
Yubikey Notes

Duane's notes:

# generate root CA cert
openssl genrsa -out ca.key 2048
 
# Sign the root CA cert
#openssl req -config openssl-ca-cert.cnf -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=US/ST=Tennessee/L=Spring Hill/O=duckfez heavy industries/OU=launch services/CN=Duckfez Root CA G1"
 
openssl req -config openssl-ca-cert.cnf -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=Duckfez Root CA G10/OU=launch services/O=duckfez heavy industries/L=Spring Hill/ST=Tennessee/C=US"
 
cd ../intermediae
openssl genrsa -out ca.key 2048
 
openssl req   -new -key ca.key -out ca.req -subj "/CN=Duckfez Intermediate CA G2/OU=launch services/O=duckfez heavy industries/L=Spring Hill/ST=Tennessee/C=US"
 
# back in the root CA directory (cd ../root), sign the intermediate CSR with the root's ca.cnf
/usr/local/Cellar/openssl\@1.1/1.1.1i/bin/openssl ca -config ./ca.cnf -out intermediate.crt -extfile intermediate.extensions  -infiles ../intermediae/ca.req
 
cp intermediate.crt ../intermediae/ca.crt
cd ../intermediae/
 
 
# Generate RSA2048 on yubikey
#yubico-piv-tool -a generate -s 9a -A RSA2048
yubico-piv-tool  -a set-chuid
yubico-piv-tool -a verify -a set-chuid -a generate -s 9a -A RSA2048 -o yubikey.pub
 
# Generate basic CSR on yubikey
#yubico-piv-tool -s 9a -a verify -a request -S "/CN=Duane Waddle/OU=XDR People/O=AFS"
yubico-piv-tool -s 9a -a verify -a request -S "/CN=Duane Waddle/OU=XDR People/O=AFS" -i yubikey.pub -o yubi.req
 
# Extensions (contents of yubi.extensions, passed as -extfile when signing below)
basicConstraints=CA:FALSE
#subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash
crlDistributionPoints=URI:http://duckfez-heavy-industries.s3.amazonaws.com/ca.crl
 
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#authorityInfoAccess = @customerca_aia
#subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:duane.e.waddle@accenturefederal.com, email:duane.e.waddle@accenturefederal.com
subjectAltName = email:duane.waddle
 
[ my_subject_alt_names ]
email.1 = duane.e.waddle@accenturefederal.com
email.2 = duane.e.waddle
email.3 = duane.waddle
 
# Sign CSR from yubikey using private CA
/usr/local/Cellar/openssl\@1.1/1.1.1i/bin/openssl ca -config ./ca.cnf -out yubi.crt -extfile yubi.extensions -subj "/CN=Duane Waddle/OU=Ministry of silly walks/O=AFS/C=US/L=Spring Hill/ST=Tennessee" -infiles yubi.req
 
# import signed cert into yubikey
yubico-piv-tool -s 9a -a verify -a import-certificate -i yubi.crt
 
# Look at imported cert
ykman piv export-certificate 9a - | openssl x509 -text -noout
 
# Generate CRL
cd ../root/
openssl ca -config ./ca.cnf -gencrl -out ./ca.crl
 
# Upload CRL to S3 bucket
aws s3 cp ca.crl s3://duckfez-heavy-industries/ca.crl --profile=range-terraformer
 
# Validate it is readable
curl http://duckfez-heavy-industries.s3.amazonaws.com/ca.crl | openssl crl -text
 
cd ../intermediae/
openssl ca -config ./ca.cnf -gencrl -out ./intermediate.crl
aws s3 cp intermediate.crl s3://duckfez-heavy-industries/intermediate.crl --profile=range-terraformer

Purchase:

  • Yubikey FIPS

## Download the Yubikey manager:
https://www.yubico.com/support/download/yubikey-manager/
and install.

## Configure PIV:

Start yubikey manager
Go to applications->piv
change PIN:
1. Click 'use default' on origin pin
2. Have user set pin

# TODO:
Figure out PUK, and Management key best practices

## Certificate
Go to applications->PIV
Click on Configure Certificates
Stay on 'Authentication' and click 'Generate'
Select 'Certificate Signing Request'
Change to 'RSA2048'
Set the subject to email address (e.g. 'frederick.t.damstra@accenturefederal.com')
Click 'Generate'
Save the file someplace easy
You'll have to use the management key and the PIN.

## Sign the CSR
For now, using Duane's:
TODO: Make a real CA

cd ~/tmp/frederick_t_damstra/ca/intermediae
# path may vary, and I'm not sure why we need the cellar version. Copying Duane's notes here.
cp ca.cnf ca.cnf.duanes
vim ca.cnf
# Change organizationName, state, and country to optional
cp yubi.extensions yubi.extensions.duane
vim yubi.extensions
# Remove the SAN stuff, because we're just going to do it the easy way
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ~/Downloads/ftd.crt -extfile yubi.extensions -infiles ~/Downloads/ftd.csr
cat chain.pem ~/Downloads/ftd.crt > ~/Downloads/ftd.chain.crt

Back to yubi manager, import the ftd.chain.crt file
get an error, and abort.

Take 2: yubico-piv-tool

download yubico-piv-tool from https://developers.yubico.com/yubico-piv-tool/Releases/

generate a CSR:

yubico-piv-tool --pin=123456 --action=change-pin
yubico-piv-tool -a set-chuid
yubico-piv-tool -a verify -a set-chuid -a generate -s 9a -A RSA2048 -o ftd.pub
yubico-piv-tool -s 9a -a verify -a request -S "/CN=frederick.t.damstra@accenturefederal.com/OU=AFS XDR/O=AFS/" -i ftd.pub -o ftd.csr

Sign it:

cd ~/tmp/frederick_t_damstra/ca/intermediae
# path may vary, and I'm not sure why we need the cellar version. Copying Duane's notes here.
cp ca.cnf ca.cnf.duanes
vim ca.cnf
# Change organizationName, state, and country to optional
cp yubi.extensions yubi.extensions.duane
vim yubi.extensions
# Remove the SAN stuff, because we're just going to do it the easy way
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ~/Downloads/ftd.crt    -extfile yubi.extensions     -infiles ftd.csr
cat chain.pem ~/Downloads/ftd.crt > ~/Downloads/ftd.chain.crt
yubico-piv-tool -s 9a -a verify -a import-certificate -i ~/Downloads/ftd.chain.crt

yubico-piv-tool -s 9a -a verify -a import-certificate -i ftd.

Fred's new attempt at a local cert, no Yubikey

# generate a csr with a new key
cd ~/tmp/frederick_t_damstra/ca
openssl req -nodes -newkey rsa:2048 -keyout ftd-20210603.key -out ftd-20210603.csr
# Sign it
cd intermediae
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ../ftd-20210603.crt -extfile yubi.extensions -infiles ../ftd-20210603.csr
# Convert to something OSX can import
cd ..
openssl pkcs12 -export -clcerts -inkey ftd-20210603.key -in ftd-20210603.crt -out ftd-20210603.p12
# You *do* need a password

Then open keystore, go to "My Certificates", select 'Import items', and import ftd-20210603.p12. Then, double-click on the certificate, expand 'trust', and select 'always trust'.

This works! Wrong trust store in keycloak

Back to yubikey

This might be useful, but not for now

# This opens additional slots on the yubikey, which we need for the intermediate
# see https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888
echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -
yubico-piv-tool -a set-chuid
# Generate the key pair in slot 9a and write out the public key (prompts for the PIN)
yubico-piv-tool -a verify -a set-chuid -a generate -s 9a -A RSA2048 -o ftd-20210603-yubi.pub
 
# Generate basic CSR on yubikey
#yubico-piv-tool -s 9a -a verify -a request -S "/CN=Duane Waddle/OU=XDR People/O=AFS"
yubico-piv-tool -s 9a -a verify -a request -S "/CN=frederick.t.damstra@accenturefederal.com/" -i ftd-20210603-yubi.pub -o ftd-20210603-yubi.csr

# Sign it
cd intermediae
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ../ftd-20210603-yubi.crt -extfile yubi.extensions -infiles ../ftd-20210603-yubi.csr

# verify it
cd ..
openssl x509 -in ftd-20210603-yubi.crt -noout -text

# Import it
yubico-piv-tool -s 9a -a verify -a import-certificate -i ftd-20210603-yubi.crt

########

Yubikey that worked

yubico-piv-tool --action=generate -s 9a -o yubi3.pub
yubico-piv-tool --action=verify --action=request --subject="/CN=frederick.t.damstra@accenturefederal.com/" -s 9a -i yubi3.pub -o yubu3.csr
cd intermediae
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ../yubi3.crt -extfile yubi.extensions -infiles ../yubu3.csr
cd ..
yubico-piv-tool -s 9a -a verify -a import-certificate -i yubi3.crt
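Added check, not part of either set of notes above: a POSIX shell script that builds a throwaway root CA and a leaf signed with the same extension set as yubi.extensions, then verifies the leaf for client authentication the way a relying party would and counts the certificates in a PEM file before import (a PIV slot holds a single certificate, so the file fed to import-certificate should contain exactly one). It assumes openssl is on PATH; every name, path and the example.test address is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the notes: throwaway root + leaf with the notes'
# yubi.extensions extension set, then relying-party style checks on the leaf.
# Assumes openssl on PATH; all names and paths below are constructed.
set -eu

make_test_pki() {                       # $1 = scratch directory
  d="$1"; mkdir -p "$d"
  cat > "$d/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: the KU/EKU set the notes use for the PIV 9a (auth) slot.
  cat > "$d/yubi.extensions" <<'EOF'
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = email:someone@example.test
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -config "$d/root.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config "$d/root.cnf" \
    -subj "/CN=someone@example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/yubi.extensions" -out "$d/leaf.crt" 2>/dev/null
  cat "$d/ca.crt" "$d/leaf.crt" > "$d/leaf.chain.crt"   # a root+leaf bundle like ftd.chain.crt
}

# Number of certificates in a PEM file; a PIV slot takes exactly one.
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Returns 0 only if LEAF chains to ROOT and is usable as a TLS client / logon cert.
check_client_cert() {                   # $1 = root cert, $2 = leaf cert
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication'
}
```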