...
Info |
---|
2 - Prepare CA
...
Warning |
---|
This needs to be done on a offline machine! |
Step 1 - Activate CCID
Activate the USB interface CCID on the Yubikey. To install the Yubikey manager check https://developers.yubico.com/yubikey-manager/.
Activate the mode using:
Code Block | ||
---|---|---|
| ||
ykman mode CCID |
...
server
Step 1 - Install libraries that are later used
To setup the yubikey the yubico-piv-tool
is used. It must be installed from source to work correctly. For the installation the following packages are needed:
Code Block | ||
---|---|---|
| ||
apt-get install git cmake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man |
Step
...
2 - Install the tool
Code Block | ||
---|---|---|
| ||
git clone https://github.com/Yubico/yubico-piv-tool.git
cd yubico-piv-tool
mkdir build; cd build
cmake ..
make
sudo make install |
3 - Prepare Yubikey
Warning |
---|
This needs to be done on a offline machine! |
Step 1 - Activate CCID
Activate the USB interface CCID on the Yubikey. To install
...
the Yubikey manager check https://developers.yubico.com/yubikey-manager/.
Activate the mode using:
Code Block | ||
---|---|---|
| ||
ykman mode CCID |
Step 2 - Change default pins and management key of yubikey
To prepare the PIV applet in the YubiKey the management key, the pin and the punk needs to be set.
Code Block | ||
---|---|---|
| ||
yubico-piv-tool -a set-mgm-key -n 010203040506070801020304050607080102030405060708 yubico-piv-tool -k $key -a change-pin -P 123456 -N 123456 yubico-piv-tool -k $key -a change-puk -P 12345678 -N 12345678 |
Step
...
3- Generate RSA private keys for SSH Host CA
Then generate a RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy. They want to be able to extract the public-key from the smart-card, and do that through the X.509 certificate.
Code Block | ||
---|---|---|
| ||
YUBIKEYNUM=0 PATH_TO_CERTIFICATE="/etc/ssh-ca" mkdir -p $PATH_TO_CERTIFICATE # generate key directly on yubikey and self-sign the certificate yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate --valid-days 10000 -s 9c -S "/CN=yubikey`$YUBIKEYNUM`/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem # import self-signed certificate yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem # convert public key to RSA ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub # move public key to correct place and remove leftovers mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem |
3 - Prepare CA
Step 1 - Activate CCID
Activate the USB interface CCID on the Yubikey. To install the Yubikey manager check https://developers.yubico.com/yubikey-manager/.
Activate the mode using:
...
4 - Sign client's public keys
...