--- /opt/vyatta/share/perl5/Vyatta/OpenVPN/Config.pm.1 2016-04-24 15:46:03.327857667 +0200
+++ /opt/vyatta/share/perl5/Vyatta/OpenVPN/Config.pm 2016-04-24 16:04:34.805542602 +0200
@@ -30,6 +30,7 @@
 _tls_ca => undef,
 _tls_cert => undef,
 _tls_key => undef,
+ _tls_pkcs11 => undef,
 _tls_dh => undef,
 _tls_crl => undef,
 _tls_role => undef,
@@ -101,12 +102,14 @@
 $self->{_tls_ca} = $config->returnValue('tls ca-cert-file');
 $self->{_tls_cert} = $config->returnValue('tls cert-file');
 $self->{_tls_key} = $config->returnValue('tls key-file');
+ $self->{_tls_pkcs11_id} = $config->returnValue('tls pkcs11-id');
 $self->{_tls_dh} = $config->returnValue('tls dh-file');
 $self->{_tls_crl} = $config->returnValue('tls crl-file');
 $self->{_tls_role} = $config->returnValue('tls role');
 $self->{_tls_def} = (defined($self->{_tls_ca})
 || defined($self->{_tls_cert})
 || defined($self->{_tls_key})
+ || defined($self->{_tls_pkcs11_id})
 || defined($self->{_tls_crl})
 || defined($self->{_tls_role})
 || defined($self->{_tls_dh})) ? 1 : undef;
@@ -222,12 +225,14 @@
 $self->{_tls_ca} = $config->returnOrigValue('tls ca-cert-file');
 $self->{_tls_cert} = $config->returnOrigValue('tls cert-file');
 $self->{_tls_key} = $config->returnOrigValue('tls key-file');
+ $self->{_tls_pkcs11_id} = $config->returnOrigValue('tls pkcs11-id');
 $self->{_tls_dh} = $config->returnOrigValue('tls dh-file');
 $self->{_tls_crl} = $config->returnOrigValue('tls crl-file');
 $self->{_tls_role} = $config->returnOrigValue('tls role');
 $self->{_tls_def} = (defined($self->{_tls_ca})
 || defined($self->{_tls_cert})
 || defined($self->{_tls_key})
+ || defined($self->{_tls_pkcs11_id})
 || defined($self->{_tls_crl})
 || defined($self->{_tls_role})
 || defined($self->{_tls_dh})) ? 1 : undef;
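Review bot: The attribute added to the constructor's default list in the first hunk is `_tls_pkcs11`, while the two setup hunks on this same line and every later hunk of the change read and write `_tls_pkcs11_id`, so the default never covers the key that is actually used and the `_tls_pkcs11` slot is dead. Perl autovivifies the key on assignment, so nothing fails at runtime, but the default list is presumably what documents the object's fields and it is now out of step with the rest of the patch. The line should read `_tls_pkcs11_id => undef,`.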
@@ -376,6 +381,7 @@
 return 1 if ($this->{_tls_ca} ne $that->{_tls_ca});
 return 1 if ($this->{_tls_cert} ne $that->{_tls_cert});
 return 1 if ($this->{_tls_key} ne $that->{_tls_key});
+ return 1 if ($this->{_tls_pkcs11_id} ne $that->{_tls_pkcs11_id});
 return 1 if ($this->{_tls_dh} ne $that->{_tls_dh});
 return 1 if ($this->{_tls_crl} ne $that->{_tls_crl});
 return 1 if ($this->{_tls_role} ne $that->{_tls_role});
@@ -426,6 +432,7 @@
 return 1 if ($this->{_tls_ca} ne $that->{_tls_ca});
 return 1 if ($this->{_tls_cert} ne $that->{_tls_cert});
 return 1 if ($this->{_tls_key} ne $that->{_tls_key});
+ return 1 if ($this->{_tls_pkcs11_id} ne $that->{_tls_pkcs11_id});
 return 1 if ($this->{_tls_dh} ne $that->{_tls_dh});
 return 1 if ($this->{_tls_crl} ne $that->{_tls_crl});
 return 1 if ($this->{_tls_role} ne $that->{_tls_role});
@@ -706,19 +713,27 @@
 if ($hdrs != 0);
 $cmd .= " --ca $self->{_tls_ca}";
- return (undef, 'Must specify "tls cert-file"')
- if (!defined($self->{_tls_cert}));
- $hdrs = checkHeader("-----BEGIN CERTIFICATE-----", $self->{_tls_cert});
- return (undef, "Specified cert-file \"$self->{_tls_cert}\" is not valid")
- if ($hdrs != 0);
- $cmd .= " --cert $self->{_tls_cert}";
-
- return (undef, 'Must specify "tls key-file"')
- if (!defined($self->{_tls_key}));
- $hdrs = checkHeader("-----BEGIN (?:RSA )?PRIVATE KEY-----", $self->{_tls_key});
- return (undef, "Specified key-file \"$self->{_tls_key}\" is not valid")
- if ($hdrs != 0);
- $cmd .= " --key $self->{_tls_key}";
+ if (defined($self->{_tls_pkcs11_id})) {
+ return (undef, 'Must specify "tls pkcs11-id"')
+ if (!defined($self->{_tls_pkcs11_id}));
+ return (undef, "Specified pkcs11-id \"$self->{_tls_pkcs11_id}\" is not valid")
+ if (!defined($self->{_tls_pkcs11_id}));
+ $cmd .= " --pkcs11-id $self->{_tls_pkcs11_id}";
+ } else {
+ return (undef, 'Must specify "tls cert-file"')
+ if (!defined($self->{_tls_cert}));
+ $hdrs = checkHeader("-----BEGIN CERTIFICATE-----", $self->{_tls_cert});
+ return (undef, "Specified cert-file \"$self->{_tls_cert}\" is not valid")
+ if ($hdrs != 0);
+ $cmd .= " --cert $self->{_tls_cert}";
+
+ return (undef, 'Must specify "tls key-file"')
+ if (!defined($self->{_tls_key}));
+ $hdrs = checkHeader("-----BEGIN (?:RSA )?PRIVATE KEY-----", $self->{_tls_key});
+ return (undef, "Specified key-file \"$self->{_tls_key}\" is not valid")
+ if ($hdrs != 0);
+ $cmd .= " --key $self->{_tls_key}";
+ }
 if (defined($self->{_tls_crl})) {
 $hdrs = checkHeader("-----BEGIN X509 CRL-----", $self->{_tls_crl});