diff --git a/Makefile.am b/Makefile.am index 039a8f9..88d5fc4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -31,7 +31,7 @@ ACLOCAL_AMFLAGS = -I m4 EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl -EXTRA_DIST += doc/Certificate_Authority_with_NEO.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YubiKey_NEO_PIV_introduction.adoc +EXTRA_DIST += doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YubiKey_PIV_introduction.adoc if ENABLE_COV cov-reset: diff --git a/README b/README index bf95820..0215259 100644 --- a/README +++ b/README @@ -5,7 +5,7 @@ Introduction ------------ The Yubico PIV tool is used for interacting with the Privilege and -Identification Card (PIV) application on a https://www.yubico.com[YubiKey NEO]. +Identification Card (PIV) application on a https://www.yubico.com[YubiKey]. With it you may generate keys on the device, importing keys and certificates, and create certificate requests, and other operations. diff --git a/doc/Certificate_Authority_with_NEO.adoc b/doc/Certificate_Authority.adoc similarity index 90% rename from doc/Certificate_Authority_with_NEO.adoc rename to doc/Certificate_Authority.adoc index dd0687c..7847cb4 100644 --- a/doc/Certificate_Authority_with_NEO.adoc +++ b/doc/Certificate_Authority.adoc @@ -1,8 +1,8 @@ -Certificate Authority with NEO +Certificate Authority with ------------------------------ This document explains how to set up a Certificate Authority (CA) with -Sub-CA private keys stored on YubiKey NEOs. Typical use for this is +Sub-CA private keys stored on YubiKeys. Typical use for this is to generate HTTPS certificates for internal servers. Considerations 
@@ -10,12 +10,12 @@ Considerations For our example, we have chosen to use one root CA with a private key stored in an offline machine, that signs sub-CAs with private keys -stored on YubiKey NEOs, which signs end-entity (EE) certs. We'll +stored on YubiKeys, which signs end-entity (EE) certs. We'll generate the Sub-CA private keys on an offline host and save a copy of those keys. We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit -keys for the NEO Sub-CAs and EE certificates. The NEO is limited to +keys for the Sub-CAs and EE certificates. The is limited to RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that here). @@ -39,7 +39,7 @@ offline machine, booted from a LiveCD. Some additional packages may be required (pcscd, etc, see below) and will have to be transferred on a USB stick. -You need a YubiKey NEO with the PIV application on, which you can purchase +You need a YubiKey with the PIV application on, which you can purchase from Yubico. You need to install the PKCS#11 Engine: @@ -89,15 +89,15 @@ You may inspect the newly generated root CA with: openssl x509 -text < yubico-internal-https-ca-crt.pem -Preparing a Sub-CA NEO +Preparing a Sub-CA ---------------------- We need to change the management key, PIN and PUK code following the -YubiKey-NEO-PIV-Introduction.txt document. We also want to save a +YubiKey-PIV-Introduction.txt document. We also want to save a copy of these values. Here are the steps that are needed to be done -for each new Sub-CA NEO. +for each new Sub-CA. -This step is parametrized with the name of the YubiKey NEO user. +This step is parametrized with the name of the YubiKey user. Generate new management code, PIN and PUK as follows: user=Simon 
@@ -108,7 +108,7 @@ Generate new management code, PIN and PUK as follows: puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8` echo $puk > yubico-internal-https-$user-puk.txt -Configure a fresh NEO with these parameters as follows: +Configure a fresh with these parameters as follows: yubico-piv-tool -a set-mgm-key -n $key yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin @@ -117,7 +117,7 @@ Configure a fresh NEO with these parameters as follows: Creating a Sub-CA ----------------- -This step is parametrized with the name of the YubiKey NEO user. This +This step is parametrized with the name of the YubiKey user. This means we will have one Sub-CA for every person authorized to sign certificates in our CA. @@ -157,11 +157,11 @@ You may inspect the newly generated EE cert with this command: openssl x509 -text < yubico-internal-https-subca-$user-crt.pem -Import Sub-CA key to NEO: +Import Sub-CA key to: yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem -Import Sub-CA cert to NEO: +Import Sub-CA cert to: yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem @@ -190,7 +190,7 @@ Then generate a new private key and certificate request: EOF openssl req -sha256 -new -config yubico-internal-https-ee-$host-csr.conf -key yubico-internal-https-ee-$host-key.pem -nodes -out yubico-internal-https-ee-$host-csr.pem -Then sign the certificate using the NEO: +Then sign the certificate using the: cat>yubico-internal-https-ee-$host-crt.conf</dev/null | hexdump -v -e '/1 "%02X"'` diff --git a/tool/yubico-piv-tool.adoc b/tool/yubico-piv-tool.adoc index cbe17e5..1ed8ad9 100644 --- a/tool/yubico-piv-tool.adoc +++ b/tool/yubico-piv-tool.adoc 
@@ -30,7 +30,7 @@ For more information about what's happening --verbose can be added to any command. For much more information --verbose=2 may be used. -Display what version of the application is running on the YubiKey Neo: +Display what version of the application is running on the YubiKey: yubico-piv-tool -a version diff --git a/tool/yubico-piv-tool.h2m b/tool/yubico-piv-tool.h2m index f4925fc..8987cf1 100644 --- a/tool/yubico-piv-tool.h2m +++ b/tool/yubico-piv-tool.h2m @@ -30,7 +30,7 @@ For more information about what's happening \-\-verbose can be added to any command. For much more information \-\-verbose=2 may be used. -Display what version of the application is running on the YubiKey Neo: +Display what version of the application is running on the YubiKey: yubico\-piv\-tool \-a version
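Review bot: in README, hunk @@ -5,7 +5,7 @@, the edited sentence still expands PIV as "Privilege and Identification Card (PIV)"; PIV stands for Personal Identity Verification. Since the line is being touched anyway, change it to "the Personal Identity Verification (PIV) application on a https://www.yubico.com[YubiKey]". The context line after it mixes verb forms ("generate keys on the device, importing keys and certificates"); "import keys and certificates" would read consistently.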
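Review bot: in doc/Certificate_Authority.adoc, hunk @@ -1,8 +1,8 @@, the new title "Certificate Authority with " ends in a dangling "with" plus a trailing space, and the 30-dash underline beneath it was left at the old title's length. Use "Certificate Authority with YubiKey" (or drop "with" entirely) and resize the underline to the new title so the two-line title keeps rendering as a heading.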
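Review bot: in doc/Certificate_Authority.adoc, hunk @@ -10,12 +10,12 @@, the replacement "The is limited to RSA 1k and 2k keys" has lost its subject; restore it as "The YubiKey is limited to". That sentence was written about the NEO and the document now speaks of YubiKeys in general, so please also confirm the stated key-size limit holds for every device the text now covers, or name the models it applies to.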
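Review bot: in doc/Certificate_Authority.adoc, hunk @@ -89,15 +89,15 @@, removing "NEO" changes the meaning of the heading "Preparing a Sub-CA" and of "for each new Sub-CA.": this section sets the management key, PIN and PUK on a device, so it should read "Preparing a Sub-CA YubiKey" and "for each new Sub-CA YubiKey". The heading's underline is still 22 dashes and needs to follow the new title length. The cross-reference "YubiKey-PIV-Introduction.txt" also does not match the file name this patch puts in Makefile.am, doc/YubiKey_PIV_introduction.adoc; point it at the real file.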
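Review bot: in doc/Certificate_Authority.adoc, hunk @@ -108,7 +108,7 @@, "Configure a fresh with these parameters as follows:" is missing its noun; make it "Configure a fresh YubiKey with these parameters as follows:". While this section is open, the unchanged PUK line deserves a follow-up: it prints random bytes as decimal with '/1 "%u"' and cuts the result to 8 characters, so the digits are not uniform (every byte from 100 to 255 starts with 1 or 2), which weakens the PUK compared with 8 independently drawn digits.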
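Review bot: in doc/Certificate_Authority.adoc, hunk @@ -157,11 +157,11 @@, both new lead-ins end in a bare preposition: "Import Sub-CA key to:" and "Import Sub-CA cert to:". Replace the removed word rather than deleting it, for example "Import Sub-CA key to the YubiKey:" and "Import Sub-CA cert to the YubiKey:", so the reader knows the import-key and import-certificate commands below write to slot 9c on the device.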
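Review bot: in doc/Certificate_Authority.adoc, hunk @@ -190,7 +190,7 @@, "Then sign the certificate using the:" is left without an object after the search-and-replace; it should read "Then sign the certificate using the YubiKey:". The same pattern (article or preposition left behind where "NEO" was removed) appears in several hunks of this file, so a pass over the whole document for "the ", "a fresh ", "to:" and "with " at the removal sites would catch any remaining ones.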