...
Prepare CA
Prepare Yubikey
...
Install libraries that are later used
To set up the YubiKey, the yubico-piv-tool is used. It must be installed from source to work correctly. For the installation the following packages are needed:
...
```bash
git clone https://github.com/Yubico/yubico-piv-tool.git
cd yubico-piv-tool
autoreconf --install
./configure --disable-dependency-tracking
make
make install
```
...
Change default pins and management key of yubikey
Then prepare the PIV applet in the YubiKey NEO.
```bash
# Number of the YubiKey being prepared; used in the credential file names
YUBIKEYNUM=0
# 24 random bytes as 48 hex characters: the new PIV management key
key=$(dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"')
echo $key > yubikey$YUBIKEYNUM.key
# 6-digit PIN: random bytes printed as decimal, truncated to 6 digits
pin=$(dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"' | cut -c1-6)
echo $pin > yubikey$YUBIKEYNUM.pin
# 8-digit PUK: draw 8 bytes so that at least 8 decimal digits are always available
puk=$(dd if=/dev/random bs=1 count=8 2>/dev/null | hexdump -v -e '/1 "%u"' | cut -c1-8)
echo $puk > yubikey$YUBIKEYNUM.puk
# Replace the factory management key, then change the default PIN and PUK
yubico-piv-tool -a set-mgm-key -n $key
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
yubico-piv-tool -k $key -a change-puk -P 12345678 -N $puk
```
...
Generate RSA private keys for SSH Host CA
Then generate an RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy: they want to be able to extract the public key from the smartcard, and do that through the X.509 certificate.
```bash
openssl genrsa -out yubikey$YUBIKEYNUM-key.pem 2048
openssl req -new -x509 -batch -key yubikey$YUBIKEYNUM-key.pem -out yubikey$YUBIKEYNUM-cert.pem
```
...
Import keys to yubikey
You import the key and certificate to the PIV applet as follows:
```bash
yubico-piv-tool -k $key -a import-key -s 9c < yubikey$YUBIKEYNUM-key.pem
yubico-piv-tool -k $key -a import-certificate -s 9c < yubikey$YUBIKEYNUM-cert.pem
```
...
Extract public key
Extract the public key for the CA:
...