# Yubikey Notes

## Yubikey setup with AWS CA

Notably, this does not include any of the Yubikey lockdown work to secure them.

1. Reset the Yubikey PIV (optional). This wipes every PIV slot and puts the PIN, PUK and management key back to their factory defaults.

   ```
   yubico-piv-tool -a reset
   ```

   If you get `Reset failed, are pincodes blocked?`, reset via the YubiKey Manager. `yubico-piv-tool` only resets once both the PIN and the PUK are blocked; the YubiKey Manager blocks them for you first.

1. Make the PIV generate some things (both actions authenticate with the management key, so the factory default is used unless it has already been changed)

   ```
   # Required for windows?
   yubico-piv-tool -a set-chuid
   # Required for mac
   yubico-piv-tool -a set-ccc
   ```

1. Change the PIN (`123456` is the factory default):

   ```
   yubico-piv-tool -a change-pin -P 123456
   Enter new pin:
   Verifying - Enter new pin:
   Successfully changed the pin code.
   ```

1. Generate a new private/public key pair in slot 9a (PIV Authentication). The private key is generated on the Yubikey and never leaves it; only the public key is written to the file. There is no need to preserve the generated files after these steps are completed.

   ```
   yubico-piv-tool --action=generate -s 9a -o tmp.pub
   ```

1. Generate a CSR. The `verify` action prompts for the PIN so that the slot 9a key can sign the request.

   ```
   yubico-piv-tool --action=verify --action=request --subject="/CN=frederick.t.damstra@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr
   ```

1. Sign the CSR

   * For template information, see https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html (remember to change the arn partition to aws-us-gov)
   * Validity is currently 2 years + 90 day grace period = 820 days
   * For the tmp.policy format, see https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

   The policy is the API passthrough block: it adds the client-auth and smart-card-logon EKUs and the email SANs that the template does not set on its own.

   ```
   cat <<EOF > tmp.policy
   {
     "Extensions": {
       "ExtendedKeyUsage": [
         { "ExtendedKeyUsageType": "CLIENT_AUTH" },
         { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }
       ],
       "SubjectAlternativeNames": [
         { "Rfc822Name": "frederick.t.damstra@accenturefederal.com" },
         { "Rfc822Name": "frederick.t.damstra@accenturefederalcyber.com" }
       ]
     }
   }
   EOF
   ```

   Maybe (untested): a UPN SAN for Windows smart card logon. In the ACM PCA `OtherName` structure `TypeId` holds the OID (1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN OID) and `Value` holds the UPN string; the OpenSSL `OID;UTF8:value` spelling does not apply to the API, and JSON does not allow `#` comments.

   ```
   "OtherName": {
     "TypeId": "1.3.6.1.4.1.311.20.2.3",
     "Value": "duane.e.waddle@accenturefederal.com"
   },
   ```

   ```
   aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
     --api-passthrough file://./tmp.policy \
     --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
     --csr file://./tmp.csr \
     --signing-algorithm SHA512WITHECDSA \
     --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1 \
     --validity Value=820,Type=DAYS
   ```

   Output should be something like:

   ```
   {
       "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
   }
   ```

   The certificate ARN embeds the ID of the CA that issued it, so for a real run the CA ID in it is the same one passed as `--certificate-authority-arn` (the sample above was copied from a different CA).

   MAY NEED TO BASE64 ENCODE THE CSR. Duane's machine required it, but Fred's did not. The likely cause is the AWS CLI major version: v2 expects a blob parameter given as `file://` to already be base64, whereas v1 encodes it itself. Passing `--csr fileb://./tmp.csr` hands the raw PEM to either version; on v2, `--cli-binary-format raw-in-base64-out` has the same effect. To re-encode as base64 by hand:

   ```
   openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64
   ```

1. Get the certificate that was issued. Issuance is asynchronous: if this fails with `RequestInProgressException`, wait a moment (or run `aws acm-pca wait certificate-issued` with the same two ARNs) and retry.

   ```
   aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
     --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
     --certificate-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886 \
     --output text > tmp.crt
   ```

1. Fix the file. This is not a bug: `get-certificate` returns both `Certificate` (the leaf) and `CertificateChain`, and `--output text` prints the two fields on one line separated by a tab, so tmp.crt ends up with a tab where the newline between the leaf and the chain should be. Adding `--query Certificate` to the command above fetches only the leaf, which is all slot 9a needs; otherwise separate the two by hand:

   ```
   vim tmp.crt
   # find the line that says `-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----` and separate into two lines
   ```

1. Import the cert to the key. The import authenticates with the management key (pass it with `-k` if it is no longer the factory default).

   ```
   yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt
   ```

1. Import the root and intermediate CAs into two of the retired key slots (82 and 83) so the chain travels with the key

   ```
   ykman piv certificates import 82 ~/infrastructure-notes/files/xdr_subordinate_ca.identity.crt
   ykman piv certificates import 83 ~/infrastructure-notes/files/xdr_root_ca.crt
   ```

1. Remove and reinsert the Yubikey. May be necessary for Chrome/web browsers to see the new certificate.

## Other useful commands

Check status:

```
$ yubico-piv-tool --slot 9a --action status
Version:        4.4.5
Serial Number:  12692795
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     CN=frederick.t.damstra@accenturefederal.com, C=US, ST=VA, L=Arlington, OU=XDR, O=AFS
        Issuer DN:      C=US, O=Accenture Federal Services, OU=XDR, CN=XDR Subordinate CA #1
        Fingerprint:    ba6d2cec780dd397a634e9ace59a9739417f9687bfd42c3f3edafaaf89898337
        Not Before:     Jul  7 12:50:21 2021 GMT
        Not After:      Oct  5 13:50:21 2023 GMT
PIN tries left: 3
```

Read the certificate:

```
$ yubico-piv-tool --slot 9a --action read-certificate
-----BEGIN CERTIFICATE-----
...
```

Validate:

```
$ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text
Certificate:
    Data:
        Version: ...
```

### Troubleshooting

```
# Required for windows?
yubico-piv-tool -a set-chuid
# Required for mac
yubico-piv-tool -a set-ccc

# Change the PUK (12345678 is the factory default)
yubico-piv-tool -a change-puk -P 12345678
# Enter new code

# Start the yubikey manager app and change the management key:
# Basically, generate and protect with pin
# Recorded here: 19f22f18cb3b38ab1e13627cab5b7db3e34fe3d9e1aa153b
```

When the management key is PIN-protected it is stored on the Yubikey and unlocked with the PIN, so it does not have to be written down; anyone who can read a copy in shared notes can rewrite every slot on the key.

Test the key through PKCS#11:

```
brew install pkcs11-helper
brew install opensc
pkcs11-tool --test --login
# enter pin
```

To pair with your macOS login (the hash passed to `-h` is one of those printed by `sc_auth identities`):

```
sudo sc_auth identities
sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85
```
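## Scripted version of the setup

The setup steps above as one shell script. This is an added example, not part of the original notes: it assumes yubico-piv-tool, openssl and the AWS CLI (v1 or v2) are installed, and it takes the profile, region, CA ARN, subject and SAN address from environment variables (PROFILE, REGION, CA_ARN, SUBJECT, SAN_EMAIL, TEMPLATE_ARN, VALIDITY_DAYS are names chosen for this script, not from the page). It avoids the two snags the notes work around by hand: `fileb://` hands the CSR to the CLI as raw bytes on both versions, so no base64 step, and `--query Certificate` fetches only the leaf, so there is no tab-joined chain to split. It also refuses to import a certificate whose public key is not the one slot 9a generated. `split_pca_output` is for a tmp.crt that was already saved with plain `--output text`, and runs on a constructed sample so the splitting can be checked without a CA.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes yubico-piv-tool, openssl and the
# AWS CLI are installed. PROFILE, REGION, CA_ARN, SUBJECT, SAN_EMAIL, TEMPLATE_ARN and
# VALIDITY_DAYS are environment variables chosen for this script, not from the page.

# `acm-pca get-certificate --output text` tab-joins the Certificate and CertificateChain
# fields, which is why a saved tmp.crt contains `-----END CERTIFICATE-----<TAB>-----BEGIN`.
# Split such a file into a leaf file and a chain file.
# Usage: split_pca_output tmp.crt leaf.pem chain.pem
split_pca_output() {
    tr '\t' '\n' < "$1" | awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }   # n = which PEM block we are inside
        n == 1 { print > leaf; next }           # first block is the end-entity cert
        n >= 2 { print > chain }                # everything after it is the chain
    '
}

# Number of PEM certificate blocks in a file (sanity check after splitting).
pem_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample of what `--output text` emits: a leaf, a tab, then a two-certificate
# chain. The bodies are placeholders, not real certificates.
sample_text_output() {
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\nLEAF\n%s\t%s\nINTERMEDIATE\n%s\n%s\nROOT\n%s\n' "$b" "$e" "$b" "$e" "$b" "$e"
}

aws_pca() { aws --profile "$PROFILE" --region "$REGION" acm-pca "$@"; }

# Generate the slot 9a key, have the ACM PCA CA sign it and import the result.
# Not run on load; export the variables and call it explicitly.
enroll_yubikey() {
    : "${PROFILE:?}" "${REGION:?}" "${CA_ARN:?}" "${SUBJECT:?}" "${SAN_EMAIL:?}"
    TEMPLATE_ARN="${TEMPLATE_ARN:-arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1}"
    VALIDITY_DAYS="${VALIDITY_DAYS:-820}"

    # Key pair on the token; only the public half comes out. `verify` prompts for the PIN
    # so the slot can sign its own CSR.
    yubico-piv-tool --action=generate --slot 9a --algorithm RSA2048 --output tmp.pub
    yubico-piv-tool --action=verify --action=request --subject="$SUBJECT" \
        --algorithm=RSA2048 --hash=SHA256 --slot 9a --input tmp.pub --output tmp.csr

    # API passthrough: the EKUs and rfc822Name SAN the template does not add by itself.
    cat > tmp.policy <<EOF
{"Extensions": {"ExtendedKeyUsage": [{"ExtendedKeyUsageType": "CLIENT_AUTH"},
  {"ExtendedKeyUsageType": "SMART_CARD_LOGIN"}],
  "SubjectAlternativeNames": [{"Rfc822Name": "$SAN_EMAIL"}]}}
EOF

    # fileb:// passes the PEM as raw bytes on CLI v1 and v2 alike, so no manual base64.
    cert_arn=$(aws_pca issue-certificate --certificate-authority-arn "$CA_ARN" \
        --csr fileb://tmp.csr --signing-algorithm SHA512WITHECDSA \
        --template-arn "$TEMPLATE_ARN" --api-passthrough file://tmp.policy \
        --validity "Value=$VALIDITY_DAYS,Type=DAYS" --query CertificateArn --output text)

    # Issuance is asynchronous: block until the certificate exists, then fetch only the
    # leaf so there is no tab-joined chain to untangle.
    aws_pca wait certificate-issued --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn"
    aws_pca get-certificate --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn" \
        --query Certificate --output text > tmp.crt

    # Refuse to import a certificate whose public key is not the one slot 9a generated.
    want=$(openssl pkey -pubin -in tmp.pub -outform DER | openssl dgst -sha256)
    got=$(openssl x509 -in tmp.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$want" = "$got" ] || { echo "issued cert does not match the slot 9a key" >&2; return 1; }

    yubico-piv-tool --slot 9a --action verify --action import-certificate --input tmp.crt
    rm -f tmp.pub tmp.csr tmp.policy tmp.crt
}
```

Export the five required variables, source the file and call `enroll_yubikey`; `--validity` and the template default to the 820 days and the API passthrough template used above, and the CA chain still goes into slots 82 and 83 with `ykman` as in the notes.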