Replace YubiKey NEO with YubiKey.

This commit is contained in:
Alessio Di Mauro
2015-11-06 13:39:21 +01:00
parent d38df01c6c
commit f5b1081f00
9 changed files with 32 additions and 32 deletions
+1 -1
@@ -31,7 +31,7 @@ ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl
EXTRA_DIST += doc/Certificate_Authority_with_NEO.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YubiKey_NEO_PIV_introduction.adoc EXTRA_DIST += doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YubiKey_PIV_introduction.adoc
if ENABLE_COV if ENABLE_COV
cov-reset: cov-reset:
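Review bot: EXTRA_DIST now lists doc/Certificate_Authority.adoc and doc/YubiKey_PIV_introduction.adoc, so the two documents must actually be renamed in the same commit (the renames are not visible in this hunk); if either file is missing, `make dist` fails when it tries to copy the listed sources. Worth confirming the rename hunks are part of the 9 changed files before merging.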
+1 -1
@@ -5,7 +5,7 @@ Introduction
------------ ------------
The Yubico PIV tool is used for interacting with the Privilege and The Yubico PIV tool is used for interacting with the Privilege and
Identification Card (PIV) application on a https://www.yubico.com[YubiKey NEO]. Identification Card (PIV) application on a https://www.yubico.com[YubiKey].
With it you may generate keys on the device, importing keys and With it you may generate keys on the device, importing keys and
certificates, and create certificate requests, and other operations. certificates, and create certificate requests, and other operations.
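Review bot: Unrelated to the rename but on the touched context line, "Privilege and Identification Card (PIV)" expands the acronym incorrectly; PIV is Personal Identity Verification, as the introduction document changed in this same commit says. Since the line is being edited anyway, fixing the expansion here would keep the README consistent with the docs.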
@@ -1,8 +1,8 @@
Certificate Authority with NEO Certificate Authority with
------------------------------ ------------------------------
This document explains how to set up a Certificate Authority (CA) with This document explains how to set up a Certificate Authority (CA) with
Sub-CA private keys stored on YubiKey NEOs. Typical use for this is Sub-CA private keys stored on YubiKeys. Typical use for this is
to generate HTTPS certificates for internal servers. to generate HTTPS certificates for internal servers.
Considerations Considerations
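Review bot: The new title "Certificate Authority with" is incomplete: removing "NEO" dropped the object of "with". Suggest "Certificate Authority with YubiKey" (matching the renamed file) and shortening the 30-dash underline to the new title length, since AsciiDoc matches the underline against the title to recognize a heading.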
@@ -10,12 +10,12 @@ Considerations
For our example, we have chosen to use one root CA with a private key For our example, we have chosen to use one root CA with a private key
stored in an offline machine, that signs sub-CAs with private keys stored in an offline machine, that signs sub-CAs with private keys
stored on YubiKey NEOs, which signs end-entity (EE) certs. We'll stored on YubiKeys, which signs end-entity (EE) certs. We'll
generate the Sub-CA private keys on an offline host and save a copy of generate the Sub-CA private keys on an offline host and save a copy of
those keys. those keys.
We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit We have chosen to use a RSA 3744 bit root CA key, and RSA 2048 bit
keys for the NEO Sub-CAs and EE certificates. The NEO is limited to keys for the Sub-CAs and EE certificates. The is limited to
RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that RSA 1k and 2k keys (it supports ECDSA too but we chose to not use that
here). here).
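Review bot: "The is limited to RSA 1k and 2k keys" is left with a dangling article after the mechanical removal of "NEO". Beyond the grammar, this sentence states a device limitation that was scoped to the NEO; if it is meant to apply to every YubiKey model the new wording should say "The YubiKey is limited to ...", otherwise the model name should stay here rather than be generalized.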
@@ -39,7 +39,7 @@ offline machine, booted from a LiveCD. Some additional packages may
be required (pcscd, etc, see below) and will have to be transferred on be required (pcscd, etc, see below) and will have to be transferred on
a USB stick. a USB stick.
You need a YubiKey NEO with the PIV application on, which you can purchase You need a YubiKey with the PIV application on, which you can purchase
from Yubico. from Yubico.
You need to install the PKCS#11 Engine: You need to install the PKCS#11 Engine:
@@ -89,15 +89,15 @@ You may inspect the newly generated root CA with:
openssl x509 -text < yubico-internal-https-ca-crt.pem openssl x509 -text < yubico-internal-https-ca-crt.pem
Preparing a Sub-CA NEO Preparing a Sub-CA
---------------------- ----------------------
We need to change the management key, PIN and PUK code following the We need to change the management key, PIN and PUK code following the
YubiKey-NEO-PIV-Introduction.txt document. We also want to save a YubiKey-PIV-Introduction.txt document. We also want to save a
copy of these values. Here are the steps that are needed to be done copy of these values. Here are the steps that are needed to be done
for each new Sub-CA NEO. for each new Sub-CA.
This step is parametrized with the name of the YubiKey NEO user. This step is parametrized with the name of the YubiKey user.
Generate new management code, PIN and PUK as follows: Generate new management code, PIN and PUK as follows:
user=Simon user=Simon
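Review bot: Two issues in this hunk. "Preparing a Sub-CA" keeps the 22-dash underline of the old title, so it should be shortened to match. And "for each new Sub-CA." now reads as if the Sub-CA itself is being prepared rather than the device holding it; "for each new Sub-CA YubiKey" keeps the original meaning. Also, the document reference "YubiKey-PIV-Introduction.txt" does not match the filename used in the Makefile hunk (doc/YubiKey_PIV_introduction.adoc); this mismatch predates the change, but it is a good moment to align the two.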
@@ -108,7 +108,7 @@ Generate new management code, PIN and PUK as follows:
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8` puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo $puk > yubico-internal-https-$user-puk.txt echo $puk > yubico-internal-https-$user-puk.txt
Configure a fresh NEO with these parameters as follows: Configure a fresh with these parameters as follows:
yubico-piv-tool -a set-mgm-key -n $key yubico-piv-tool -a set-mgm-key -n $key
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
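Review bot: "Configure a fresh with these parameters as follows:" is missing its noun; it should read "Configure a fresh YubiKey with these parameters as follows:". The hunk header for the next hunk still shows the old context text "Configure a fresh NEO", which is expected, but the body line here needs the word put back.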
@@ -117,7 +117,7 @@ Configure a fresh NEO with these parameters as follows:
Creating a Sub-CA Creating a Sub-CA
----------------- -----------------
This step is parametrized with the name of the YubiKey NEO user. This This step is parametrized with the name of the YubiKey user. This
means we will have one Sub-CA for every person authorized to sign means we will have one Sub-CA for every person authorized to sign
certificates in our CA. certificates in our CA.
@@ -157,11 +157,11 @@ You may inspect the newly generated EE cert with this command:
openssl x509 -text < yubico-internal-https-subca-$user-crt.pem openssl x509 -text < yubico-internal-https-subca-$user-crt.pem
Import Sub-CA key to NEO: Import Sub-CA key to:
yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem yubico-piv-tool -k $key -a import-key -s 9c < yubico-internal-https-subca-$user-key.pem
Import Sub-CA cert to NEO: Import Sub-CA cert to:
yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem yubico-piv-tool -k $key -a import-certificate -s 9c < yubico-internal-https-subca-$user-crt.pem
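Review bot: "Import Sub-CA key to:" and "Import Sub-CA cert to:" lost their object; suggest "Import Sub-CA key to the YubiKey:" and "Import Sub-CA cert to the YubiKey:" so the reader knows the target of the import-key and import-certificate commands that follow.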
@@ -190,7 +190,7 @@ Then generate a new private key and certificate request:
EOF EOF
openssl req -sha256 -new -config yubico-internal-https-ee-$host-csr.conf -key yubico-internal-https-ee-$host-key.pem -nodes -out yubico-internal-https-ee-$host-csr.pem openssl req -sha256 -new -config yubico-internal-https-ee-$host-csr.conf -key yubico-internal-https-ee-$host-key.pem -nodes -out yubico-internal-https-ee-$host-csr.pem
Then sign the certificate using the NEO: Then sign the certificate using the:
cat>yubico-internal-https-ee-$host-crt.conf<<EOF cat>yubico-internal-https-ee-$host-crt.conf<<EOF
basicConstraints = critical,CA:false basicConstraints = critical,CA:false
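Review bot: "Then sign the certificate using the:" is a dangling article; it should be "Then sign the certificate using the YubiKey:". This is the same substitution artifact as elsewhere in the patch: the replacement removed "NEO" where the sentence used it as a noun, instead of substituting "YubiKey".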
+4 -4
@@ -1,14 +1,14 @@
Request, load and use OS X code signing certificates Request, load and use OS X code signing certificates
--------------------------------------------------- ---------------------------------------------------
This is a short step-by-step on how to generate a key in the Neo, This is a short step-by-step on how to generate a key in the,
create a certificate request, submit that request to apple, load the create a certificate request, submit that request to apple, load the
certificate in the Neo and use it for code signing. certificate in the and use it for code signing.
Prerequisites Prerequisites
------------- -------------
* a YubiKey Neo with the PIV application loaded * a YubiKey with the PIV application loaded
* the yubico-piv-tool software * the yubico-piv-tool software
* the OpenSC software * the OpenSC software
* membership in the mac developer program * membership in the mac developer program
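Review bot: "how to generate a key in the," and "load the certificate in the and use it for code signing" both lost the noun "Neo" without a replacement; each should read "in the YubiKey". Before merging, a search for "the," and "the and" across the doc directory would catch every instance produced by the case-insensitive removal.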
@@ -49,7 +49,7 @@ NOTE: -K DER is available from version 0.1.3, with earlier convert to PEM and im
$ yubico-piv-tool -a set-chuid $ yubico-piv-tool -a set-chuid
9. Re-plug the Neo and make sure the certificates show up under the keychain 9. Re-plug the and make sure the certificates show up under the keychain
"PIV_II" in Keychain Access. "PIV_II" in Keychain Access.
10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign 10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign
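Review bot: Step 9 now reads "Re-plug the and make sure the certificates show up"; it should be "Re-plug the YubiKey and make sure ...".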
+2 -2
@@ -1,14 +1,14 @@
Using PIV for SSH through PKCS11 Using PIV for SSH through PKCS11
-------------------------------- --------------------------------
This is a step-by-step for how to get a Neo with PIV to work for This is a step-by-step for how to get a with PIV to work for
public-key authentication with OpenSSH through PKCS11. public-key authentication with OpenSSH through PKCS11.
Primarily on a OS X or Linux system. Primarily on a OS X or Linux system.
Prerequisites Prerequisites
------------- -------------
* a YubiKey Neo with the PIV application loaded * a YubiKey with the PIV application loaded
* the yubico-piv-tool software * the yubico-piv-tool software
* the OpenSC software * the OpenSC software
* OpenSSH * OpenSSH
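Review bot: "how to get a with PIV to work" is missing the noun; it should be "how to get a YubiKey with PIV to work for public-key authentication with OpenSSH through PKCS11".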
+4 -4
@@ -1,14 +1,14 @@
Request and load a certificate from Windows CA Request and load a certificate from Windows CA
---------------------------------------------- ----------------------------------------------
This is a short step-by-step on how to generate a key in the Neo, This is a short step-by-step on how to generate a key in the,
create a certificate request, submit that request to a Windows CA create a certificate request, submit that request to a Windows CA
and then load the certificate in the Neo. and then load the certificate in the.
Prerequisites Prerequisites
------------- -------------
* a YubiKey Neo with the PIV application loaded * a YubiKey with the PIV application loaded
* the yubico-piv-tool software * the yubico-piv-tool software
* credentials to request certs from a Windows CA * credentials to request certs from a Windows CA
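Review bot: Both introductory sentences are broken in the same way as the OS X document: "generate a key in the," and "load the certificate in the." should each read "in the YubiKey".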
@@ -29,7 +29,7 @@ Steps
certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt
4. Load the certificate in the Neo: 4. Load the certificate in the:
yubico-piv-tool -s 9a -a import-certificate -i cert.crt yubico-piv-tool -s 9a -a import-certificate -i cert.crt
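Review bot: Step 4, "Load the certificate in the:", needs its noun restored: "Load the certificate in the YubiKey:".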
@@ -1,7 +1,7 @@
Introduction to the YubiKey NEO PIV Application Introduction to the YubiKey PIV Application
=============================================== ===============================================
The YubiKey NEO supports the Personal Identity Verification (PIV) card The YubiKey supports the Personal Identity Verification (PIV) card
interface specified in NIST SP 800-73 document "Cryptographic interface specified in NIST SP 800-73 document "Cryptographic
Algorithms and Key Sizes for PIV". This enables you to perform RSA or Algorithms and Key Sizes for PIV". This enables you to perform RSA or
ECC sign/decrypt operations using a private key stored on the ECC sign/decrypt operations using a private key stored on the
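Review bot: The rename itself is fine here. One drive-by on the unchanged context: the document title quoted, "Cryptographic Algorithms and Key Sizes for PIV", is the title of NIST SP 800-78; SP 800-73 is "Interfaces for Personal Identity Verification", which is the one that actually specifies the card interface this sentence refers to. Worth correcting the citation while the paragraph is being touched.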
@@ -29,11 +29,11 @@ The maximum size of stored objects is 2005 bytes.
Currently all functionality are available over both contact and Currently all functionality are available over both contact and
contactless interfaces (contrary to what the specifications mandate). contactless interfaces (contrary to what the specifications mandate).
Preparing a NEO for real use Preparing a for real use
---------------------------- ----------------------------
You would typically change the management key to make sure nobody but You would typically change the management key to make sure nobody but
you can modify the state of the PIV application on the NEO. Make sure to you can modify the state of the PIV application on the. Make sure to
keep a copy of the key around for later use. keep a copy of the key around for later use.
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
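Review bot: The heading "Preparing a for real use" should be "Preparing a YubiKey for real use", with the 28-dash underline adjusted to the new title length, and "the state of the PIV application on the." should end with "on the YubiKey." Both are the same dropped-noun artifact seen across the patch.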
+1 -1
@@ -30,7 +30,7 @@
For more information about what's happening --verbose can be added For more information about what's happening --verbose can be added
to any command. For much more information --verbose=2 may be used. to any command. For much more information --verbose=2 may be used.
Display what version of the application is running on the YubiKey Neo: Display what version of the application is running on the YubiKey:
yubico-piv-tool -a version yubico-piv-tool -a version
+1 -1
@@ -30,7 +30,7 @@
For more information about what's happening \-\-verbose can be added For more information about what's happening \-\-verbose can be added
to any command. For much more information \-\-verbose=2 may be used. to any command. For much more information \-\-verbose=2 may be used.
Display what version of the application is running on the YubiKey Neo: Display what version of the application is running on the YubiKey:
yubico\-piv\-tool \-a version yubico\-piv\-tool \-a version