
Update formatting

Colby Williams 4 years ago
parent
commit
0831e7c53b
1 changed file with 36 additions and 22 deletions

+ 36 - 22
Yubikey Notes.md

@@ -8,11 +8,12 @@ brew install ykman
 ```
 
 When plugging in the yubikey, you can close the keyboard setup assistant. 
+
 ## Yubikey setup with AWS CA
 
 Notably, this does not include any of the Yubikey lockdown work to secure them.
 
-1. Reset the Yubikey PIV (optional)
+### Reset the Yubikey PIV (optional)
 
 ```
 yubico-piv-tool -a reset
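Review bot: the new "### Reset the Yubikey PIV (optional)" heading still reads as harmless, but `yubico-piv-tool -a reset` wipes every PIV slot (keys and certificates) and returns the PIN, PUK and management key to factory defaults; since the line above the heading already disclaims the lockdown work, add one sentence under this heading saying what the reset destroys so nobody runs it on a key that already carries an identity.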
@@ -20,14 +21,15 @@ yubico-piv-tool -a reset
 
 If you get `Reset failed, are pincodes blocked?`, reset via the YubiKey Manager
 
-1. Make the PIV generate some things
+### Make the PIV generate some things
+
 ```
 yubico-piv-tool -a set-chuid
 yubico-piv-tool -a set-ccc
 ```
 
+### Change the PIN:
 
-1. Change the PIN:
 ```
 yubico-piv-tool -achange-pin -P123456
 Enter new pin:
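Review bot: "If you get `Reset failed, are pincodes blocked?`, reset via the YubiKey Manager" skips the actual cause: the PIV reset only succeeds once both the PIN and the PUK are blocked, so on a fresh key this error is expected and the fix is to exhaust the retries, not to switch tools. State that, and consider that "### Change the PIN:" only replaces the factory PIN `123456` while nothing in the section touches the PUK or management key; either point to where that is done or say it is part of the omitted lockdown work. Style: this is the only new heading in the hunk with a trailing colon, and the others ("### Reset the Yubikey PIV (optional)", "### Make the PIV generate some things") have none.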
@@ -35,30 +37,34 @@ Verifying - Enter new pin:
 Successfully changed the pin code.
 
 ```
-1. Generate a new private/public key pair. There is no need o preserve the generated files after these steps are completed.
+
+### Generate a new private/public key pair. There is no need o preserve the generated files after these steps are completed.
 
 ```
 yubico-piv-tool --action=generate -s 9a -o tmp.pub
 ```
 
-1. Generate a CSR
+### Generate a CSR
+
 ```
 yubico-piv-tool --action=verify --action=request --subject="/CN=brad.poulton@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr
 ```
 
-1. Reencode the CSR
+### Reencode the CSR
 
 To reencode as base64:
+
 ```
 openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64
 ```
 
-1. Sign the CSR
+### Sign the CSR
 
 * For Template information, seehttps://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html (remember to change arn to aws-us-gov) 
 * Validity is currently 2 years + 90 day grace period = 820 days
 
 For the tmp.policy, See https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html
+
 ```
 cat <<EOF > tmp.policy
 {
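Review bot: the typo carried into the new heading, "### Generate a new private/public key pair. There is no need o preserve the generated files after these steps are completed." should be "to preserve", and the second sentence belongs in the body rather than the heading, matching the one-phrase headings elsewhere in this hunk. In the "Sign the CSR" bullets, "seehttps://docs.aws.amazon.com/..." needs a space. The CSR `--subject` still hard-codes one engineer's name and e-mail ("/CN=brad.poulton@accenturefederal.com/..."); a placeholder such as `/CN=<your email>/` would stop people issuing certificates with the wrong subject when they copy the command.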
@@ -75,7 +81,9 @@ cat <<EOF > tmp.policy
 }
 EOF
 ```
+
 Maybe:
+
 ```
     "OtherName": {
       #"TypeId": "string",
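Review bot: the "Maybe:" fragment cannot be pasted into `tmp.policy` as shown, since the file is JSON written by the heredoc above and JSON has no comment syntax, so the `#"TypeId": "string",` line would break parsing. Either say when the `OtherName` block is actually needed and show it as valid JSON, or drop the fragment; a bare "Maybe:" gives the reader no way to decide.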
@@ -93,14 +101,16 @@ aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certi
   --validity Value=820,Type=DAYS 
 ```
 
-output should be something like:
+Output should be something like:
+
 ```
 {
     "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
 }
 ```
 
-1. Get the certificate that was issued. Be sure to update the certificate-arn to what you got. 
+### Get the certificate that was issued. Be sure to update the certificate-arn to what you got.
+
 ```
 aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
     --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
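Review bot: the sample output ARN ends in `certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/...` while the `get-certificate` call on the next lines uses `certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889`; the two CA ids do not match, so a reader who copies the output ARN into `--certificate-arn` will get a mismatch with `--certificate-authority-arn`. Pick one CA id for both, and move "Be sure to update the certificate-arn to what you got." out of the heading into the body, as the other new headings are short phrases. Consider whether the full account number needs to be in the notes at all.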
@@ -108,21 +118,22 @@ aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certifi
     --output text > tmp.crt
 ```
 
-1. Fix the file
+### Fix the file
 
 Must be a bug. Right now, tmp.crt has a tab in place of a newline.
+
 ```
 vim tmp.crt
 # find the line that says `-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----` and separate into two lines
 ```
 
-1. Import the cert to the key
+### Import the cert to the key
 
 ```
 yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt
 ```
 
-1. Import the root and intermediate CAs
+### Import the root and intermediate CAs
 
 ```
 # cd to instrastructure-notes location
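Review bot: "Must be a bug. Right now, tmp.crt has a tab in place of a newline." is not a bug: `get-certificate` returns both `Certificate` and `CertificateChain`, and `--output text` prints those two fields on one line separated by a tab. Replace the manual `vim tmp.crt` step with `--query Certificate --output text > tmp.crt` for the leaf certificate (and `--query CertificateChain` if the chain is wanted), which also guarantees that only the leaf is handed to `yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt`. Typo in the trailing context: "instrastructure-notes" should be "infrastructure-notes", matching the paths on the following lines.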
@@ -130,7 +141,7 @@ ykman piv certificates import 82 infrastructure-notes/files/xdr_subordinate_ca.i
 ykman piv certificates import 83 infrastructure-notes/files/xdr_root_ca.crt
 ```
 
-1. Add Certificates to Keychain Access
+### Add Certificates to Keychain Access
 
 Open Keychain Access on Mac.
 Category > All Items
@@ -141,7 +152,7 @@ drag and drop xdr_root_ca.crt and xdr_subordinate_ca.indentity.crt to the keycha
 
 Set trust on the root_ca to always trust. Double click on the certificate and click on Trust. Then change dropdown to "Always Trust". You should be prompted for your Computer password. 
 
-1. Remove and reinsert the Yubikey
+### Remove and reinsert the Yubikey
 
 May be necessary for chrome/web browsers to see the new certificate
 
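Review bot: "Set trust on the root_ca to always trust" grants the private XDR root trust for every purpose on the machine, which is broader than the client-certificate use this page is about; say which trust setting is actually required (or why "Always Trust" across the board is needed) so the reader can narrow it. "Computer password" should be "login password" to match what macOS prompts for.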
@@ -151,7 +162,8 @@ Have an keycloak administrator add your user at https://auth.xdr.accenturefedera
 
 ## Other useful commands
 
-Check Status:
+### Check Status:
+
 ```
 $ yubico-piv-tool --slot 9a --action status
 Version:	4.4.5
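Review bot: "### Check Status:" keeps the trailing colon from the old plain-text label, which the headings promoted earlier in this change ("### Reset the Yubikey PIV (optional)", "### Sign the CSR") do not have; drop the colon here and on the sibling headings in the next hunk so the section reads consistently.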
@@ -168,13 +180,16 @@ Slot 9a:
 PIN tries left:	3
 ```
 
-Read the certicate:
+### Read the certicate:
+
 ```
 $ yubico-piv-tool --slot 9a --action read-certificate
 -----BEGIN CERTIFICATE-----
 ...
+```
+
+### Validate:
 
-Validate:
 ```
 $ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text
 Certificate:
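Review bot: "### Read the certicate:" carries the old typo into the heading; it should be "certificate" (and without the colon, as noted above). "### Validate:" only prints the certificate with `openssl x509 -noout -text`, which inspects but does not validate anything; either rename it "Inspect" or add a real check against the CA files imported earlier, for example `openssl verify -CAfile xdr_root_ca.crt -untrusted xdr_subordinate_ca.indentity.crt` on the output of `read-certificate`.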
@@ -182,7 +197,7 @@ Certificate:
         Version: ...
 ```
 
-### Troubleshooting
+## Troubleshooting
 
 ```
 # Required for windows?
@@ -203,8 +218,8 @@ pkcs11-tool --test --login
 # enter pin
 ```
 
+To pair with your macbook login:
 
-To pair with your macboos login:
 ```
 sudo sc_auth identities
 sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85
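Review bot: `sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85` hard-codes one person's account and identity hash in what is otherwise a generic runbook; use placeholders (`-u <username> -h <hash>`) and say that the hash is the one printed by the `sudo sc_auth identities` line directly above, otherwise a reader may pair their login with someone else's identity.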
@@ -212,13 +227,12 @@ sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85
 
 ### For Firefox
 
-1. In firefox, go to about:config, search for "security.enterprise" and set `security.enterprise_roots.enabled` to `True`
 1. `brew install opensc`
+1. In Firefox, go to about:config, search for "security.enterprise" and set `security.enterprise_roots.enabled` to `True`
 1. In Firefox, go to Settings->Preferences, then `Privacy & Security`, then find Certificates and click the button marked 'Security Devices'.
 1. Click 'Load'
 1. Enter `OpenSC PKCS#11` in the module field name.
 1. Enter `/usr/local/lib/opensc-pkcs11.so` in the Load box.
 1. Click "Okay".
 
-SHould be good to go!
-
+Should be good to go!
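Review bot: moving `brew install opensc` ahead of the about:config step is the right order, but "Enter `/usr/local/lib/opensc-pkcs11.so` in the Load box." only holds for Homebrew on Intel Macs; on Apple Silicon Homebrew installs under `/opt/homebrew`, so the module will not be found there. Suggest `$(brew --prefix)/lib/opensc-pkcs11.so`, or listing both paths. Also the preference value is a boolean and should be written `true` rather than `True`.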