...
```bash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"   # must already exist (see mkdir below)
# Generate the CA key pair in PIV slot 9c (digital signature); only the public key is written out
yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
# Self-sign a certificate for the new key and load it into the same slot
yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate -s 9c -S "/CN=yubikey$YUBIKEYNUM/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem
# Convert the PKCS#8 public key into OpenSSH format and store it as the CA public key
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub
mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE
```
Import keys to the YubiKey
If you already have a CA key and certificate, you import them into the PIV applet as follows:
```bash
# $key holds the PIV management key; both commands read their input from stdin
yubico-piv-tool -k $key -a import-key -s 9c < yubikey$YUBIKEYNUM-key.pem
yubico-piv-tool -k $key -a import-certificate -s 9c < yubikey$YUBIKEYNUM-cert.pem
```
Extract the public key for the CA:
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
mkdir -p $PATH_TO_CERTIFICATE
# Export the public keys held by the PKCS#11 module (the YubiKey) in OpenSSH format
ssh-keygen -D $PATH_TO_YKCS11 -e > $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
```
Sign server's RSA key
```bash
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
# The CA private key never leaves the YubiKey: -D selects the PKCS#11 module and
# -s names the CA *public* key file. -h issues a host certificate, -n restricts it
# to the given host name and -V limits its validity to 52 weeks.
ssh-keygen -D $PATH_TO_YKCS11 \
    -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub \
    -I server_name \
    -h \
    -n server.netdef.org \
    -V +52w \
    /etc/ssh-ca/ssh_host_rsa_key.pub
```
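Before installing the certificate that the step above writes next to the host key, it is worth checking that it is really a host certificate, names only the intended host and is inside its validity window, and to produce the client-side known_hosts line that trusts the CA. The script below is an added example, not part of the original page; it assumes ssh-keygen is on PATH and reuses the page's principal and file names (the `*.netdef.org` pattern is an assumption).

```shell
#!/bin/sh
# Added example (not from the original page): verify an issued host certificate
# and emit the known_hosts entry that trusts the CA. Assumes ssh-keygen on PATH.

# check_host_cert CERT PRINCIPAL
# Returns 0 only if CERT is a *host* certificate, lists PRINCIPAL explicitly
# (a certificate with no principals is valid for any host name) and is valid now.
check_host_cert() {
    cert=$1
    principal=$2
    info=$(ssh-keygen -L -f "$cert") || return 1
    now=$(date +%Y-%m-%dT%H:%M:%S)    # same local-time format ssh-keygen -L prints

    printf '%s\n' "$info" | grep -q 'host certificate' ||
        { echo "$cert: not a host certificate" >&2; return 1; }

    # ssh-keygen prints "Principals: (none)" for an unrestricted certificate,
    # otherwise one indented principal per line.
    printf '%s\n' "$info" | grep -q 'Principals: (none)' &&
        { echo "$cert: no principals, would match any host" >&2; return 1; }
    printf '%s\n' "$info" | sed 's/^[[:space:]]*//' | grep -qxF "$principal" ||
        { echo "$cert: principal $principal not listed" >&2; return 1; }

    # Accept only "forever" or a bounded "from A to B" window containing now
    # (fail closed on anything else); ISO timestamps compare correctly as strings.
    valid=$(printf '%s\n' "$info" | awk -v now="$now" '
        /Valid: forever/ { print "yes"; exit }
        /Valid: from/    { if ($3 <= now && now <= $5) print "yes"; else print "no"; exit }')
    [ "$valid" = yes ] || { echo "$cert: not valid at $now" >&2; return 1; }
    printf '%s\n' "$info"
}

# ca_trust_line PATTERN CA_PUB
# known_hosts entry that makes clients accept any host certificate signed by
# CA_PUB for hosts matching PATTERN, instead of pinning individual host keys.
ca_trust_line() {
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# Usage against the files produced in the signing step (assumed paths):
# check_host_cert /etc/ssh-ca/ssh_host_rsa_key-cert.pub server.netdef.org
# ca_trust_line '*.netdef.org' /etc/ssh-ca/yubikey0.pub >> ~/.ssh/known_hosts
```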
...