...

2 Sign client's public keys

To sign client's public keys there is the script 'generate_client_certificate.sh' to simplify the procedure.
The scripts does have the following options:

...

The output of 'generate_client_certificate.sh' is a .tar archive that contains the certificate, the public key that is used to authenticate servers as well as an instruction to install the certificate on the client's machine. It is stored in the home directory '$HOME/signed_keys'.

...

3 Sign hosts's public keys

To sign host's public keys there is the script 'generate_host_certificate.sh' to simplify the procedure.
The scripts does have the following options:

...

The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/signed_keys'.

...

4 Prepare Yubikey

...

YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"

# generate key directly on yubikey and self-sign the certificate
yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate -s 9c -S "/CN=yubikey`$YUBIKEYNUM`/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
# import self-signed certificate
yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem

# convert public key to RSA
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub

# move public key to correct place and remove leftovers
mv yubikey$YUBIKEYNUM.pub $PATH_TO_CERTIFICATE 
rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem

...

5 Sign server's RSA key

PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I server_name \
            -h \
            -n server.netdef.org \
            -V +52w \
            /etc/ssh-ca/ssh_host_rsa_key.pub

...

• -D
  • is used to access the yubikey
• -s
  • provides the public certificate to access the yubikey
• -I server_name
  • The key identifier to include in the certificate.
• -h
  • Generate a host certificate (instead of a user certificate)
• -n server.netdef.org
  • The principal names to include in the certificate.
  • For host certificates this is a list of all names that the system is known by.
  • Note: Use the unqualified names carefully here in organizations where hostnames are not unique (ca.netdef.org vs. ca.dev.netdef.org)
• -V +52w
  • The validity period.
  • For host certificates, you’ll probably want them pretty long lived.
  • This setting sets the validity period from now until 52 weeks hence.
• /etc/ssh-ca/ssh_host_rsa_key.pub
  • The path to the host RSA public key to sign.
  • Our signed host key certificate will be /etc/ssh-ca/ssh_host_rsa_key-cert.pub.

...

6 Sign client's RSA key

PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I client_name \
            -n root \
            -V +24h \
            /etc/ssh_ca/id_rsa.pub

...

• -D
  • is used to access the yubikey
• -s
  • provides the public certificate to access the yubikey
• -I client_name
  • The key identifier to include in the certificate.
• -n root
  • The principal names to include in the certificate.
  • For client certificates this is a list of all users that the system is allowed to log in.
• -V +24h
  • The validity period.
  • For client certificates, you’ll probably want them short lived.
  • This setting sets the validity period from now until 24 hours.
  • One an SSH session is authenticated the certificate can safely expire without impacting the established session.
• /etc/ssh_ca/id_rsa.pub
  • The name of the host RSA public key to sign.
  • Our signed host key (certificate) will be /etc/ssh_ca/ssh_host_rsa_key-cert.pub.

...

7 Troubleshooting

Export public key

PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
ssh-keygen -D PATH_TO_YKCS11 -e

...