Simon Josefsson
2014-10-01 14:26:01 +02:00
parent c310969973
commit 3052bc4bd6
+7 -15
@@ -80,9 +80,7 @@ counter as follows:
permitted;IP.0=0.0.0.0/255.255.255.255 permitted;IP.0=0.0.0.0/255.255.255.255
permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff permitted;IP.1=::/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
EOF EOF
openssl req -new -sha256 -x509 -set_serial 1 -days 1 -config yubico-internal-https-ca.conf -key yubico-internal-https-ca-key.pem -out yubico-internal-https-ca-crt.pem openssl req -new -sha256 -x509 -set_serial 1 -days 1 -config yubico-internal-https-ca.conf -key yubico-internal-https-ca-key.pem -out yubico-internal-https-ca-crt.pem
echo 01 > yubico-internal-https-ca-crt.srl echo 01 > yubico-internal-https-ca-crt.srl
You may inspect the newly generated root CA with: You may inspect the newly generated root CA with:
@@ -101,13 +99,10 @@ This step is parametrized with the name of the YubiKey NEO user.
Generate new management code, PIN and PUK as follows: Generate new management code, PIN and PUK as follows:
user=Simon user=Simon
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key > yubico-internal-https-$user-key.txt echo $key > yubico-internal-https-$user-key.txt
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6` pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
echo $pin > yubico-internal-https-$user-pin.txt echo $pin > yubico-internal-https-$user-pin.txt
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8` puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo $puk > yubico-internal-https-$user-puk.txt echo $puk > yubico-internal-https-$user-puk.txt
@@ -136,7 +131,7 @@ Generate the private key:
openssl genrsa -out yubico-internal-https-subca-$user-key.pem 2048 openssl genrsa -out yubico-internal-https-subca-$user-key.pem 2048
Generate the Sub-CA certificate: Generate the Sub-CA certificate request:
cat>yubico-internal-https-subca-$user-csr.conf<<EOF cat>yubico-internal-https-subca-$user-csr.conf<<EOF
[ req ] [ req ]
@@ -145,16 +140,15 @@ Generate the Sub-CA certificate:
[ req_distinguished_name ] [ req_distinguished_name ]
CN=Yubico Internal HTTPS $user Sub-CA CN=Yubico Internal HTTPS $user Sub-CA
EOF EOF
openssl req -sha256 -new -config yubico-internal-https-subca-$user-csr.conf -key yubico-internal-https-subca-$user-key.pem -nodes -out yubico-internal-https-subca-$user-csr.pem openssl req -sha256 -new -config yubico-internal-https-subca-$user-csr.conf -key yubico-internal-https-subca-$user-key.pem -nodes -out yubico-internal-https-subca-$user-csr.pem
Generate the Sub-CA certificate:
cat>yubico-internal-https-subca-$user-crt.conf<<EOF cat>yubico-internal-https-subca-$user-crt.conf<<EOF
basicConstraints = CA:true, pathlen:0 basicConstraints = CA:true, pathlen:0
keyUsage=critical, keyCertSign keyUsage=critical, keyCertSign
EOF EOF
openssl x509 -sha256 -CA yubico-internal-https-ca-crt.pem -CAkey yubico-internal-https-ca-key.pem -req -in yubico-internal-https-subca-$user-csr.pem -extfile yubico-internal-https-subca-$user-crt.conf -out yubico-internal-https-subca-$user-crt.pem openssl x509 -sha256 -CA yubico-internal-https-ca-crt.pem -CAkey yubico-internal-https-ca-key.pem -req -in yubico-internal-https-subca-$user-csr.pem -extfile yubico-internal-https-subca-$user-crt.conf -out yubico-internal-https-subca-$user-crt.pem
echo 00 > yubico-internal-https-subca-$user-crt.srl echo 00 > yubico-internal-https-subca-$user-crt.srl
You may inspect the newly generated EE cert with this command: You may inspect the newly generated EE cert with this command:
@@ -181,7 +175,6 @@ Sub-CA used to sign the EE, so set it first:
Then generate a new private key and certificate request: Then generate a new private key and certificate request:
openssl genrsa -out yubico-internal-https-ee-$host-key.pem 2048 openssl genrsa -out yubico-internal-https-ee-$host-key.pem 2048
cat>yubico-internal-https-ee-$host-csr.conf<<EOF cat>yubico-internal-https-ee-$host-csr.conf<<EOF
[ req ] [ req ]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
@@ -195,11 +188,10 @@ Then sign the certificate using the NEO:
cat>yubico-internal-https-ee-$host-crt.conf<<EOF cat>yubico-internal-https-ee-$host-crt.conf<<EOF
EOF EOF
openssl << EOF
openssl << EOT engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -pre VERBOSE
engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -pre VERBOSE x509 -engine pkcs11 -CAkeyform engine -CAkey slot_1-id_2 -sha256 -CA yubico-internal-https-subca-$user-crt.pem -req -passin pass:$pin -in yubico-internal-https-ee-$host-csr.pem -extfile yubico-internal-https-ee-$host-crt.conf -out yubico-internal-https-ee-$host-crt.pem
x509 -engine pkcs11 -CAkeyform engine -CAkey slot_1-id_2 -sha256 -CA yubico-internal-https-subca-$user-crt.pem -req -passin pass:$pin -in yubico-internal-https-ee-$host-csr.pem -extfile yubico-internal-https-ee-$host-crt.conf -out yubico-internal-https-ee-$host-crt.pem EOF
EOT
You may inspect the newly generated EE cert with this command: You may inspect the newly generated EE cert with this command: