
Yubikey Notes

Install needed software

brew install yubico-piv-tool
brew install ykman

When you plug in the Yubikey, macOS may open the Keyboard Setup Assistant (it enumerates as a USB keyboard); you can just close it.

Yubikey setup with AWS CA

Notably, this does not include any of the Yubikey lockdown work to secure them.

Reset the Yubikey PIV (optional)

yubico-piv-tool -a reset

If you get `Reset failed, are pincodes blocked?`, the PIN and PUK retry counters have not been exhausted yet; a PIV reset is only allowed once both are blocked. Reset via the YubiKey Manager instead (the app, or the `piv reset` action of ykman), which blocks the counters and resets in one step.

Initialize the PIV data objects (CHUID and CCC). Some hosts will not treat the key as a smart card without them; macOS in particular needs the CCC:

yubico-piv-tool -a set-chuid
yubico-piv-tool -a set-ccc

Change the PIN (123456 is the factory default):

yubico-piv-tool -a change-pin -P 123456
Enter new pin:
Verifying - Enter new pin:
Successfully changed the pin code.

Generate a new private/public key pair in slot 9a (PIV Authentication). The private key never leaves the device; the public key file is only needed as input for the CSR, so there is no need to preserve the generated files after these steps are completed.

yubico-piv-tool --action=generate -s 9a -o tmp.pub

Generate a CSR. The `verify` action prompts for the PIN so the device can sign the request with the key in 9a:

yubico-piv-tool --action=verify --action=request --subject="/CN=brad.poulton@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr

Re-encode the CSR

To re-encode the PEM CSR as base64 for the CLI:

openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64

Sign the CSR

  • For Template information, see https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html (remember to change the arn partition to aws-us-gov)
  • Validity is currently 2 years + 90 day grace period = 730 + 90 = 820 days

For the tmp.policy, See https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

cat <<EOF > tmp.policy
{
  "Extensions": {
    "ExtendedKeyUsage": [
      { "ExtendedKeyUsageType": "CLIENT_AUTH" },
      { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }
    ],
    "SubjectAlternativeNames": [
      { "Rfc822Name": "brad.poulton@accenturefederal.com" },
      { "Rfc822Name": "brad.poulton@accenturefederalcyber.com" }
    ]
  }
}
EOF

Optional: to also carry a Microsoft UPN SAN (OID 1.3.6.1.4.1.311.20.2.3, what Windows smart card logon matches on), add an OtherName entry inside the SubjectAlternativeNames array. Note that ACM PCA takes the OID in TypeId and the UPN string in Value; it does not accept the OpenSSL-style `oid;UTF8:value` form:

      {
        "OtherName": {
          "TypeId": "1.3.6.1.4.1.311.20.2.3",
          "Value": "duane.e.waddle@accenturefederal.com"
        }
      }

Issue the certificate:

aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
  --api-passthrough file://./tmp.policy \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
  --csr file://./tmp.csr.b64 \
  --signing-algorithm SHA512WITHECDSA \
  --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1 \
  --validity Value=820,Type=DAYS 

Output should be something like:

{
    "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
}

Get the certificate that was issued. Be sure to update the certificate-arn to what you got.

aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
    --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
    --certificate-arn <insert-certificate-arn-here> \
    --output text > tmp.crt

Fix the file

This is not really a bug: `get-certificate` returns two fields, Certificate and CertificateChain, and `--output text` prints them on one line separated by a tab. Right now tmp.crt therefore has a tab in place of a newline between the leaf certificate and the chain, which breaks PEM parsing.

vim tmp.crt
# find the line that says `-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----` and separate into two lines
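The same repair, scripted, as an added example that is not part of the original notes: it replaces the tab with a newline, refuses a file where two PEM markers share a line, and splits the result into the leaf (which `import-certificate` needs first) and the chain. The input below is a constructed stand-in with placeholder base64 bodies, not a real certificate; on a real run you would point it at tmp.crt.

```sh
#!/bin/sh
# Added example: normalize the tab-joined output of
# `aws acm-pca get-certificate --output text` into a usable PEM bundle.

# Constructed sample (not real certificates): leaf and chain joined by a tab,
# exactly the shape --output text produces. Bodies are dummy base64.
TAB="$(printf '\t')"
LEAF="-----BEGIN CERTIFICATE-----
TEFGLUxFQUY=
-----END CERTIFICATE-----"
CHAIN="-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----"
SAMPLE_TAB_JOINED="${LEAF}${TAB}${CHAIN}"

# Reject a bundle where an END marker and a BEGIN marker share a line (the
# tab-joined case), or where BEGIN/END markers do not pair up.
check_bundle() {
    if grep -q -- '-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----' "$1"; then
        return 1
    fi
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1")
    [ "$b" -ge 1 ] && [ "$b" -eq "$e" ]
}

# Turn every tab into a newline so each PEM marker sits on its own line.
normalize_bundle() {
    tr '\t' '\n' < "$1" > "$2"
}

# Number of certificates in a (normalized) PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print certificate N (1-based) of a normalized bundle.
extract_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Print everything after the first certificate: the CA chain.
extract_chain() {
    awk '/-----END CERTIFICATE-----/ && !seen { seen = 1; next } seen { print }' "$1"
}

# Demo on the constructed sample; with real data the input is tmp.crt.
WORK="$(mktemp -d)"
printf '%s\n' "$SAMPLE_TAB_JOINED" > "$WORK/raw.txt"
check_bundle "$WORK/raw.txt" || echo "raw.txt: PEM markers share a line (tab-joined output)"
normalize_bundle "$WORK/raw.txt" "$WORK/bundle.pem"
extract_cert "$WORK/bundle.pem" 1 > "$WORK/leaf.crt"     # what import-certificate needs
extract_chain "$WORK/bundle.pem" > "$WORK/chain.crt"    # intermediate(s) and root
echo "certificates in bundle: $(count_certs "$WORK/bundle.pem")"
```

Simpler still is to avoid the join at the source: `--query Certificate --output text` writes only the leaf, and a second call with `--query CertificateChain --output text` writes the chain, each as clean PEM.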

Import the cert to the key. The leaf certificate must be the first block in tmp.crt; it is what gets stored alongside the key in 9a:

yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt

Import the root and intermediate CAs into two of the retired key slots (82 and 83) so the chain travels with the key:

# cd to the infrastructure-notes location
ykman piv certificates import 82 infrastructure-notes/files/xdr_subordinate_ca.identity.crt
ykman piv certificates import 83 infrastructure-notes/files/xdr_root_ca.crt

Add Certificates to Keychain Access

Open Keychain Access on Mac. Category > All Items

Open finder window to infrastructure-notes/files

Drag and drop xdr_root_ca.crt and xdr_subordinate_ca.identity.crt into the Keychain Access "All Items" window.

Set trust on the root CA to "Always Trust": double-click the certificate, expand Trust, and change the dropdown to "Always Trust". You will be prompted for your macOS login password.

Remove and reinsert the Yubikey

This may be necessary for Chrome and other browsers to see the newly imported certificate.

Ensure the new user has been created in Keycloak

Have a Keycloak administrator add your user at https://auth.xdr.accenturefederalcyber.com/auth/admin.

Other useful commands

Check Status:

$ yubico-piv-tool --slot 9a --action status
Version:	4.4.5
Serial Number:	12692795
CHUID:	No data available
CCC:	No data available
Slot 9a:
	Algorithm:	RSA2048
	Subject DN:	CN=frederick.t.damstra@accenturefederal.com, C=US, ST=VA, L=Arlington, OU=XDR, O=AFS
	Issuer DN:	C=US, O=Accenture Federal Services, OU=XDR, CN=XDR Subordinate CA #1
	Fingerprint:	ba6d2cec780dd397a634e9ace59a9739417f9687bfd42c3f3edafaaf89898337
	Not Before:	Jul  7 12:50:21 2021 GMT
	Not After:	Oct  5 13:50:21 2023 GMT
PIN tries left:	3

Read the certificate:

$ yubico-piv-tool --slot 9a --action read-certificate
-----BEGIN CERTIFICATE-----
...

Validate:

$ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text
Certificate:
    Data:
        Version: ...

Troubleshooting

# Required for Windows?
yubico-piv-tool -a set-chuid
# Required for macOS
yubico-piv-tool -a set-ccc

# 12345678 is the factory default PUK; change it, or a stolen key can have its PIN unblocked
yubico-piv-tool -a change-puk -P 12345678
# Enter new code

# Start the YubiKey Manager app and change the management key:
# Basically, generate a new key and choose "protect with PIN", which stores it on the
# device so the PIN alone authorizes slot writes. The management key is what authorizes
# writing keys and certificates to the device; treat it like a password and keep it out of shared notes.
Recorded here: 19f22f18cb3b38ab1e13627cab5b7db3e34fe3d9e1aa153b

brew install pkcs11-helper
brew install opensc
pkcs11-tool --test --login
# enter pin

To pair with your MacBook login (the hash argument is the identity hash printed by `sc_auth identities`):

sudo sc_auth identities
sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85

For Firefox

  1. brew install opensc
  2. In Firefox, go to about:config, search for "security.enterprise" and set security.enterprise_roots.enabled to True
  3. In Firefox, go to Settings->Preferences, then Privacy & Security, then find Certificates and click the button marked 'Security Devices'.
  4. Click 'Load'
  5. Enter OpenSC PKCS#11 in the module name field.
  6. Enter /usr/local/lib/opensc-pkcs11.so in the Load box (on an Apple Silicon Mac, Homebrew installs under /opt/homebrew/lib instead).
  7. Click "OK".

Should be good to go!