Fix a few typos in the documentation
@@ -1,5 +1,5 @@
|
|||||||
Certificate Authority with
|
Certificate Authority with a YubiKey
|
||||||
------------------------------
|
------------------------------------
|
||||||
|
|
||||||
This document explains how to set up a Certificate Authority (CA) with
|
This document explains how to set up a Certificate Authority (CA) with
|
||||||
Sub-CA private keys stored on YubiKeys. Typical use for this is
|
Sub-CA private keys stored on YubiKeys. Typical use for this is
|
||||||
@@ -15,7 +15,7 @@ generate the Sub-CA private keys on an offline host and save a copy of
|
|||||||
those keys.
|
those keys.
|
||||||
|
|
||||||
We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit
|
We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit
|
||||||
keys for the Sub-CAs and EE certificates. The is limited to
|
keys for the Sub-CAs and EE certificates. The YubiKey is limited to
|
||||||
RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that
|
RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that
|
||||||
here).
|
here).
|
||||||
|
|
||||||
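Review bot: the missing word is restored in "The YubiKey is limited to", but the unchanged sentence just above it still reads "a RSA 3744 bit root CA key, and RSA 2048 bit keys"; since this is a typo pass, "an RSA 3744-bit root CA key, and RSA 2048-bit keys" is the conventional wording and could go in the same commit. It would also help readers if the text said which YubiKey models the "RSA 1k and 2k keys" limit applies to, because that limit is the stated reason the Sub-CAs use 2048-bit keys while the root uses 3744.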
@@ -108,7 +108,7 @@ Generate new management code, PIN and PUK as follows:
|
|||||||
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
|
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
|
||||||
echo $puk > yubico-internal-https-$user-puk.txt
|
echo $puk > yubico-internal-https-$user-puk.txt
|
||||||
|
|
||||||
Configure a fresh with these parameters as follows:
|
Configure a fresh YubiKey with these parameters as follows:
|
||||||
|
|
||||||
yubico-piv-tool -a set-mgm-key -n $key
|
yubico-piv-tool -a set-mgm-key -n $key
|
||||||
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
|
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
|
||||||
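Review bot: the unchanged context above the fixed line derives the PUK with `dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`, which does not produce a uniform 8-digit value: each byte is printed as one to three decimal digits, so any byte of 100 or more always contributes a leading 1 or 2, and when several bytes are small the string can come out shorter than 8 digits. A draw that yields exactly 8 uniformly distributed digits, for example `tr -dc 0-9 </dev/urandom | head -c 8`, would be a safer recipe to publish while this section is being edited.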
@@ -157,11 +157,11 @@ You may inspect the newly generated EE cert with this command:
|
|||||||
|
|
||||||
openssl x509 -text < yubico-internal-https-subca-$user-crt.pem
|
openssl x509 -text < yubico-internal-https-subca-$user-crt.pem
|
||||||
|
|
||||||
Import Sub-CA key to:
|
Import Sub-CA key to the YubiKey:
|
||||||
|
|
||||||
yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem
|
yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem
|
||||||
|
|
||||||
Import Sub-CA cert to:
|
Import Sub-CA cert to the YubiKey:
|
||||||
|
|
||||||
yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem
|
yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem
|
||||||
|
|
||||||
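Review bot: the corrected lines now say the Sub-CA key and certificate are imported "to the YubiKey" but still do not say where on it; both commands use `-s 9c`, the PIV Digital Signature slot, so naming the slot in the prose (for example "into slot 9c (Digital Signature) on the YubiKey") would tell readers which slot to reference later when they sign with this Sub-CA. The two import commands agree on the slot, which is the part that matters.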
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
Request, load and use OS X code signing certificates
|
Request, load and use OS X code signing certificates
|
||||||
---------------------------------------------------
|
---------------------------------------------------
|
||||||
|
|
||||||
This is a short step-by-step on how to generate a key in the,
|
This is a short step-by-step on how to generate a key on a YubiKey,
|
||||||
create a certificate request, submit that request to apple, load the
|
create a certificate request, submit that request to apple, load the
|
||||||
certificate in the and use it for code signing.
|
certificate in the YubiKey and use it for code signing.
|
||||||
|
|
||||||
Prerequisites
|
Prerequisites
|
||||||
-------------
|
-------------
|
||||||
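Review bot: "submit that request to apple" in the unchanged context line should read "Apple"; it sits between the two lines being corrected, so it is worth folding into the same typo fix.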
@@ -49,7 +49,7 @@ NOTE: -K DER is available from version 0.1.3, with earlier convert to PEM and im
|
|||||||
|
|
||||||
$ yubico-piv-tool -a set-chuid
|
$ yubico-piv-tool -a set-chuid
|
||||||
|
|
||||||
9. Re-plug the and make sure the certificates show up under the keychain
|
9. Re-plug the YubiKey and make sure the certificates show up under the keychain
|
||||||
"PIV_II" in Keychain Access.
|
"PIV_II" in Keychain Access.
|
||||||
|
|
||||||
10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign
|
10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
Using PIV for SSH through PKCS11
|
Using PIV for SSH through PKCS11
|
||||||
--------------------------------
|
--------------------------------
|
||||||
|
|
||||||
This is a step-by-step for how to get a with PIV to work for
|
This is a step-by-step for how to get a YubiKey with PIV to work for
|
||||||
public-key authentication with OpenSSH through PKCS11.
|
public-key authentication with OpenSSH through PKCS11.
|
||||||
Primarily on a OS X or Linux system.
|
Primarily on a OS X or Linux system.
|
||||||
|
|
||||||
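Review bot: the context line "Primarily on a OS X or Linux system." should read "an OS X or Linux system" (OS X starts with a vowel sound when spoken); same typo pass as the "a YubiKey with PIV" fix above it.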
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
Request and load a certificate from Windows CA
|
Request and load a certificate from Windows CA
|
||||||
----------------------------------------------
|
----------------------------------------------
|
||||||
|
|
||||||
This is a short step-by-step on how to generate a key in the,
|
This is a short step-by-step on how to generate a key on a YubiKey,
|
||||||
create a certificate request, submit that request to a Windows CA
|
create a certificate request, submit that request to a Windows CA
|
||||||
and then load the certificate in the.
|
and then load the certificate on the YubiKey.
|
||||||
|
|
||||||
Prerequisites
|
Prerequisites
|
||||||
-------------
|
-------------
|
||||||
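Review bot: this file now says "load the certificate on the YubiKey" while the OS X code-signing document in the same commit was changed to "certificate in the YubiKey"; pick one preposition for both so the docs read consistently.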
@@ -31,7 +31,7 @@ Steps
|
|||||||
|
|
||||||
certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt
|
certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt
|
||||||
|
|
||||||
4. Load the certificate in the:
|
4. Load the certificate on the YubiKe:
|
||||||
(--key[=STRING] is needed if the management key value is not the default value)
|
(--key[=STRING] is needed if the management key value is not the default value)
|
||||||
|
|
||||||
yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING]
|
yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING]
|
||||||
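Review bot: the new line "4. Load the certificate on the YubiKe:" introduces a typo; it should be "YubiKey:". Separately, the unchanged command below it, `yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING]`, copies the option-help syntax literally, and readers may paste it as is; showing `--key=<management-key>` (or simply `--key` with the value substituted) would be clearer.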
|
|||||||
@@ -29,8 +29,8 @@ The maximum size of stored objects is 2005 bytes.
|
|||||||
Currently all functionality are available over both contact and
|
Currently all functionality are available over both contact and
|
||||||
contactless interfaces (contrary to what the specifications mandate).
|
contactless interfaces (contrary to what the specifications mandate).
|
||||||
|
|
||||||
Preparing a for real use
|
Preparing a YubiKey for real use
|
||||||
------------------------
|
--------------------------------
|
||||||
|
|
||||||
You would typically change the management key to make sure nobody but
|
You would typically change the management key to make sure nobody but
|
||||||
you can modify the state of the PIV application on the YubiKey. Make sure to
|
you can modify the state of the PIV application on the YubiKey. Make sure to
|
||||||
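Review bot: the lengthened underline matches the new 32-character heading "Preparing a YubiKey for real use", so the section title still renders; the unchanged context line "Currently all functionality are available over both contact and" should read "all functionality is available" and could be fixed in the same pass.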
|
|||||||