44 lines
1.4 KiB
Plaintext
44 lines
1.4 KiB
Plaintext
Request and load a certificate from Windows CA
|
|
----------------------------------------------
|
|
|
|
This is a short step-by-step on how to generate a key on a YubiKey,
|
|
create a certificate request, submit that request to a Windows CA
|
|
and then load the certificate on the YubiKey.
|
|
|
|
Prerequisites
|
|
-------------
|
|
|
|
* a YubiKey with the PIV application loaded
|
|
* the yubico-piv-tool software
|
|
* credentials to request certs from a Windows CA
|
|
|
|
Steps
|
|
-----
|
|
|
|
1. Generate the key:
|
|
(--key[=STRING] is needed if the management key value is no longer the default value)
|
|
|
|
yubico-piv-tool -s 9a -a generate -o public.pem --key[=STRING]
|
|
|
|
|
|
2. Request a certificate:
|
|
|
|
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
|
|
-S "/CN=example/O=test/" -i public.pem -o request.csr
|
|
|
|
3. Submit the request to the Windows CA:
|
|
(this step must be run on a windows machine that know about the CA)
|
|
|
|
certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt
|
|
|
|
4. Load the certificate on the YubiKe:
|
|
(--key[=STRING] is needed if the management key value is not the default value)
|
|
|
|
yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING]
|
|
|
|
5. For it to be useful in windows a chuid must be set as well:
|
|
(only if that wasn't done earlier)
|
|
(--key[=STRING] is needed if the management key value is no longer the default value)
|
|
|
|
yubico-piv-tool -a set-chuid --key[=STRING]
|