...

Info

https://github.com/jlangenegger/ssh_certificate/

2 - Prepare

...

CA

Warning

This needs to be done on an offline machine!

...

```bash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"

mkdir -p "$PATH_TO_CERTIFICATE"

# generate the CA key directly on the YubiKey (slot 9c) and self-sign its certificate
yubico-piv-tool -k 123456 -s 9c -a generate -o yubikey$YUBIKEYNUM.pem
yubico-piv-tool -k 123456 -a verify-pin -a selfsign-certificate --valid-days 10000 -s 9c -S "/CN=yubikey$YUBIKEYNUM/" -i yubikey$YUBIKEYNUM.pem -o yubikey$YUBIKEYNUM-cert.pem
# import the self-signed certificate into the slot
yubico-piv-tool -k 123456 -a import-certificate -s 9c -i yubikey$YUBIKEYNUM-cert.pem

# convert the PKCS#8 public key to OpenSSH format
ssh-keygen -f yubikey$YUBIKEYNUM.pem -i -mPKCS8 > yubikey$YUBIKEYNUM.pub

# move the public key to its final place and remove leftovers
mv yubikey$YUBIKEYNUM.pub "$PATH_TO_CERTIFICATE"
rm yubikey$YUBIKEYNUM-cert.pem yubikey$YUBIKEYNUM.pem
```

...

4 - Sign client's public keys

To sign clients' public keys, the script 'generate_client_certificate.sh' simplifies the procedure.
The script has the following options:

...

The output of 'generate_client_certificate.sh' is a .tar archive that contains the certificate, the public key used to authenticate servers, and instructions for installing the certificate on the client's machine. It is stored in the home directory under '$HOME/signed_keys'.
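The signing step described above, as an added example that is not the repository's own generate_client_certificate.sh: with CA_PKCS11_LIB set, ssh-keygen signs through the YubiKey's PKCS#11 module and the CA private key never leaves the token; without it, CA_KEY is a plain private key file so the script can be exercised offline. The script name, argument order, the INSTALL.txt wording and the ssh-ca.pub file name are assumptions.

```bash
#!/bin/sh
# Added example (hypothetical, not the repository's generate_client_certificate.sh).
# Signs one client public key with the SSH CA and bundles the result as a tar.
# With CA_PKCS11_LIB set (e.g. /usr/local/lib/libykcs11.so) the CA private key
# stays on the YubiKey: CA_KEY is then the CA *public* key (/etc/ssh-ca/yubikey0.pub)
# and ssh-keygen signs via PKCS#11. Without it, CA_KEY is an ordinary private key file.
set -eu

# sign_client_key CA_KEY CLIENT_PUB KEY_ID PRINCIPALS [OUTDIR] [VALIDITY]
# Prints the path of the archive it wrote (default location: $HOME/signed_keys).
sign_client_key() {
  ca_key="$1"; client_pub="$2"; key_id="$3"; principals="$4"
  outdir="${5:-$HOME/signed_keys}"
  validity="${6:-+52w}"                 # default: certificate valid for one year
  work="$(mktemp -d)"
  mkdir -p "$outdir"
  cp "$client_pub" "$work/$key_id.pub"  # ssh-keygen writes <name>-cert.pub next to it
  if [ -n "${CA_PKCS11_LIB:-}" ]; then
    # -s takes the CA public half, -D the PKCS#11 module holding the private half
    ssh-keygen -q -s "$ca_key" -D "$CA_PKCS11_LIB" -I "$key_id" -n "$principals" \
      -V "$validity" "$work/$key_id.pub"
    cp "$ca_key" "$work/ssh-ca.pub"
  else
    ssh-keygen -q -s "$ca_key" -I "$key_id" -n "$principals" \
      -V "$validity" "$work/$key_id.pub"
    ssh-keygen -y -f "$ca_key" > "$work/ssh-ca.pub"   # derive the CA public key
  fi
  # installation notes shipped with the certificate (client-side steps only)
  cat > "$work/INSTALL.txt" <<EOF
1. Copy $key_id-cert.pub to ~/.ssh/ next to the private key it belongs to.
2. Append this line to ~/.ssh/known_hosts so hosts signed by the CA are trusted:
   @cert-authority * $(cat "$work/ssh-ca.pub")
3. Principals in this certificate: $principals (valid $validity from signing).
EOF
  tar -cf "$outdir/$key_id.tar" -C "$work" "$key_id-cert.pub" ssh-ca.pub INSTALL.txt
  rm -rf "$work"
  echo "$outdir/$key_id.tar"
}

# cert_summary CERT_FILE: human-readable dump (key ID, principals, validity window)
cert_summary() { ssh-keygen -L -f "$1"; }

if [ $# -gt 0 ]; then sign_client_key "$@"; fi
```

Run as `CA_PKCS11_LIB=/usr/local/lib/libykcs11.so ./sign_client_key.sh /etc/ssh-ca/yubikey0.pub alice.pub alice alice,admin` on the signing machine; check the result with `cert_summary` before handing the archive out.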

...

5 - Troubleshooting

Export public key

```bash
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"
# list the public keys the YubiKey exposes through PKCS#11
ssh-keygen -D "$PATH_TO_YKCS11" -e
```

...