Versions Compared

Old Version 35

changes.mady.by.user Jovin Langenegger

Saved on

compared with

New Version 36

changes.mady.by.user Jovin Langenegger

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

https://github.com/jlangenegger/ssh_certificate/

2 -

...

To sign client's public keys there is the script 'generate_client_certificate.sh' to simplify the procedure.
The scripts does have the following options:

  • -g
    • This takes a github user name as an argument and generates a certificate for each key stored in github.
  • -f
    • Instead of the github user name, one can provide a file that contains all the keys.
    • Nevertheless the flag '-g' is needed as the certificate holder's name.
  • -V
    • Add the validity interval of a certificate
    • Per default a certificate is valid for seven days.
    • More information can be found here: validity_interval
  • -n
    • This flag restricts the certificate to a list of principals that the client is allowed to log in.

The output of 'generate_client_certificate.sh' is a .tar archive that contains the certificate, the public key that is used to authenticate servers as well as an instruction to install the certificate on the client's machine. It is stored in the home directory '$HOME/signed_keys'.

3 - Sign hosts's public keys

To sign host's public keys there is the script 'generate_host_certificate.sh' to simplify the procedure.
The scripts does have the following options:

  • -I
    • This takes the HOST_ID of the server.
    • e.g host.netdef.org
  • -f
    • The file that contains all the keys.
  • -V
    • Add the validity interval of a certificate
    • Per default a certificate is valid for one year.
    • More information can be found here: validity_interval
  • -n
    • This flag restricts the certificate to a list of principals that the host is known by.

The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/signed_keys'.

...

Prepare Yubikey

Warning

This needs to be done on a offline machine!

...

Code Block
languagebash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"

# generate key directly on yubikey and self-sign the certificate
yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate --valid-days 10000 -s 9c -S "/CN=yubikey`$YUBIKEYNUM`/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
# import self-signed certificate
yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem

# convert public key to RSA
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub

# move public key to correct place and remove leftovers
mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE 
rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem

3 - Sign client's public keys

To sign client's public keys there is the script 'generate_client_certificate.sh' to simplify the procedure.
The scripts does have the following options:

  • -g
    • This takes a github user name as an argument and generates a certificate for each key stored in github.
  • -f
    • Instead of the github user name, one can provide a file that contains all the keys.
    • Nevertheless the flag '-g' is needed as the certificate holder's name.
  • -V
    • Add the validity interval of a certificate
    • Per default a certificate is valid for seven days.
    • More information can be found here: validity_interval
  • -n
    • This flag restricts the certificate to a list of principals that the client is allowed to log in.

The output of 'generate_client_certificate.sh' is a .tar archive that contains the certificate, the public key that is used to authenticate servers as well as an instruction to install the certificate on the client's machine. It is stored in the home directory '$HOME/signed_keys'.

4 - Sign hosts's public keys

To sign host's public keys there is the script 'generate_host_certificate.sh' to simplify the procedure.
The scripts does have the following options:

  • -I
    • This takes the HOST_ID of the server.
    • e.g host.netdef.org
  • -f
    • The file that contains all the keys.
  • -V
    • Add the validity interval of a certificate
    • Per default a certificate is valid for one year.
    • More information can be found here: validity_interval
  • -n
    • This flag restricts the certificate to a list of principals that the host is known by.

The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/signed_keys'.

5 - Sign server's RSA key

...