...
```bash
apt-get install autoconf automake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man
# if not already installed
apt-get install git build-essential
```
Install the tool:
```bash
git clone https://github.com/Yubico/yubico-piv-tool.git
cd yubico-piv-tool
autoreconf --install
./configure --disable-dependency-tracking
make
make install
```
...
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
mkdir -p $PATH_TO_CERTIFICATE
# Export the public key of the CA key held on the YubiKey. If the token exposes
# more than one key, ssh-keygen prints all of them; keep only the CA key in this
# file, because ssh-keygen -s uses the first key it reads from it.
ssh-keygen -D $PATH_TO_YKCS11 -e > $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
```
Sign server's RSA key
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
    -I server_name \
    -h \
    -n server.netdef.org \
    -V +52w \
    /etc/ssh-ca/ssh_host_rsa_key.pub
```
...
- -D $PATH_TO_YKCS11
  - Loads the PKCS#11 provider (libykcs11) through which ssh-keygen talks to the YubiKey. The CA private key never leaves the token; ssh-keygen prompts for the YubiKey PIN when it signs.
- -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
  - Selects the CA key. Because -D is given, this is the public key exported from the YubiKey in the previous step, not a private key file and not a certificate; ssh-keygen uses it to find the matching private key on the token.
- -I server_name
  - The key identifier to include in the certificate. It is a free-form string, so choose one that identifies the host (or, for user certificates, the key's owner).
- -h
  - Generate a host certificate (instead of a user certificate).
- -n server.netdef.org
  - The principal names to include in the certificate.
  - For host certificates this is a list of all names the system is known by; a client only accepts the certificate if the name it connected to is listed.
  - Note: Use unqualified names carefully in organizations where hostnames are not unique (ca.netdef.org vs. ca.dev.netdef.org).
- -V +52w
  - The validity period.
  - For host certificates you will probably want them fairly long lived.
  - This setting makes the certificate valid from now until 52 weeks hence.
- /etc/ssh-ca/ssh_host_rsa_key.pub
  - The path to the host RSA public key to sign.
  - Our signed host key certificate will be /etc/ssh-ca/ssh_host_rsa_key-cert.pub.
Sign client's RSA key
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D $PATH_TO_YKCS11 -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
    -I client_name \
    -n root \
    -V +24h \
    /etc/ssh-ca/id_rsa.pub
```

Without -h this is a user certificate. Here -n root lists the account name(s) on the server that the holder of this key may log in as, and -V +24h keeps the certificate short lived, so a lost client key stops working on its own within a day. The signed certificate is written next to the public key as /etc/ssh-ca/id_rsa-cert.pub.
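The two signing commands above, run end to end and followed by an inspection of what was actually signed, as an added example that is not part of the original page. When the script's own variables PATH_TO_YKCS11 and CA_PUB (the public key exported from the token with ssh-keygen -D) are set, the CA key on the YubiKey is used exactly as on the page; otherwise a throwaway file-based CA key stands in so the script runs without a token. The keys being signed are generated on the fly here; on a real host you would point it at the existing host key and user key. It assumes ssh-keygen is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original page: run the page's two signing
# commands end to end and inspect the resulting certificates. With
# PATH_TO_YKCS11 and CA_PUB set, the CA key on the YubiKey is used as on the
# page; otherwise a throwaway file-based CA key stands in (assumption: no token).
# Assumes ssh-keygen is on PATH.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign <pubkey> <certificate options...>: ssh-keygen writes the certificate
# next to the input as <name>-cert.pub.
sign() {
    pub=$1; shift
    if [ -n "${PATH_TO_YKCS11:-}" ]; then
        # CA private key stays on the token; -s names its exported public key
        ssh-keygen -q -D "$PATH_TO_YKCS11" -s "${CA_PUB:?set CA_PUB to the exported token key}" "$@" "$pub"
    else
        ssh-keygen -q -s "$WORK/ca" "$@" "$pub"
    fi
}

# Field extractors over "ssh-keygen -L -f <cert>" output.
cert_kind() {        # "host certificate" or "user certificate"
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF-1), $NF; exit }'
}
cert_key_id() {      # the -I value
    ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}
cert_principals() {  # the -n values, one per line
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ { p = 1; next } /^ *[A-Z][A-Za-z ]*:/ { p = 0 } p { print $1 }'
}
cert_signing_ca() {  # SHA256 fingerprint of the CA key embedded in the certificate
    ssh-keygen -L -f "$1" | sed -n 's/^ *Signing CA: [A-Z0-9-]* \(SHA256:[^ ]*\).*/\1/p'
}
key_fingerprint() {  # SHA256 fingerprint of a public key file (first key only)
    ssh-keygen -l -f "$1" | awk 'NR == 1 { print $2 }'
}

# Keys to be signed (constructed here; on a real host use the existing keys).
if [ -z "${PATH_TO_YKCS11:-}" ]; then
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$WORK/ca"   # stand-in for the YubiKey
    CA_PUB="$WORK/ca.pub"
fi
ssh-keygen -q -t rsa -b 2048 -N '' -f "$WORK/ssh_host_rsa_key"
ssh-keygen -q -t rsa -b 2048 -N '' -f "$WORK/id_rsa"

sign "$WORK/ssh_host_rsa_key.pub" -I server_name -h -n server.netdef.org -V +52w
sign "$WORK/id_rsa.pub"           -I client_name    -n root              -V +24h
HOST_CERT="$WORK/ssh_host_rsa_key-cert.pub"
USER_CERT="$WORK/id_rsa-cert.pub"

ssh-keygen -L -f "$HOST_CERT"
ssh-keygen -L -f "$USER_CERT"

# Each certificate carries the CA public key; it must be the one exported from the token.
for c in "$HOST_CERT" "$USER_CERT"; do
    [ "$(cert_signing_ca "$c")" = "$(key_fingerprint "$CA_PUB")" ] ||
        { echo "$c was not signed by the CA key in $CA_PUB" >&2; exit 1; }
done
```

The fingerprint comparison at the end is the check worth keeping in a real workflow: it proves the certificate was produced by the key you exported from the YubiKey rather than by whatever key ssh-keygen happened to pick first, and `ssh-keygen -L` is also the quickest way to confirm that -h, -n and -V produced the type, principals and validity window you intended before the certificate is installed.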
...