Versions Compared

Old Version 46

changes.mady.by.user Jovin Langenegger

Saved on

compared with

New Version 47

changes.mady.by.user Jovin Langenegger

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"

mkdir -p $PATH_TO_CERTIFICATE

# generate key directly on yubikey and self-sign the certificate
yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate --valid-days 10000 -s 9c -S "/CN=yubikey`$YUBIKEYNUM`/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
# import self-signed certificate
yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem

# convert public key to RSA
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub

# move public key to correct place and remove leftovers
mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE 
rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem

3 - Prepare CA

Step 1 - Activate CCID

Activate the USB interface CCID on the Yubikey. To install the Yubikey manager check https://developers.yubico.com/yubikey-manager/.

Activate the mode using:

Step 2- Generate RSA private keys for SSH Host CA

4 - Sign client's public keys

...