...
Warning: This needs to be done on an offline machine!
Step 1 - Activate CCID
Activate the USB interface mode CCID on the YubiKey. To install the YubiKey Manager check https://developers.yubico.com/yubikey-manager/.
Activate the mode using:

    ykman mode CCID
Step 2 - Install libraries that are used later
To set up the YubiKey the yubico-piv-tool is used. It must be installed from source to work correctly. For the installation the following packages are needed:

    apt-get install autoconf automake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man
Step 3 - Install the tool

    git clone https://github.com/Yubico/yubico-piv-tool.git
    cd yubico-piv-tool
    mkdir build; cd build
    cmake ..
    make
    sudo make install
Step 4 - Change default PINs and management key of the YubiKey
To prepare the PIV applet in the YubiKey the management key, the PIN and the PUK need to be set.

    # Set a new management key (the factory default is used to authenticate when -k is omitted).
    yubico-piv-tool -a set-mgm-key -n 010203040506070801020304050607080102030405060708
    # $key must hold the management key that was just set.
    key=010203040506070801020304050607080102030405060708
    # Change the PIN (factory default 123456) and the PUK (factory default 12345678).
    yubico-piv-tool -k $key -a change-pin -P 123456 -N 123456
    yubico-piv-tool -k $key -a change-puk -P 12345678 -N 12345678
Step 5 - Generate RSA private keys for the SSH Host CA
Then generate an RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy: they want to be able to extract the public key from the smart card, and do that through the X.509 certificate.
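The following script is an added example, not part of the original page: it carries Steps 4 and 5 through with freshly generated secrets instead of the factory-default values shown above, validates their format before touching the key, generates the CA key in PIV slot 9c, wraps it in the dummy self-signed X.509 certificate and exports the OpenSSH public key through PKCS#11. It assumes yubico-piv-tool is on PATH and that "make install" placed libykcs11.so under /usr/local/lib (both assumptions).

```shell
#!/bin/sh
# Added example: provision the PIV applet with random secrets and create the SSH Host CA key.
# Assumes yubico-piv-tool is on PATH and libykcs11.so lives in /usr/local/lib.
set -eu

# 24 random bytes as 48 hex characters: the format of a PIV 3DES management key.
gen_mgm_key() { head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'; }
# $1 random decimal digits, drawn uniformly from /dev/urandom (PIN: 6, PUK: 8).
gen_pin() { LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"; }

# Format checks: PIV accepts a 48-hex-digit management key, a 6-8 digit PIN and an 8 digit PUK.
valid_mgm_key() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{48}$'; }
valid_pin()     { printf '%s' "$1" | grep -Eq '^[0-9]{6,8}$'; }
valid_puk()     { printf '%s' "$1" | grep -Eq '^[0-9]{8}$'; }

provision_host_ca() {
  key=$(gen_mgm_key); pin=$(gen_pin 6); puk=$(gen_pin 8)
  if ! valid_mgm_key "$key" || ! valid_pin "$pin" || ! valid_puk "$puk"; then
    echo "generated credential has an invalid format, aborting" >&2; return 1
  fi
  # Step 4: replace the factory defaults (mgm key 0102..08, PIN 123456, PUK 12345678).
  yubico-piv-tool -a set-mgm-key -n "$key"
  yubico-piv-tool -k "$key" -a change-pin -P 123456 -N "$pin"
  yubico-piv-tool -k "$key" -a change-puk -P 12345678 -N "$puk"
  # Step 5: RSA 2048 CA key in slot 9c (digital signature); public key lands in ca_pub.pem.
  yubico-piv-tool -k "$key" -a generate -s 9c -A RSA2048 -o ca_pub.pem
  # Dummy self-signed X.509 certificate so PIV/PKCS#11 can hand out the public key.
  yubico-piv-tool -a verify-pin -P "$pin" -a selfsign-certificate -s 9c \
      -S '/CN=SSH Host CA/' -i ca_pub.pem -o ca_cert.pem
  yubico-piv-tool -k "$key" -a import-certificate -s 9c -i ca_cert.pem
  # Export the CA public key in OpenSSH format through the PKCS#11 module (path assumed).
  ssh-keygen -D /usr/local/lib/libykcs11.so > host_ca.pub
  # Keep the new secrets on the offline machine only, readable by this user alone.
  printf 'mgm_key=%s\npin=%s\npuk=%s\n' "$key" "$pin" "$puk" > piv-secrets.txt
  chmod 600 piv-secrets.txt
}

# Touch the hardware only when invoked as "./script.sh provision"; otherwise just define functions.
if [ "${1:-}" = provision ]; then provision_host_ca; fi
```

Running it as "sh script.sh provision" performs the provisioning; sourcing it without the argument exposes the generator and validation functions for reuse.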
...