# Yubikey Notes

## Install needed software

```
brew install yubico-piv-tool
brew install ykman
```

When plugging in the YubiKey you can close the Keyboard Setup Assistant that macOS opens; it appears because the key also presents itself as a USB keyboard, and nothing needs to be configured there.

## Yubikey setup with AWS CA

Notably, this does not include any of the YubiKey lockdown work to secure them (changing the PUK and the management key, PIN and touch policies on the slot). Some of that is touched on under Troubleshooting below.

### Reset the Yubikey PIV (optional)

```
yubico-piv-tool -a reset
```

This wipes every PIV slot and returns the PIN, PUK and management key to their factory defaults. The reset is only accepted once both the PIN and the PUK are blocked, so if you get `Reset failed, are pincodes blocked?`, reset via the YubiKey Manager (`ykman piv reset` or the GUI), which blocks them for you first.

### Make the PIV generate some things

The CHUID and CCC objects have to exist before Windows (CHUID) and macOS (CCC) will treat the key as a smart card:

```
yubico-piv-tool -a set-chuid
yubico-piv-tool -a set-ccc
```

### Change the PIN

`123456` is the factory default PIN:

```
yubico-piv-tool -a change-pin -P 123456
Enter new pin:
Verifying - Enter new pin:
Successfully changed the pin code.
```

### Generate a new private/public key pair

The key pair is generated on the YubiKey and only the public half is written out, so there is no need to preserve the generated files (`tmp.pub`, `tmp.csr`, `tmp.crt`) after these steps are completed. Slot `9a` is the PIV Authentication slot, the one used for client authentication and smart-card login.

```
yubico-piv-tool --action=generate -s 9a -o tmp.pub
```

### Generate a CSR

`--action=verify` prompts for the PIN so that the CSR can be signed by the key in slot 9a:

```
yubico-piv-tool --action=verify --action=request \
  --subject="/CN=brad.poulton@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" \
  --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr
```

### Reencode the CSR

The AWS CLI (v2) treats blob parameters such as `--csr` as base64 by default, so the PEM is base64-encoded once more:

```
openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64
```

### Sign the CSR

* For template information, see https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html (remember to change the ARN partition to `aws-us-gov`)
* Validity is currently 2 years + 90 day grace period = 820 days

For `tmp.policy`, see https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

```
cat <<EOF > tmp.policy
{
  "Extensions": {
    "ExtendedKeyUsage": [
      { "ExtendedKeyUsageType": "CLIENT_AUTH" },
      { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }
    ],
    "SubjectAlternativeNames": [
      { "Rfc822Name": "brad.poulton@accenturefederal.com" },
      { "Rfc822Name": "brad.poulton@accenturefederalcyber.com" }
    ]
  }
}
EOF
```

Maybe also (untested in these notes) an `OtherName` SAN in the same `SubjectAlternativeNames` list carrying the Windows UPN for smart-card logon. JSON has no comments, and the ACM PCA API requires both `TypeId` (the OID) and `Value` (the UPN string); the `OID;UTF8:value` form is OpenSSL config syntax, not something ACM PCA parses. It would look like:

```
      { "OtherName": { "TypeId": "1.3.6.1.4.1.311.20.2.3", "Value": "duane.e.waddle@accenturefederal.com" } }
```

```
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
  --api-passthrough file://./tmp.policy \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
  --csr file://./tmp.csr.b64 \
  --signing-algorithm SHA512WITHECDSA \
  --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1 \
  --validity Value=820,Type=DAYS
```

Output should be something like:

```
{
    "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
}
```

### Get the certificate that was issued

Fill in `--certificate-arn` with the `CertificateArn` returned by the previous step. Issuance is asynchronous: if the call reports that the request is still in progress, wait a few seconds and retry.

```
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
  --certificate-arn <CertificateArn from the previous step> \
  --output text > tmp.crt
```

### Fix the file

This is not actually a bug: with `--output text` the CLI prints the `Certificate` and `CertificateChain` fields on one line separated by a tab, so `tmp.crt` contains the leaf certificate, a tab, and then the CA chain. Put them on separate lines (adding `--query Certificate` to the command above returns only the leaf and avoids this altogether):

```
vim tmp.crt
# find the line that says `-----END CERTIFICATE-----<TAB>-----BEGIN CERTIFICATE-----` and separate it into two lines
```

### Import the cert to the key

`import-certificate` authenticates with the management key (the factory default is used unless you pass `-k`), not with the PIN:

```
yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt
```

### Import the root and intermediate CAs

Slots 82 and 83 are retired key-management slots; they are used here only to carry the CA chain on the key.

```
# cd to the directory containing infrastructure-notes
ykman piv certificates import 82 infrastructure-notes/files/xdr_subordinate_ca.identity.crt
ykman piv certificates import 83 infrastructure-notes/files/xdr_root_ca.crt
```

### Add Certificates to Keychain Access

1. Open Keychain Access on the Mac, Category > All Items.
2. Open a Finder window at `infrastructure-notes/files`.
3. Drag and drop `xdr_root_ca.crt` and `xdr_subordinate_ca.identity.crt` into the Keychain Access All Items window.
4. Set trust on the root CA to Always Trust: double-click the certificate and expand Trust.
   Then change the dropdown to "Always Trust". You should be prompted for your computer password.

### Remove and reinsert the Yubikey

This may be necessary for Chrome and other web browsers to see the new certificate.

## Ensure the new user has been created in Keycloak

Have a Keycloak administrator add your user at https://auth.xdr.accenturefederalcyber.com/auth/admin.

## Other useful commands

### Check status

```
$ yubico-piv-tool --slot 9a --action status
Version:        4.4.5
Serial Number:  12692795
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     CN=frederick.t.damstra@accenturefederal.com, C=US, ST=VA, L=Arlington, OU=XDR, O=AFS
        Issuer DN:      C=US, O=Accenture Federal Services, OU=XDR, CN=XDR Subordinate CA #1
        Fingerprint:    ba6d2cec780dd397a634e9ace59a9739417f9687bfd42c3f3edafaaf89898337
        Not Before:     Jul  7 12:50:21 2021 GMT
        Not After:      Oct  5 13:50:21 2023 GMT
PIN tries left: 3
```

`CHUID: No data available` / `CCC: No data available` means `set-chuid` / `set-ccc` has not been run on that key (see Troubleshooting). `PIN tries left` counts down on wrong PINs; at 0 the PIN is blocked and can only be unblocked with the PUK.

### Read the certificate

```
$ yubico-piv-tool --slot 9a --action read-certificate
-----BEGIN CERTIFICATE-----
...
```

### Validate

```
$ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text
Certificate:
    Data:
        Version: ...
```

## Troubleshooting

```
# Required for Windows
yubico-piv-tool -a set-chuid
# Required for macOS
yubico-piv-tool -a set-ccc

# Change the PUK (12345678 is the factory default)
yubico-piv-tool -a change-puk -P 12345678
# Enter new code

# Start the YubiKey Manager app and change the management key:
# basically, generate a new one and protect it with the PIN.
# Recorded here: 19f22f18cb3b38ab1e13627cab5b7db3e34fe3d9e1aa153b

brew install pkcs11-helper
brew install opensc
pkcs11-tool --test --login   # enter PIN
```

Treat the management key like a password: whoever has it can overwrite the keys and certificates in every slot on that YubiKey, so it should not normally live in shared notes.

To pair with your MacBook login (`sc_auth identities` lists the certificates on the inserted card with their hashes; `-h` takes the hash of the one to pair):

```
sudo sc_auth identities
sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85
```

### For Firefox

1. `brew install opensc`
2. In Firefox, go to about:config, search for `security.enterprise_roots.enabled` and set it to `true` (this makes Firefox trust the CA certificates you added to Keychain Access).
3. In Firefox, go to Preferences (Settings), then `Privacy & Security`, find Certificates and click the button marked 'Security Devices'.
4. Click 'Load'.
5. Enter `OpenSC PKCS#11` as the module name.
6. Enter `/usr/local/lib/opensc-pkcs11.so` as the module filename (on Apple Silicon, Homebrew installs it under `/opt/homebrew/lib/` instead).
7. Click "OK".

Should be good to go!
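## The AWS CA procedure as one script

The steps under "Yubikey setup with AWS CA" above, driven end to end, as an added example; this is not part of the original notes and not code from Yubico or AWS. It assumes hypothetical inputs `CA_ARN`, `SUBJECT` and `EMAIL` exported by the caller, defaults the AWS profile, region and CA file paths to the values used in the notes, and assumes (unverified here) that ACM PCA accepts a Windows UPN `OtherName` as `TypeId` + `Value`. The two helpers that touch neither the YubiKey nor AWS, the api-passthrough JSON builder and the splitter for the tab-separated `--output text` result, run anywhere; the hardware and AWS part only runs with `YK_RUN=1`. Before importing, it also checks what the notes do not: that the issued certificate chains to the root, is not expired, carries `clientAuth`, and contains exactly the public key generated in slot 9a.

```sh
#!/bin/sh
# Added example (not from the original notes or from Yubico/AWS): drives the
# "Yubikey setup with AWS CA" steps end to end.  Hypothetical inputs: CA_ARN,
# SUBJECT and EMAIL must be exported by the caller; AWS_PROFILE_NAME,
# AWS_REGION_NAME and CA_FILES default to the values used in the notes.
# The hardware/AWS part only runs with YK_RUN=1.
set -eu

AWS_PROFILE_NAME="${AWS_PROFILE_NAME:-mdr-common-services-gov}"
AWS_REGION_NAME="${AWS_REGION_NAME:-us-gov-east-1}"
CA_FILES="${CA_FILES:-infrastructure-notes/files}"
TEMPLATE_ARN="arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1"

# Emit the api-passthrough JSON: both EKUs from the notes plus one Rfc822Name SAN
# per e-mail address given.  If UPN is set, a Microsoft UPN OtherName is added
# (assumption: ACM PCA wants the OID in TypeId and the bare UPN in Value).
build_passthrough_json() {
  [ "$#" -ge 1 ] || { echo "build_passthrough_json: need at least one e-mail" >&2; return 1; }
  printf '{\n  "Extensions": {\n    "ExtendedKeyUsage": [\n'
  printf '      { "ExtendedKeyUsageType": "CLIENT_AUTH" },\n'
  printf '      { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }\n'
  printf '    ],\n    "SubjectAlternativeNames": [\n'
  first=1
  for addr in "$@"; do
    [ "$first" = 1 ] || printf ',\n'
    printf '      { "Rfc822Name": "%s" }' "$addr"
    first=0
  done
  [ -z "${UPN:-}" ] || printf ',\n      { "OtherName": { "TypeId": "1.3.6.1.4.1.311.20.2.3", "Value": "%s" } }' "$UPN"
  printf '\n    ]\n  }\n}\n'
}

# `get-certificate --output text` prints Certificate and CertificateChain on one
# line separated by a TAB (the "Fix the file" step).  Split them: first cert to
# $2 (leaf), every later cert to $3 (chain: subordinate CA, then root).
split_pca_text_output() {
  tr '\t' '\n' < "$1" | awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf; next }
    n >= 2 { print > chain }'
}

# Number of PEM certificates in a file (0 when there are none).
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Checks to run before the cert goes onto the key: it chains to the root via the
# subordinate, is not expired, carries clientAuth, and contains exactly the
# public key that was generated in slot 9a (otherwise the slot will not work).
check_cert() {                                  # $1 leaf, $2 chain, $3 tmp.pub
  openssl verify -CAfile "$CA_FILES/xdr_root_ca.crt" -untrusted "$2" "$1"
  openssl x509 -in "$1" -noout -checkend 0
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
  gen=$(openssl pkey -pubin -in "$3" -outform DER | openssl sha256)
  crt=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$gen" = "$crt" ] || { echo "certificate public key does not match the key in slot 9a" >&2; return 1; }
}

main() {
  : "${CA_ARN:?export CA_ARN (subordinate CA ARN)}"
  : "${SUBJECT:?export SUBJECT, e.g. /CN=user@example.com/C=US/ST=VA/L=Arlington/OU=XDR/O=.../}"
  : "${EMAIL:?export EMAIL (used for the Rfc822Name SAN)}"
  AWSCLI="aws --profile $AWS_PROFILE_NAME --region $AWS_REGION_NAME"
  yubico-piv-tool -a generate -s 9a -o tmp.pub       # private key is created on the YubiKey, never exported
  yubico-piv-tool -a verify -a request -s 9a --subject="$SUBJECT" \
    --algorithm=RSA2048 --hash=SHA256 -i tmp.pub -o tmp.csr
  base64 < tmp.csr > tmp.csr.b64                      # CLI v2 reads blob parameters as base64
  build_passthrough_json "$EMAIL" > tmp.policy
  cert_arn=$($AWSCLI acm-pca issue-certificate --api-passthrough file://tmp.policy \
    --certificate-authority-arn "$CA_ARN" --csr file://tmp.csr.b64 \
    --signing-algorithm SHA512WITHECDSA --template-arn "$TEMPLATE_ARN" \
    --validity Value=820,Type=DAYS --query CertificateArn --output text)
  $AWSCLI acm-pca wait certificate-issued --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn"
  $AWSCLI acm-pca get-certificate --certificate-authority-arn "$CA_ARN" \
    --certificate-arn "$cert_arn" --output text > tmp.txt
  split_pca_text_output tmp.txt tmp.crt tmp.chain.crt
  check_cert tmp.crt tmp.chain.crt tmp.pub
  yubico-piv-tool -s 9a -a import-certificate -i tmp.crt   # add -k if the management key was changed
  yubico-piv-tool -s 9a -a status
  rm -f tmp.pub tmp.csr tmp.csr.b64 tmp.policy tmp.txt tmp.chain.crt
}

if [ "${YK_RUN:-0}" = 1 ]; then main; fi
```

Run it as `CA_ARN=... SUBJECT='/CN=.../' EMAIL=... YK_RUN=1 sh issue.sh` from the directory above `infrastructure-notes`. The public-key comparison in `check_cert` is the check worth keeping even if you do the rest by hand: a certificate whose key does not match the slot imports without complaint and then fails silently at login time.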