diff --git a/vpn/openconnect/nm-openconnect-service.h b/vpn/openconnect/nm-openconnect-service.h
--- a/vpn/openconnect/nm-openconnect-service.h
+++ b/vpn/openconnect/nm-openconnect-service.h
@@ -36,6 +36,7 @@
 #define NM_OPENCONNECT_KEY_USERCERT "usercert"
 #define NM_OPENCONNECT_KEY_CACERT "cacert"
 #define NM_OPENCONNECT_KEY_PRIVKEY "userkey"
+#define NM_OPENCONNECT_KEY_PIN "pin"
 #define NM_OPENCONNECT_KEY_MTU "mtu"
 #define NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID "pem_passphrase_fsid"
 #define NM_OPENCONNECT_KEY_PROTOCOL "protocol"
diff --git a/vpn/openconnect/openconnectauth.cpp b/vpn/openconnect/openconnectauth.cpp
--- a/vpn/openconnect/openconnectauth.cpp
+++ b/vpn/openconnect/openconnectauth.cpp
@@ -83,6 +83,8 @@
 int cancelPipes[2];
 QList > serverLog;
 int passwordFormIndex;
+ bool isPinProvided;
+ bool isPrivKeyPkcs11;
 enum LogLevels {Error = 0, Info, Debug, Trace};
 };
@@ -97,6 +99,8 @@
 d->ui.setupUi(this);
 d->userQuit = false;
 d->formGroupChanged = false;
+ d->isPrivKeyPkcs11 = false;
+ d->isPinProvided = false;
 if (pipe2(d->cancelPipes, O_NONBLOCK|O_CLOEXEC)) {
 // Should never happen. Just don't do real cancellation if it does
@@ -155,6 +159,15 @@
 const NMStringMap dataMap = d->setting->data();
+ if (!dataMap[NM_OPENCONNECT_KEY_PIN].isEmpty()) {
+ d->isPinProvided = true;
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_PRIVKEY].isEmpty()) {
+ QString pk = dataMap[NM_OPENCONNECT_KEY_PRIVKEY];
+ if (pk.startsWith("pkcs11:")) {
+ d->isPrivKeyPkcs11 = true;
+ }
+ }
 if (!dataMap[NM_OPENCONNECT_KEY_GATEWAY].isEmpty()) {
 const QString gw = dataMap[NM_OPENCONNECT_KEY_GATEWAY];
 VPNHost host;
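Review bot: The two new flags in the private struct (`isPinProvided`, `isPrivKeyPkcs11`) are declared without an initialiser and only become defined through the two assignments added in the @@ -97 hunk, which couples the field's invariant to a constructor elsewhere in the file. A default member initialiser keeps it in one place: `bool isPinProvided = false;` and `bool isPrivKeyPkcs11 = false;`, after which the two `d->... = false;` lines in @@ -97 are redundant. Whether this translation unit is already built as C++11 or later is not visible here; if it is not, the constructor assignments are the right form and this is only a note. The struct's opening line is outside the hunk.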
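Review bot: In the @@ -155 hunk the token PIN is read from `d->setting->data()`, the same non-secret map that holds the gateway and the certificate/key paths, so if that map is persisted the way those keys are, the PIN ends up stored in cleartext alongside the connection instead of through the secrets path the plugin uses for passwords. Unless cleartext storage is intended, the value should come from the setting's secrets map (`secrets()`) with the key flagged as a secret; at minimum the new `NM_OPENCONNECT_KEY_PIN` define in the header deserves a comment such as `/* stored as plain connection data, not as a secret */` so the trade-off is explicit. The `pk` local can be `const QString`, and since `startsWith` on an empty string is already false the whole second block reduces to `d->isPrivKeyPkcs11 = dataMap[NM_OPENCONNECT_KEY_PRIVKEY].startsWith("pkcs11:");`. The enclosing function starts and ends outside the hunk.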
@@ -186,7 +199,13 @@
 }
 if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) {
 const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]);
- const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]);
+ QString rawkey = dataMap[NM_OPENCONNECT_KEY_PRIVKEY];
+ if (d->isPinProvided && d->isPrivKeyPkcs11) {
+ QString pin = dataMap[NM_OPENCONNECT_KEY_PIN];
+ rawkey = QString("%1;pin-value=%2").arg(rawkey).arg(pin);
+ }
+ const QByteArray key = QFile::encodeName(rawkey);
+
 openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data()));
 if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") {
@@ -375,6 +394,10 @@
 pair.second = OpenconnectAuthWidgetPrivate::Trace;
 break;
 }
+ if (pair.second >= OpenconnectAuthWidgetPrivate::Debug && d->isPinProvided && d->isPrivKeyPkcs11) {
+ // mask pin in log
+ pair.first = pair.first.replace(QRegExp("pin-value=[0-9]+"),"pin-value=XXXXXXXX");
+ }
 if (pair.second <= d->ui.cmbLogLevel->currentIndex()) {
 d->ui.serverLog->append(pair.first);
 }
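Review bot: The PIN is spliced into the PKCS#11 URI without any encoding, so a PIN containing URI-reserved characters (`;`, `?`, `&`, `%`, whitespace) corrupts the key URI handed to `openconnect_set_client_cert`, and RFC 7512 defines `pin-value` as a query attribute introduced by `?`, so the `;pin-value=` form relies on the backend accepting the older semicolon syntax and on the stored URI having no query part already — plausible for OpenConnect/GnuTLS, but not checked here. Percent-encoding the value keeps arbitrary PINs intact: `rawkey = QString("%1;pin-value=%2").arg(rawkey).arg(QString::fromLatin1(QUrl::toPercentEncoding(pin)));` (QUrl may need an include). Worth a one-line comment above the block that `pin` and `rawkey` hold the PIN in plain QString copies that are not wiped after use. The enclosing function starts and ends outside the hunk.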
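Review bot: In the @@ -375 hunk the masking regex `pin-value=[0-9]+` only hides all-digit PINs, so a PIN with letters or symbols is appended to the visible server log unchanged, and the `pair.second >= Debug` gate means that if the URI is ever echoed in an Info or Error message it is not masked at all. Match up to the next URI delimiter and drop the level gate: `if (d->isPinProvided && d->isPrivKeyPkcs11) {` / `pair.first.replace(QRegExp("pin-value=[^;?&\\s]+"), "pin-value=XXXXXXXX");` — `QString::replace` mutates in place and returns `*this`, so the `pair.first = pair.first.replace(...)` self-assignment is redundant. The enclosing function starts and ends outside the hunk.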