...
To prepare the PIV applet in the YubiKey, the management key, the PIN and the PUK need to be set. The commands below generate random values, save them to files (yubikeyN.key, yubikeyN.pin, yubikeyN.puk) for the later steps, and replace the factory defaults on the card. Keep those files out of world-readable locations: the management key is what authorises key generation and certificate import on the card.
```bash
YUBIKEYNUM=0

# New 24-byte management key, written as 48 hex characters
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key > yubikey$YUBIKEYNUM.key

# New 6-digit PIN and 8-digit PUK. hexdump '%u' prints one decimal number (1-3 digits)
# per byte, so 8 random bytes are needed to guarantee at least 8 digits for the PUK.
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"' | cut -c1-6`
echo $pin > yubikey$YUBIKEYNUM.pin
puk=`dd if=/dev/random bs=1 count=8 2>/dev/null | hexdump -v -e '/1 "%u"' | cut -c1-8`
echo $puk > yubikey$YUBIKEYNUM.puk

# Replace the factory defaults. Without -k, yubico-piv-tool authenticates with the
# default management key 010203040506070801020304050607080102030405060708;
# the default PIN is 123456 and the default PUK is 12345678.
yubico-piv-tool -a set-mgm-key -n $key
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
yubico-piv-tool -k $key -a change-puk -P 12345678 -N $puk
```
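The `hexdump '%u' | cut` trick has two weak spots: bytes below 10 contribute a single digit, so the digit distribution is skewed, and the result can be shorter than the requested length. The following is an added example (not part of the original page) that derives the same three credentials with uniformly random digits, validates their lengths and character sets the way the card will, and writes the files with mode 0600. It assumes only POSIX sh, `tr`, `od` and `head -c`; the function names are this example's own.

```bash
#!/bin/sh
# Added example, not from the original page: derive the PIV management key,
# PIN and PUK so that every digit is uniformly random and the PUK is always
# exactly 8 digits, then validate them before anything is sent to the card.
set -eu

# N uniformly random decimal digits: tr discards every non-digit byte, so each
# surviving byte is one of ten equally likely values.
gen_digits() {
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
}

# 24 random bytes as 48 upper-case hex characters, the 3DES management key
# format yubico-piv-tool takes for -k / -n.
gen_mgm_key() {
    od -An -vtx1 -N24 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Validation helpers: PIN 6-8 digits, PUK exactly 8 digits, key 48 hex chars.
is_digits() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}
check_pin() { is_digits "$1" && [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ]; }
check_puk() { is_digits "$1" && [ "${#1}" -eq 8 ]; }
check_mgm() {
    [ "${#1}" -eq 48 ] || return 1
    case "$1" in *[!0-9A-F]*) return 1 ;; esac
}

# Write yubikeyN.key/.pin/.puk into directory $2 with mode 0600 (a plain
# "echo > file" under the usual 022 umask leaves the credentials world-readable),
# then re-read and validate them. Returns non-zero if any value is malformed.
write_creds() {
    n=$1; dir=$2
    (
        umask 077
        gen_mgm_key > "$dir/yubikey$n.key"
        gen_digits 6 > "$dir/yubikey$n.pin"
        gen_digits 8 > "$dir/yubikey$n.puk"
    )
    check_mgm "$(cat "$dir/yubikey$n.key")" &&
    check_pin "$(cat "$dir/yubikey$n.pin")" &&
    check_puk "$(cat "$dir/yubikey$n.puk")"
}

# Usage: generate a set into a scratch directory and show the resulting files.
demo_dir=$(mktemp -d)
write_creds 0 "$demo_dir"
ls -l "$demo_dir"
```

The generated files drop straight into the `yubico-piv-tool` commands above (`-n "$(cat yubikey0.key)"`, `-N "$(cat yubikey0.pin)"` and so on); the checks are cheap insurance against locking the card with a value it will not accept.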
Generate RSA private keys for SSH Host CA
Then generate an RSA private key for the SSH Host CA, and a dummy X.509 certificate for that key. The certificate's only purpose is to satisfy PIV/PKCS#11: a PKCS#11 module learns the public key of a slot by reading the certificate object stored in that slot, so a slot holding a key but no certificate is not usable from the host.
```bash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
key=`cat yubikey$YUBIKEYNUM.key`   # management key set in the previous step
pin=`cat yubikey$YUBIKEYNUM.pin`

# Option A: generate the CA key on the host with OpenSSL plus a dummy self-signed
# certificate; both are imported into slot 9c in the next section. The public key
# is exported separately so it can be converted to OpenSSH format below.
openssl genrsa -out yubikey$YUBIKEYNUM-key.pem 2048
openssl req -new -x509 -batch -key yubikey$YUBIKEYNUM-key.pem -subj "/CN=yubikey$YUBIKEYNUM/" -out yubikey$YUBIKEYNUM-cert.pem
openssl rsa -in yubikey$YUBIKEYNUM-key.pem -pubout -out yubikey$YUBIKEYNUM.pem

# Option B: generate the key on the YubiKey itself in slot 9c (the private key never
# leaves the device), self-sign a certificate for it and store that certificate in the slot.
# -k takes the management key; -P takes the PIN (they are different credentials).
yubico-piv-tool -k $key -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
yubico-piv-tool -a verify-pin -P $pin -a selfsign-certificate -s 9c -S "/CN=yubikey$YUBIKEYNUM/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
yubico-piv-tool -k $key -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem

# Convert the PEM (PKCS#8) public key to OpenSSH format and install it as the CA public key
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -m PKCS8 > yubikey$YUBIKEYNUM.pub
mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE
```
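Before the .pub goes into the CA directory it is worth confirming that certificate, private key and OpenSSH public key all carry the same RSA key, since sshd will trust whatever is in that file. The following added example (not code from the original page) generates the host-side key and dummy certificate, derives the OpenSSH public key from the certificate, which is the path a PKCS#11 consumer takes, and compares fingerprints against the private key. It assumes `openssl` and `ssh-keygen` on PATH; the function names and the scratch-directory layout are this example's own.

```bash
#!/bin/sh
# Added example, not from the original page: generate the host-side CA key
# and its dummy certificate, derive the OpenSSH public key from the
# certificate, and verify that certificate, private key and .pub agree
# before the .pub is installed as the CA public key.
set -eu

# RSA key plus a self-signed throwaway certificate; the certificate only
# exists so that PIV/PKCS#11 has an object to read the public key from.
make_ca_key() {            # $1 = yubikey number, $2 = work directory
    openssl genrsa -out "$2/yubikey$1-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -batch -key "$2/yubikey$1-key.pem" \
        -subj "/CN=yubikey$1/" -days 3650 -out "$2/yubikey$1-cert.pem"
}

# OpenSSH "ssh-rsa AAAA..." line taken from the certificate's public key.
cert_to_sshpub() {         # $1 = certificate PEM
    openssl x509 -in "$1" -noout -pubkey | ssh-keygen -i -m PKCS8 -f /dev/stdin
}

# The same line derived independently from the private key.
priv_to_sshpub() {         # $1 = private key PEM
    openssl rsa -in "$1" -pubout 2>/dev/null | ssh-keygen -i -m PKCS8 -f /dev/stdin
}

# SHA256 fingerprint of an OpenSSH public key line (second field of ssh-keygen -l).
ssh_fp() {
    printf '%s\n' "$1" | ssh-keygen -lf /dev/stdin | awk '{print $2}'
}

# Succeeds only when certificate and private key belong to the same key pair.
ca_key_matches() {         # $1 = certificate PEM, $2 = private key PEM
    [ "$(ssh_fp "$(cert_to_sshpub "$1")")" = "$(ssh_fp "$(priv_to_sshpub "$2")")" ]
}

# Usage: build a key pair in a scratch directory and emit the CA .pub line
# only if it passes the consistency check.
if command -v openssl >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca_key 0 "$work"
    if ca_key_matches "$work/yubikey0-cert.pem" "$work/yubikey0-key.pem"; then
        cert_to_sshpub "$work/yubikey0-cert.pem" > "$work/yubikey0.pub"
        cat "$work/yubikey0.pub"
    else
        echo "certificate and private key do not match" >&2
        exit 1
    fi
fi
```

After the certificate has been imported into slot 9c, the same fingerprint comparison can be run against the card by reading the certificate back with `yubico-piv-tool -a read-certificate -s 9c` and feeding it to `cert_to_sshpub`; a mismatch there means the slot does not hold the key the CA .pub describes.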
Import keys to YubiKey
You import the key and certificate into the PIV applet as follows:
...