Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning

This needs to be done on a offline machine!

Step 1 - activate CCID

Activate the USB interface mdoe CCID on the Yubikey. To install the Yubikey manager check https://developers.yubico.com/yubikey-manager/.

Activate the mode using:

Code Block
languagebash
ykman mode CCID


Step 2 - Install libraries that are later used

To setup the yubikey the yubico-piv-tool is used. It must be installed from source to work correctly. For the installation the following packages are needed:

Code Block
languagebash
apt-get install autoconf automake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man

Step

...

3 - Install the tool

Code Block
languagebash
git clone https://github.com/Yubico/yubico-piv-tool.git

cd yubico-piv-tool

mkdir build; cd build
cmake ..
make
sudo make install

Step

...

4 - Change default pins and management key of yubikey

To prepare the PIV applet in the YubiKey the management key, the pin and the punk needs to be set.

Code Block
languagebash
yubico-piv-tool -a set-mgm-key -n 010203040506070801020304050607080102030405060708
yubico-piv-tool -k $key -a change-pin -P 123456 -N 123456
yubico-piv-tool -k $key -a change-puk -P 12345678 -N 12345678

Step

...

5 - Generate RSA private keys for SSH Host CA

Then generate a RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy. They want to be able to extract the public-key from the smart-card, and do that through the X.509 certificate.

...