   # for MD5 fingerprint
```

Randall
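The export-and-pipe approach from the answer above, extended to every certificate on the token, as an added example that is not part of the original post. It assumes a `p11tool` build that supports `--only-urls`; the function names are hypothetical, and it prints a SHA-256 fingerprint instead of the SHA-1 default.

```sh
#!/bin/sh
# Added example (not from the original post): summarise every certificate
# on a PKCS#11 token using p11tool and openssl.

# Read one PEM certificate on stdin; print subject, issuer, serial,
# expiry date and SHA-256 fingerprint.
cert_summary() {
    openssl x509 -noout -subject -issuer -serial -enddate -fingerprint -sha256
}

# $1 = token URL, e.g. 'pkcs11:model=;manufacturer=;serial=;token=CoolKey'
# (the URL used in the question).
# Returns 0 if every certificate was exported and parsed, 1 if any failed,
# 2 if the token could not be listed at all.
token_cert_report() {
    tcr_rc=0
    # --only-urls prints one object URL per line (assumed to be available
    # in the installed GnuTLS version).
    tcr_urls=$(p11tool --list-all-certs --only-urls "$1") || return 2
    while IFS= read -r tcr_url; do
        [ -n "$tcr_url" ] || continue
        printf '== %s\n' "$tcr_url"
        # </dev/null keeps p11tool from consuming the URL list on stdin.
        if ! p11tool --export "$tcr_url" </dev/null | cert_summary; then
            printf 'warning: cannot export or parse %s\n' "$tcr_url" >&2
            tcr_rc=1
        fi
    done <<EOF
$tcr_urls
EOF
    return "$tcr_rc"
}
```

Source the file and call `token_cert_report` with the token URL; a non-zero return means at least one object on the card did not yield a parsable certificate.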