Typo.
@@ -80,9 +80,7 @@ counter as follows:
|
|||||||
permitted;IP.0=0.0.0.0/255.255.255.255
|
permitted;IP.0=0.0.0.0/255.255.255.255
|
||||||
permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
openssl req -new -sha256 -x509 -set_serial 1 -days 1 -config yubico-internal-https-ca.conf -key yubico-internal-https-ca-key.pem -out yubico-internal-https-ca-crt.pem
|
openssl req -new -sha256 -x509 -set_serial 1 -days 1 -config yubico-internal-https-ca.conf -key yubico-internal-https-ca-key.pem -out yubico-internal-https-ca-crt.pem
|
||||||
|
|
||||||
echo 01 > yubico-internal-https-ca-crt.srl
|
echo 01 > yubico-internal-https-ca-crt.srl
|
||||||
|
|
||||||
You may inspect the newly generated root CA with:
|
You may inspect the newly generated root CA with:
|
||||||
@@ -101,13 +99,10 @@ This step is parametrized with the name of the YubiKey NEO user.
|
|||||||
Generate new management code, PIN and PUK as follows:
|
Generate new management code, PIN and PUK as follows:
|
||||||
|
|
||||||
user=Simon
|
user=Simon
|
||||||
|
|
||||||
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
|
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
|
||||||
echo $key > yubico-internal-https-$user-key.txt
|
echo $key > yubico-internal-https-$user-key.txt
|
||||||
|
|
||||||
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
|
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
|
||||||
echo $pin > yubico-internal-https-$user-pin.txt
|
echo $pin > yubico-internal-https-$user-pin.txt
|
||||||
|
|
||||||
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
|
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
|
||||||
echo $puk > yubico-internal-https-$user-puk.txt
|
echo $puk > yubico-internal-https-$user-puk.txt
|
||||||
|
|
||||||
@@ -136,7 +131,7 @@ Generate the private key:
|
|||||||
|
|
||||||
openssl genrsa -out yubico-internal-https-subca-$user-key.pem 2048
|
openssl genrsa -out yubico-internal-https-subca-$user-key.pem 2048
|
||||||
|
|
||||||
Generate the Sub-CA certificate:
|
Generate the Sub-CA certificate request:
|
||||||
|
|
||||||
cat>yubico-internal-https-subca-$user-csr.conf<<EOF
|
cat>yubico-internal-https-subca-$user-csr.conf<<EOF
|
||||||
[ req ]
|
[ req ]
|
||||||
@@ -145,16 +140,15 @@ Generate the Sub-CA certificate:
|
|||||||
[ req_distinguished_name ]
|
[ req_distinguished_name ]
|
||||||
CN=Yubico Internal HTTPS $user Sub-CA
|
CN=Yubico Internal HTTPS $user Sub-CA
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
openssl req -sha256 -new -config yubico-internal-https-subca-$user-csr.conf -key yubico-internal-https-subca-$user-key.pem -nodes -out yubico-internal-https-subca-$user-csr.pem
|
openssl req -sha256 -new -config yubico-internal-https-subca-$user-csr.conf -key yubico-internal-https-subca-$user-key.pem -nodes -out yubico-internal-https-subca-$user-csr.pem
|
||||||
|
|
||||||
|
Generate the Sub-CA certificate:
|
||||||
|
|
||||||
cat>yubico-internal-https-subca-$user-crt.conf<<EOF
|
cat>yubico-internal-https-subca-$user-crt.conf<<EOF
|
||||||
basicConstraints = CA:true, pathlen:0
|
basicConstraints = CA:true, pathlen:0
|
||||||
keyUsage=critical, keyCertSign
|
keyUsage=critical, keyCertSign
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
openssl x509 -sha256 -CA yubico-internal-https-ca-crt.pem -CAkey yubico-internal-https-ca-key.pem -req -in yubico-internal-https-subca-$user-csr.pem -extfile yubico-internal-https-subca-$user-crt.conf -out yubico-internal-https-subca-$user-crt.pem
|
openssl x509 -sha256 -CA yubico-internal-https-ca-crt.pem -CAkey yubico-internal-https-ca-key.pem -req -in yubico-internal-https-subca-$user-csr.pem -extfile yubico-internal-https-subca-$user-crt.conf -out yubico-internal-https-subca-$user-crt.pem
|
||||||
|
|
||||||
echo 00 > yubico-internal-https-subca-$user-crt.srl
|
echo 00 > yubico-internal-https-subca-$user-crt.srl
|
||||||
|
|
||||||
You may inspect the newly generated EE cert with this command:
|
You may inspect the newly generated EE cert with this command:
|
||||||
@@ -181,7 +175,6 @@ Sub-CA used to sign the EE, so set it first:
|
|||||||
Then generate a new private key and certificate request:
|
Then generate a new private key and certificate request:
|
||||||
|
|
||||||
openssl genrsa -out yubico-internal-https-ee-$host-key.pem 2048
|
openssl genrsa -out yubico-internal-https-ee-$host-key.pem 2048
|
||||||
|
|
||||||
cat>yubico-internal-https-ee-$host-csr.conf<<EOF
|
cat>yubico-internal-https-ee-$host-csr.conf<<EOF
|
||||||
[ req ]
|
[ req ]
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
@@ -195,11 +188,10 @@ Then sign the certificate using the NEO:
|
|||||||
|
|
||||||
cat>yubico-internal-https-ee-$host-crt.conf<<EOF
|
cat>yubico-internal-https-ee-$host-crt.conf<<EOF
|
||||||
EOF
|
EOF
|
||||||
|
openssl << EOF
|
||||||
openssl << EOT
|
|
||||||
engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -pre VERBOSE
|
engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -pre VERBOSE
|
||||||
x509 -engine pkcs11 -CAkeyform engine -CAkey slot_1-id_2 -sha256 -CA yubico-internal-https-subca-$user-crt.pem -req -passin pass:$pin -in yubico-internal-https-ee-$host-csr.pem -extfile yubico-internal-https-ee-$host-crt.conf -out yubico-internal-https-ee-$host-crt.pem
|
x509 -engine pkcs11 -CAkeyform engine -CAkey slot_1-id_2 -sha256 -CA yubico-internal-https-subca-$user-crt.pem -req -passin pass:$pin -in yubico-internal-https-ee-$host-csr.pem -extfile yubico-internal-https-ee-$host-crt.conf -out yubico-internal-https-ee-$host-crt.pem
|
||||||
EOT
|
EOF
|
||||||
|
|
||||||
You may inspect the newly generated EE cert with this command:
|
You may inspect the newly generated EE cert with this command:
|
||||||
|
|
||||||
|
|||||||
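Review bot: On the `puk=` line in the hunk at @@ -101,13 +99,10, `dd` reads only `count=6` random bytes while `cut -c1-8` keeps eight characters; `hexdump -e '/1 "%u"'` prints each byte as one to three decimal digits, so six bytes yield anywhere from 6 to 18 digits and the PUK can come out shorter than the intended eight. Changing `count=6` to `count=8` on that line guarantees at least eight digits before the cut, matching how the `pin=` line pairs `count=6` with `cut -c1-6`. Independently of length, decimal-formatting raw bytes this way presumably gives a biased digit distribution (single-digit values are over-represented at the cut), so the effective entropy is lower than eight uniform digits would suggest — worth confirming against the PUK/PIN strength the guide expects. The `echo $key > ...`, `echo $pin > ...` and `echo $puk > ...` lines also write these secrets under the caller's default umask; a `umask 077` before them, or a sentence in the guide telling the operator to run these steps with a restrictive umask, would keep the files from being group- or world-readable.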