Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The output of 'generate_host_certificate.sh' is the certificate 'HOST_ID-cert.pub' that needs to be copied to the host. It is stored in the home directory '$HOME/signed_keys'.

5 - Sign server's RSA key manually

Code Block
languagebash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I server_name \
            -h \
            -n server.netdef.org \
            -V +52w \
            /etc/ssh-ca/ssh_host_rsa_key.pub

...

  • -D
    • is used to access the yubikey
  • -s
    • provides the public certificate to access the yubikey
  • -I server_name
    • The key identifier to include in the certificate.
  • -h
    • Generate a host certificate (instead of a user certificate)
  • -n server.netdef.org
    • The principal names to include in the certificate.
    • For host certificates this is a list of all names that the system is known by.
    • Note: Use the unqualified names carefully here in organizations where hostnames are not unique (ca.netdef.org vs. ca.dev.netdef.org)
  • -V +52w
    • The validity period.
    • For host certificates, you’ll probably want them pretty long lived.
    • This setting sets the validity period from now until 52 weeks hence.
  • /etc/ssh-ca/ssh_host_rsa_key.pub
    • The path to the host RSA public key to sign.
    • Our signed host key certificate will be /etc/ssh-ca/ssh_host_rsa_key-cert.pub.

6 - Sign client's RSA key manually

Code Block
languagebash
YUBIKEYNUM=0
PATH_TO_CERTIFICATE="/etc/ssh-ca"
PATH_TO_YKCS11="/usr/local/lib/libykcs11.so"

ssh-keygen  -D $PATH_TO_YKCS11
            -s $PATH_TO_CERTIFICATE/yubikey$YUBIKEYNUM.pub
            -I client_name \
            -n root \
            -V +24h \
            /etc/ssh_ca/id_rsa.pub

...