...
Info |
---|
2 - Prepare
...
Warning |
---|
This needs to be done on a offline machine! |
Step 1 - Activate CCID
Activate the USB interface CCID on the Yubikey. To install the Yubikey manager check https://developers.yubico.com/yubikey-manager/.
Activate the mode using:
Code Block | ||
---|---|---|
| ||
ykman mode CCID |
...
CA server
Step 1 - Install libraries that are later used
To setup the yubikey the yubico-piv-tool
is used. It must be installed from source to work correctly. For the installation the following packages are needed:
Code Block | ||
---|---|---|
| ||
apt-get install git cmake build-essential libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man |
Step
...
2 - Install the yubico-piv-tool
Code Block | ||
---|---|---|
| ||
git clone https://github.com/Yubico/yubico-piv-tool.git cd yubico-piv-tool mkdir build; cd build cmake .. make sudo make install |
Step
...
3 - Install the yubikey-manager
To install the Yubikey manager check https://developers.yubico.com/yubikey-manager/.
3 - Prepare Yubikey
Warning |
---|
This needs to be done on a offline machine! |
Step 1 - Activate CCID
Activate the USB interface CCID on the Yubikey. Activate the mode using:
Code Block | ||
---|---|---|
| ||
ykman mode CCID |
Step 2 - Change default pins and management key of yubikey
To prepare the PIV applet in the YubiKey the management key, the pin and the punk needs to be set.
Code Block | ||
---|---|---|
| ||
yubico-piv-tool -a set-mgm-key -n 010203040506070801020304050607080102030405060708 yubico-piv-tool -k $key -a change-pin -P 123456 -N 123456 yubico-piv-tool -k $key -a change-puk -P 12345678 -N 12345678 |
Step
...
3- Generate RSA private keys for SSH Host CA
Then generate a RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy. They want to be able to extract the public-key from the smart-card, and do that through the X.509 certificate.
Code Block | ||
---|---|---|
| ||
YUBIKEYNUM=0 PATH_TO_CERTIFICATE="/etc/ssh-ca" mkdir -p $PATH_TO_CERTIFICATE # generate key directly on yubikey and self-sign the certificate yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate --valid-days 10000 -s 9c -S "/CN=yubikey`$YUBIKEYNUM`/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem # import self-signed certificate yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem # convert public key to RSA ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub # move public key to correct place and remove leftovers mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem |
...
4 - Sign client's public keys
To sign client's public keys there is the script
to simplify the procedure.'
generate_client_certificate.sh'
The scripts does have the following options:
...
The output of '
generate_client_certificate.sh
is a .tar archive that contains the certificate, the public key that is used to authenticate servers as well as an instruction to install the certificate on the client's machine. It is stored in the home directory '
'
$HOME/signed_keys'
.
...
5 - Troubleshooting
Export public key
Code Block | ||
---|---|---|
| ||
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so" ssh-keygen -D PATH_TO_YKCS11 -e |
...