Fix a few typos in the documentation

Alessio Di Mauro
2016-08-11 09:32:24 +02:00
parent 572b04a77c
commit 9313cde7eb
5 changed files with 17 additions and 17 deletions
+6 -6
@@ -1,5 +1,5 @@
Certificate Authority with Certificate Authority with a YubiKey
------------------------------ ------------------------------------
This document explains how to set up a Certificate Authority (CA) with This document explains how to set up a Certificate Authority (CA) with
Sub-CA private keys stored on YubiKeys. Typical use for this is Sub-CA private keys stored on YubiKeys. Typical use for this is
@@ -15,7 +15,7 @@ generate the Sub-CA private keys on an offline host and save a copy of
those keys. those keys.
We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit
keys for the Sub-CAs and EE certificates. The is limited to keys for the Sub-CAs and EE certificates. The YubiKey is limited to
RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that
here). here).
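Review bot: the context line just above the corrected sentence still reads `a RSA 3744 bit root CA key`. Since this commit is a typo pass, change it to `an RSA 3744-bit root CA key` and hyphenate `2048-bit` in the same sentence to match.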
@@ -108,7 +108,7 @@ Generate new management code, PIN and PUK as follows:
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8` puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo $puk > yubico-internal-https-$user-puk.txt echo $puk > yubico-internal-https-$user-puk.txt
Configure a fresh with these parameters as follows: Configure a fresh YubiKey with these parameters as follows:
yubico-piv-tool -a set-mgm-key -n $key yubico-piv-tool -a set-mgm-key -n $key
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
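Review bot: the unchanged `puk=` line at the top of this hunk derives the PUK by printing six random bytes as decimal numbers and cutting the first eight characters, which skews the digit distribution (most byte values render as three digits starting with 1 or 2) and can in rare cases give fewer than eight digits. While this section is being edited, consider documenting a derivation that draws each digit uniformly. The following `echo $puk > yubico-internal-https-$user-puk.txt` writes the PUK with whatever permissions the current umask allows, so a `umask 077` ahead of these steps would be worth adding, and `-P 123456 -N $pin` places the new PIN on the command line where it is visible in the process list and shell history.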
@@ -157,11 +157,11 @@ You may inspect the newly generated EE cert with this command:
openssl x509 -text < yubico-internal-https-subca-$user-crt.pem openssl x509 -text < yubico-internal-https-subca-$user-crt.pem
Import Sub-CA key to: Import Sub-CA key to the YubiKey:
yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem
Import Sub-CA cert to: Import Sub-CA cert to the YubiKey:
yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem
+3 -3
@@ -1,9 +1,9 @@
Request, load and use OS X code signing certificates Request, load and use OS X code signing certificates
--------------------------------------------------- ---------------------------------------------------
This is a short step-by-step on how to generate a key in the, This is a short step-by-step on how to generate a key on a YubiKey,
create a certificate request, submit that request to apple, load the create a certificate request, submit that request to apple, load the
certificate in the and use it for code signing. certificate in the YubiKey and use it for code signing.
Prerequisites Prerequisites
------------- -------------
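Review bot: the rewritten intro mixes prepositions, `generate a key on a YubiKey` but `load the certificate in the YubiKey`, while the Windows CA document changed in this same commit uses `on the YubiKey` in both places; pick one form and use it throughout. The unchanged middle line also still has `apple` in lower case.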
@@ -49,7 +49,7 @@ NOTE: -K DER is available from version 0.1.3, with earlier convert to PEM and im
$ yubico-piv-tool -a set-chuid $ yubico-piv-tool -a set-chuid
9. Re-plug the and make sure the certificates show up under the keychain 9. Re-plug the YubiKey and make sure the certificates show up under the keychain
"PIV_II" in Keychain Access. "PIV_II" in Keychain Access.
10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign 10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign
+1 -1
@@ -1,7 +1,7 @@
Using PIV for SSH through PKCS11 Using PIV for SSH through PKCS11
-------------------------------- --------------------------------
This is a step-by-step for how to get a with PIV to work for This is a step-by-step for how to get a YubiKey with PIV to work for
public-key authentication with OpenSSH through PKCS11. public-key authentication with OpenSSH through PKCS11.
Primarily on a OS X or Linux system. Primarily on a OS X or Linux system.
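Review bot: the last context line still reads `Primarily on a OS X or Linux system.`, a sentence fragment that also needs `an OS X`. It is worth fixing in the same pass, for example by folding it into the preceding sentence.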
+5 -5
@@ -1,9 +1,9 @@
Request and load a certificate from Windows CA Request and load a certificate from Windows CA
---------------------------------------------- ----------------------------------------------
This is a short step-by-step on how to generate a key in the, This is a short step-by-step on how to generate a key on a YubiKey,
create a certificate request, submit that request to a Windows CA create a certificate request, submit that request to a Windows CA
and then load the certificate in the. and then load the certificate on the YubiKey.
Prerequisites Prerequisites
------------- -------------
@@ -17,9 +17,9 @@ Steps
1. Generate the key: 1. Generate the key:
(--key[=STRING] is needed if the management key value is no longer the default value) (--key[=STRING] is needed if the management key value is no longer the default value)
yubico-piv-tool -s 9a -a generate -o public.pem --key[=STRING] yubico-piv-tool -s 9a -a generate -o public.pem --key[=STRING]
2. Request a certificate: 2. Request a certificate:
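Review bot: the command in step 1 still shows `--key[=STRING]` verbatim, which is usage-text notation and not an argument a reader can type as written. Suggest replacing it with a placeholder such as `--key=<management key>` and keeping the explanation in the parenthetical. The visible lines of this hunk are otherwise identical on both sides, so if the change here is whitespace only, the commit message should say so.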
@@ -31,7 +31,7 @@ Steps
certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt
4. Load the certificate in the: 4. Load the certificate on the YubiKe:
(--key[=STRING] is needed if the management key value is not the default value) (--key[=STRING] is needed if the management key value is not the default value)
yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING] yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING]
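Review bot: the new step 4 heading reads `Load the certificate on the YubiKe:`, which introduces a fresh typo in a commit meant to remove them; it should be `Load the certificate on the YubiKey:`.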
+2 -2
@@ -29,8 +29,8 @@ The maximum size of stored objects is 2005 bytes.
Currently all functionality are available over both contact and Currently all functionality are available over both contact and
contactless interfaces (contrary to what the specifications mandate). contactless interfaces (contrary to what the specifications mandate).
Preparing a for real use Preparing a YubiKey for real use
------------------------ --------------------------------
You would typically change the management key to make sure nobody but You would typically change the management key to make sure nobody but
you can modify the state of the PIV application on the YubiKey. Make sure to you can modify the state of the PIV application on the YubiKey. Make sure to