diff --git a/doc/Certificate_Authority.adoc b/doc/Certificate_Authority.adoc index 7847cb4..13a96fb 100644 --- a/doc/Certificate_Authority.adoc +++ b/doc/Certificate_Authority.adoc @@ -1,5 +1,5 @@ -Certificate Authority with ------------------------------- +Certificate Authority with a YubiKey +------------------------------------ This document explains how to set up a Certificate Authority (CA) with Sub-CA private keys stored on YubiKeys. Typical use for this is @@ -15,7 +15,7 @@ generate the Sub-CA private keys on an offline host and save a copy of those keys. We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit -keys for the Sub-CAs and EE certificates. The is limited to +keys for the Sub-CAs and EE certificates. The YubiKey is limited to RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that here). @@ -108,7 +108,7 @@ Generate new management code, PIN and PUK as follows: puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8` echo $puk > yubico-internal-https-$user-puk.txt -Configure a fresh with these parameters as follows: +Configure a fresh YubiKey with these parameters as follows: yubico-piv-tool -a set-mgm-key -n $key yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin @@ -157,11 +157,11 @@ You may inspect the newly generated EE cert with this command: openssl x509 -text < yubico-internal-https-subca-$user-crt.pem -Import Sub-CA key to: +Import Sub-CA key to the YubiKey: yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem -Import Sub-CA cert to: +Import Sub-CA cert to the YubiKey: yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem diff --git a/doc/OS_X_code_signing.adoc b/doc/OS_X_code_signing.adoc index b58876b..a6f6e81 100644 --- a/doc/OS_X_code_signing.adoc +++ b/doc/OS_X_code_signing.adoc 
@@ -1,9 +1,9 @@ Request, load and use OS X code signing certificates --------------------------------------------------- -This is a short step-by-step on how to generate a key in the, +This is a short step-by-step on how to generate a key on a YubiKey, create a certificate request, submit that request to apple, load the -certificate in the and use it for code signing. +certificate in the YubiKey and use it for code signing. Prerequisites ------------- @@ -49,7 +49,7 @@ NOTE: -K DER is available from version 0.1.3, with earlier convert to PEM and im $ yubico-piv-tool -a set-chuid -9. Re-plug the and make sure the certificates show up under the keychain +9. Re-plug the YubiKey and make sure the certificates show up under the keychain "PIV_II" in Keychain Access. 10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign diff --git a/doc/SSH_with_PIV_and_PKCS11.adoc b/doc/SSH_with_PIV_and_PKCS11.adoc index 5e298f6..ff4b114 100644 --- a/doc/SSH_with_PIV_and_PKCS11.adoc +++ b/doc/SSH_with_PIV_and_PKCS11.adoc @@ -1,7 +1,7 @@ Using PIV for SSH through PKCS11 -------------------------------- -This is a step-by-step for how to get a with PIV to work for +This is a step-by-step for how to get a YubiKey with PIV to work for public-key authentication with OpenSSH through PKCS11. Primarily on a OS X or Linux system. diff --git a/doc/Windows_certificate.adoc b/doc/Windows_certificate.adoc index ffdf6d2..ede262d 100644 --- a/doc/Windows_certificate.adoc +++ b/doc/Windows_certificate.adoc @@ -1,9 +1,9 @@ Request and load a certificate from Windows CA ---------------------------------------------- -This is a short step-by-step on how to generate a key in the, +This is a short step-by-step on how to generate a key on a YubiKey, create a certificate request, submit that request to a Windows CA -and then load the certificate in the. +and then load the certificate on the YubiKey. Prerequisites ------------- 
@@ -17,9 +17,9 @@ Steps 1. Generate the key: (--key[=STRING] is needed if the management key value is no longer the default value) - + yubico-piv-tool -s 9a -a generate -o public.pem --key[=STRING] - + 2. Request a certificate: @@ -31,7 +31,7 @@ Steps certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt -4. Load the certificate in the: +4. Load the certificate on the YubiKe: (--key[=STRING] is needed if the management key value is not the default value) yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING] diff --git a/doc/YubiKey_PIV_introduction.adoc b/doc/YubiKey_PIV_introduction.adoc index e1c8073..861dce6 100644 --- a/doc/YubiKey_PIV_introduction.adoc +++ b/doc/YubiKey_PIV_introduction.adoc @@ -29,8 +29,8 @@ The maximum size of stored objects is 2005 bytes. Currently all functionality are available over both contact and contactless interfaces (contrary to what the specifications mandate). -Preparing a for real use ------------------------- +Preparing a YubiKey for real use +-------------------------------- You would typically change the management key to make sure nobody but you can modify the state of the PIV application on the YubiKey. Make sure to
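Review bot: In doc/OS_X_code_signing.adoc (hunk @@ -1,9 +1,9 @@) the rewritten intro mixes prepositions: it says "generate a key on a YubiKey" but then "load the certificate in the YubiKey". The matching sentence in doc/Windows_certificate.adoc now ends "load the certificate on the YubiKey", so I suggest "on the YubiKey" here too, so that the two step-by-step documents read the same.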
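Review bot: The @@ -17,9 +17,9 @@ hunk in doc/Windows_certificate.adoc appears to change only whitespace: the removed and added lines on either side of `yubico-piv-tool -s 9a -a generate -o public.pem --key[=STRING]` have no visible text. If this is a trailing-whitespace cleanup, please say so in the commit message or move it to a separate commit, since it is unrelated to restoring the missing "YubiKey" wording and makes the rename harder to review.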
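Review bot: Typo in the added step heading in doc/Windows_certificate.adoc (hunk @@ -31,7 +31,7 @@): `+4. Load the certificate on the YubiKe:` is missing the final "y". Suggest `4. Load the certificate on the YubiKey:`, which also matches the intro sentence fixed in the first hunk of the same file ("load the certificate on the YubiKey").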