ringllka.blogg.se

Yubikey 4 fido2
Contents

  • 2 Prepare yubikey
  • 2.1 Install packages
  • 2.2 Start pcscd
  • 2.3 Verify readers
  • 2.4 Reset the Yubikey
  • 2.4.1 First we need to get the Yubikey blocked
  • 2.5 Set new Management Key, PIN and PUK
  • 2.6 Create certificate
  • 2.6.1 Generate Private Key
  • 2.6.2 Generate Certificate Signing Request
  • 2.6.3 Create certificate
  • 2.6.4 Import the certificate into Yubikey
  • 3 Assign the certificate to FreeIPA user
  • 4.3 Start and enable PC Smart Card Daemon
  • 4.4 Enable authentication using certificates in SSSD
  • 4.6 Import CA certificates for Smart Cards

2 Prepare yubikey

2.1 Install packages

# dnf install -y ykpers yubico-piv-tool pcsc-lite opensc

2.2 Start pcscd

# systemctl start pcscd

2.3 Verify readers

# opensc-tool --list-readers
0 Yes Yubico Yubikey 4 OTP+U2F+CCID 00 00

2.4 Reset the Yubikey

2.4.1 First we need to get the Yubikey blocked

The reset action refuses to run unless both the PIN and the PUK are blocked. Blocking the Yubikey is straightforward: exhaust the PIN retry counter (three attempts by default) with wrong PINs, then do the same for the PUK. The status action needs no authentication, so the counters can be checked at any time; with -v the tool also reports which reader it picked:

# yubico-piv-tool -v -a status
Trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.

Once the listing shows no PIN tries left, we can reset it:

# yubico-piv-tool -a reset

The reset wipes every key and certificate in the PIV application and restores the factory defaults: PIN 123456, PUK 12345678 and the default management key.

2.5 Set new Management Key, PIN and PUK

The management key is 24 random bytes (3DES on the Yubikey 4), passed to the tool as 48 hex characters. Use %02x so that every byte is zero-padded; with %x the 48 characters are not 24 uniformly random bytes.

# KEY=$(hexdump -v -e '/1 "%02x"' /dev/urandom | head -c 48)
# yubico-piv-tool -a set-mgm-key -n $KEY
# yubico-piv-tool -a change-pin -P 123456 -N $PIN
# yubico-piv-tool -a change-puk -P 12345678 -N $PUK

123456 and 12345678 are the factory defaults restored by the reset; $PIN (6 to 8 characters) and $PUK (8 characters) are the new values you chose. Keep $KEY: every later action that writes to the token needs it.

2.6 Create certificate

2.6.1 Generate Private Key

The key pair is generated inside the token and never leaves it; only the public key is written out:

# yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem

2.6.2 Generate Certificate Signing Request

# yubico-piv-tool -a verify-pin -a request-certificate -s 9a -P $PIN -S '/CN=test/O=EXAMPLE.ORG/' -i pub.pem -o req.pem

2.6.3 Create certificate

In a production environment the CSR is sent to the Security Administrator (or a similar role), who provides the certificate. For testing it is fine to generate a self-signed CA certificate and sign the request with it, here using NSS certutil. The database and the noise file used for key generation have to exist first:

# base64 /dev/urandom | head -c 20 > pwfile
# certutil -N -d /tmp/nssdb/ -f pwfile
# head -c 1024 /dev/urandom > noise
# echo -e "y\n\ny\n" | certutil -d /tmp/nssdb/ -f pwfile -S -x -n ca -t T, -m 1 -s "CN=Smart Card CA,O=EXAMPLE.ORG" -z noise -2

The three piped answers go to the prompts raised by -2 (basic constraints): it is a CA, there is no path length limit, and the extension is critical. Now sign the request; $RANDOM is good enough as a serial number for a test CA, but a real CA must track serials so they never repeat:

# certutil -d /tmp/nssdb/ -f pwfile -C -c ca -m $RANDOM -a -i req.pem -o cert.pem --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

The CA certificate will be needed later (section 4.6) and can be exported to a file:

# certutil -d /tmp/nssdb/ -f pwfile -L -n ca -a -o ca.pem

2.6.4 Import the certificate into Yubikey

# yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a

3 Assign the certificate to FreeIPA user

The ipa user-add-cert command expects only the base64 encoded blob, without the PEM armor: `tail -n +2` omits the -----BEGIN CERTIFICATE----- line and `head -n -1` omits the -----END CERTIFICATE----- line. For the user test, whose CN was used in the CSR:

# ipa user-add-cert test --certificate="$(tail -n +2 cert.pem | head -n -1)"
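The procedure of sections 2.4.1 to 3, condensed into one script. This is an added example, not code from the original page or from Yubico or FreeIPA. It assumes a single Yubikey 4 at the factory defaults that `-a reset` restores, the default retry count of 3 for PIN and PUK, FreeIPA's `ipa user-add-cert` command, and the file names pub.pem, req.pem, cert.pem and yubikey-secrets.txt; the functions gen_mgm_key, gen_pin, gen_puk and pem_to_blob need no token, the rest only run when a subcommand is given.

```shell
#!/bin/sh
# Added example for sections 2.4.1 to 3; not code from the original page.
# Assumptions: one Yubikey 4 at the factory defaults that `-a reset`
# restores, the default retry count of 3 for PIN and PUK, FreeIPA's
# `ipa user-add-cert`, and the file names pub.pem, req.pem, cert.pem and
# yubikey-secrets.txt. gen_mgm_key, gen_pin, gen_puk and pem_to_blob need
# no hardware; the other functions only run when a subcommand is given.

# 24 random bytes as 48 lowercase hex characters: a 3DES management key for
# the Yubikey 4. od zero-pads every byte, unlike hexdump's "%x", so each
# nibble is uniformly random.
gen_mgm_key() {
    od -An -vtx1 -N24 /dev/urandom | tr -d ' \n'
}

# Numeric PIN (PIV allows 6 to 8 characters) and PUK (exactly 8).
gen_pin() { tr -dc '0-9' < /dev/urandom | head -c 6; }
gen_puk() { tr -dc '0-9' < /dev/urandom | head -c 8; }

# Section 2.4.1: `-a reset` requires both PIN and PUK to be blocked, so burn
# the three default retries of each with wrong values, then reset.
block_and_reset() {
    i=0
    while [ "$i" -lt 3 ]; do
        yubico-piv-tool -a verify-pin -P 000000 || true
        yubico-piv-tool -a unblock-pin -P 00000000 -N 000000 || true
        i=$((i + 1))
    done
    yubico-piv-tool -a reset
}

# Sections 2.5 to 2.6.2: fresh management key, PIN and PUK, an RSA-2048 key
# generated inside slot 9a, and a CSR for it. The secrets go to a mode-600
# file instead of staying in the shell history.
provision_yubikey() {
    subject=${1:-/CN=test/O=EXAMPLE.ORG/}
    KEY=$(gen_mgm_key); PIN=$(gen_pin); PUK=$(gen_puk)
    yubico-piv-tool -a set-mgm-key -n "$KEY"
    yubico-piv-tool -a change-pin -P 123456 -N "$PIN"
    yubico-piv-tool -a change-puk -P 12345678 -N "$PUK"
    yubico-piv-tool --key="$KEY" -a generate -s 9a -A RSA2048 -o pub.pem
    yubico-piv-tool -a verify-pin -a request-certificate -s 9a -P "$PIN" \
        -S "$subject" -i pub.pem -o req.pem
    umask 077
    printf 'KEY=%s\nPIN=%s\nPUK=%s\n' "$KEY" "$PIN" "$PUK" > yubikey-secrets.txt
    echo "CSR in req.pem, secrets in yubikey-secrets.txt" >&2
}

# Section 3 helper: the base64 body of the FIRST certificate in a PEM file
# as a single line. Tolerates CRLF and wrapped lines and stops at the first
# END marker, so a chain file does not leak the CA certificate into the
# user entry the way `tail -n +2 | head -n -1` would. Returns 1 when no
# certificate is found or the body is not valid base64.
pem_to_blob() {
    blob=$(awk '{ sub(/\r$/, "") }
                /^-----BEGIN CERTIFICATE-----$/ { inside = 1; next }
                /^-----END CERTIFICATE-----$/   { if (inside) exit }
                inside { printf "%s", $0 }' "$1") || return 1
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | base64 -d > /dev/null 2>&1 || return 1
    printf '%s' "$blob"
}

# Section 3: attach the certificate to the FreeIPA user (needs an admin
# Kerberos ticket from kinit).
register_with_ipa() {
    blob=$(pem_to_blob "$2") || { echo "no certificate in $2" >&2; return 1; }
    ipa user-add-cert "$1" --certificate="$blob"
}

case "${1:-}" in
    reset)     block_and_reset ;;
    provision) provision_yubikey "${2:-}" ;;
    register)  register_with_ipa "${2:?user}" "${3:-cert.pem}" ;;
esac
```

Saved as, say, yubikey-provision.sh (the name is an assumption), the order is `sh yubikey-provision.sh reset`, then `provision`, then the signing step of 2.6.3 and the import of 2.6.4 by hand, then `register test cert.pem`. pem_to_blob deliberately stops at the first END marker: a chain file handed to the page's `tail | head` pipeline would register the CA certificate's base64 as part of the user's certificate and the call would fail or, worse, bind the wrong certificate.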