...
To sign clients' public keys there is the script generate_client_certificate.sh to simplify the procedure.
The script has the following options:
- -g: takes a GitHub user name as an argument and generates a certificate for each key that user has stored on GitHub.
- -f: instead of the GitHub user name, provide a file that contains all the keys.
- -V: the validity period of a certificate in number of days. By default a certificate is valid for 7 days. A validity period of 0 means that the certificate is valid forever.
- -n: restricts the certificate to a list of principals (user names) that the client is allowed to log in as.
The output of generate_client_certificate.sh is a .tar archive that contains the certificate, the public key that is used to authenticate servers, as well as instructions to install the certificate on the client's machine. It is stored in the home directory under $HOME/signed_keys.
Sign hosts' public keys
To sign hosts' public keys there is the script generate_host_certificate.sh to simplify the procedure.
The script has the following options:
- -I: the HOST_ID of the server.
- -f: the file that contains all the keys.
- -V: the validity period of a certificate in number of days. By default a certificate is valid for 7 days. A validity period of 0 means that the certificate is valid forever.
- -n: restricts the certificate to a list of principals (host names) that the host is known by.
The output of generate_host_certificate.sh is the certificate HOST_ID-cert.pub, which needs to be copied to the host. It is stored in the home directory $HOME.
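Both scripts above are wrappers around ssh-keygen -s. The following is an added example, not the repository's generate_client_certificate.sh or generate_host_certificate.sh, showing how the -f, -V, -n and -I options map onto ssh-keygen arguments for both client and host certificates, and how to inspect the result with ssh-keygen -L before handing it out. The function names (sign_key, cert_type, cert_principals, cert_validity) are assumptions for illustration, and the CA key is a plain private-key file here rather than a YubiKey-backed PKCS#11 key.

```shell
#!/bin/sh
# Added example: the ssh-keygen calls behind the -f/-V/-n/-I options of the
# signing scripts. Function names are illustrative (assumed), not the
# repository's own code. Requires OpenSSH's ssh-keygen on PATH.
set -eu

# sign_key CA_KEY PUBKEY IDENTITY PRINCIPALS DAYS [user|host]
#   CA_KEY      private key of the CA (-s); with a YubiKey this would be the
#               PKCS#11-backed key instead of a file
#   PUBKEY      the public key to certify (the -f file in the scripts)
#   IDENTITY    key identity written into the certificate (-I)
#   PRINCIPALS  comma-separated principals (-n); empty = no restriction
#   DAYS        validity in days (-V); 0 = no -V option = valid forever
# ssh-keygen writes the certificate next to PUBKEY, stripping a trailing
# ".pub" and appending "-cert.pub"; that path is printed for the caller.
sign_key() {
    ca="$1"; pub="$2"; ident="$3"; principals="$4"; days="$5"; kind="${6:-user}"
    set -- -q -s "$ca" -I "$ident"
    if [ -n "$principals" ]; then
        set -- "$@" -n "$principals"
    fi
    if [ "$days" -ne 0 ]; then
        set -- "$@" -V "+${days}d"
    fi
    if [ "$kind" = host ]; then
        set -- "$@" -h          # host certificate instead of user certificate
    fi
    ssh-keygen "$@" "$pub"
    printf '%s\n' "${pub%.pub}-cert.pub"
}

# cert_type CERT -> the "Type:" line of ssh-keygen -L, e.g.
# "ssh-ed25519-cert-v01@openssh.com user certificate"
cert_type() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Type:[[:space:]]*//p'
}

# cert_principals CERT -> one principal per line (empty if unrestricted);
# ssh-keygen -L lists them indented under "Principals:" until the next
# capitalised field name ("Critical Options:").
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/ { inlist = 1; next }
        /^[[:space:]]*[A-Z]/       { inlist = 0 }
        inlist && NF               { print $1 }'
}

# cert_validity CERT -> the "Valid:" line: "forever" when signed with DAYS=0,
# otherwise "from <start> to <end>"
cert_validity() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Valid:[[:space:]]*//p'
}
```

Usage: `sign_key ca alice.pub alice alice,admin 7` produces alice-cert.pub as a user certificate valid for 7 days and restricted to the principals alice and admin; `sign_key ca ssh_host_ed25519_key.pub web01 web01.example.org 0 host` produces a host certificate that never expires. Checking cert_type, cert_principals and cert_validity on the output before distributing it catches the two common mistakes, a user certificate issued where a host certificate was intended and an unrestricted or forever-valid certificate issued by accident.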
Prepare CA
Prepare Yubikey
...
To set up the YubiKey, yubico-piv-tool is used. It must be installed from source to work correctly. For the installation the following packages are needed:
...
Then generate an RSA private key for the SSH Host CA and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy: they want to be able to extract the public key from the smart card, and do that through the X.509 certificate.
...