author Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-11-10 11:23:24 +0100
committer Nikos Mavrogiannopoulos <nmav@gnutls.org> 2013-11-10 11:23:24 +0100
commit f3c87e9cc5759bd892901c2ac2eb7ce77a18799b (patch)
tree 33ee9796460d1a37f920384f6005639438208dbc /doc
parent 1092d71ee84f1928272fc67c94e69e9b4374796e (diff)
doc update
Diffstat (limited to 'doc')
-rw-r--r-- doc/invoke-gnutls-cli.texi 33
1 files changed, 32 insertions, 1 deletions
diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi
index 6abb5254c8..dcf277be6c 100644
--- a/doc/invoke-gnutls-cli.texi
+++ b/doc/invoke-gnutls-cli.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi)
#
-# It has been AutoGen-ed November 9, 2013 at 01:12:16 PM by AutoGen 5.18
+# It has been AutoGen-ed November 10, 2013 at 11:23:08 AM by AutoGen 5.18
# From the definitions ../src/cli-args.def
# and the template file agtexi-cmd.tpl
@end ignore
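Review bot: The header in this hunk marks invoke-gnutls-cli.texi as "DO NOT EDIT" and generated from ../src/cli-args.def, so the new documentation text has to originate in that definitions file. The diffstat here is limited to 'doc', so please confirm the same commit updates cli-args.def; otherwise the next AutoGen run will silently drop the added section. The regenerated timestamp line is also pure churn and will show up in every such diff.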
@@ -289,3 +289,34 @@ Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
@end example
+
+@subheading Connecting using a PKCS #11 token
+To connect to a server using a certificate and a private key present in a PKCS #11 token you
+need to substitute the PKCS 11 URLs in the x509certfile and x509keyfile parameters.
+
+Those can be found using "p11tool --list-tokens" and then listing all the objects in the
+needed token, and using the appropriate.
+@example
+$ p11tool --list-tokens
+
+Token 0:
+URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
+Label: Test
+Manufacturer: EnterSafe
+Model: PKCS15
+Serial: 1234
+
+$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"
+
+Object 0:
+URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert
+Type: X.509 Certificate
+Label: client
+ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
+
+$ export MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert"
+$ export MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=private"
+
+$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile MYCERT
+@end example
+Notice that the private key only differs from the certificate in the object-type.
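Review bot: The final command in the example passes "--x509certfile MYCERT" without the "$", so gnutls-cli receives the literal string MYCERT instead of the PKCS #11 URL exported two lines earlier; it should read --x509certfile "$MYCERT", and quoting "$MYKEY" the same way would match the quoted URL given to p11tool above. Three smaller points in the same hunk: the sentence ending "and using the appropriate." stops short of saying what is appropriate (presumably the object URL), "PKCS 11" in the first paragraph should be "PKCS #11" to match the subheading, and the sample p11tool output shows manufacturer=MyMan in the URL but "Manufacturer: EnterSafe" in the field list, which will confuse readers trying to match the URL attributes to the token fields.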