
Importing an SSH key to the PIV smartcard.

https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html

PS C:\Program Files (x86)\Yubico\YubiKey PIV Manager>

.\yubico-piv-tool.exe -a import-key -s 9a -i hegars.key.pem -k
Enter management key:
Successfully imported a new private key.

Get the PEM-formatted public key:
openssl rsa -in hegars.key.pem -pubout -out hegars.pub.pem

.\yubico-piv-tool.exe -a verify-pin -a selfsign-certificate -s 9a -S "/CN=hegars/OU=hegars/O=hegars.com/" -i hegars.pub.pem -o cert.pem
Enter PIN:
Successfully verified PIN.
Successfully generated a new self signed certificate.

.\yubico-piv-tool.exe -a import-certificate -s 9a -i cert.pem -k
Enter management key:
Successfully imported a new certificate.


Logging in with ssh, pointing it at the OpenSC PKCS#11 provider:

hegars@debian:~$ ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so server.hegars.com
Enter PIN for 'PIV_II (PIV Card Holder pin)':
Linux server 4.15.13-x86_64#1 SMP Tue Mar 27 14:42:14 UTC 2018 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Mon Jun 11 13:08:51 2018 from 1.2.3.4
hegars@server:~$

Set the PKCS11Provider option in ~/.ssh/config (it is an ssh_config keyword, not an environment variable) so ssh loads the module without -I:

PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

hegars@debian:~$ ssh server.hegars.com
Enter PIN for 'PIV_II (PIV Card Holder pin)':
Linux server 4.15.13-x86_64#1 SMP Tue Mar 27 14:42:14 UTC 2018 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Mon Jun 11 13:09:17 2018 from 1.2.3.4
hegars@server:~$
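The import steps and the login above as one script, with the check a practitioner wants before trusting the card: that the public key ssh will offer through the provider is the one derived from the imported PEM. This is an added example, not code from the post or from Yubico; it assumes a Linux host with yubico-piv-tool, openssl and ssh-keygen installed, and the key file and provider path used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): slot 9a import steps as one
# script, plus a check that the key the card offers through the OpenSC
# PKCS#11 provider is the key that was imported. Assumed: Linux host with
# yubico-piv-tool/openssl/ssh-keygen; provider path is distribution-specific.
set -eu

PROVIDER=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
KEY=hegars.key.pem
SLOT=9a   # PIV Authentication slot; this is the one ssh uses

# Return 0 if the OpenSSH public-key line $1 (compared on key type and base64
# blob only; the comment column may differ) appears among the newline-separated
# key lines in $2.
pubkey_listed() {
    want=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $1, $2 }')
    [ -n "$want" ] || return 1
    printf '%s\n' "$2" | awk -v want="$want" '($1 " " $2) == want { f = 1 } END { exit f ? 0 : 1 }'
}

# The import steps from the post; -k prompts for the management key, the
# selfsign step for the PIN.
piv_setup() {
    yubico-piv-tool -a import-key -s "$SLOT" -i "$KEY" -k
    openssl rsa -in "$KEY" -pubout -out hegars.pub.pem
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$SLOT" \
        -S "/CN=hegars/OU=hegars/O=hegars.com/" -i hegars.pub.pem -o cert.pem
    yubico-piv-tool -a import-certificate -s "$SLOT" -i cert.pem -k
}

# ssh-keygen -D lists every key the provider exposes (one per slot holding a
# certificate). Succeed only if the key derived from the PEM is among them,
# and print it: that line is the authorized_keys entry the server needs.
piv_check() {
    expected=$(ssh-keygen -y -f "$KEY")
    if pubkey_listed "$expected" "$(ssh-keygen -D "$PROVIDER")"; then
        echo "OK: card offers the key from $KEY; authorized_keys entry:"
        echo "$expected"
    else
        echo "MISMATCH: the provider does not offer the key from $KEY" >&2
        return 1
    fi
}

case "${1:-}" in
    setup) piv_setup ;;
    check) piv_check ;;
    *) echo "usage: $0 setup|check" ;;
esac
```

Run it with `setup` once, then `check`; the line it prints is what goes into authorized_keys on server.hegars.com.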

Read the certificate from the smart card and print it in text form:

hegars@debian:~$ pkcs15-tool --read-certificate 01 | openssl x509 -noout -text
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
….
….
hegars@debian:~$