# Yubikey Notes

## Yubikey setup with AWS CA

Note that these steps do not include any of the Yubikey lockdown work needed to secure the keys themselves.

  1. Reset the Yubikey PIV (optional)

    yubico-piv-tool -a reset
    

If you get `Reset failed, are pincodes blocked?`, reset via the YubiKey Manager app instead.

  1. Have the PIV applet generate its CHUID and CCC objects

    # Required for Windows?
    yubico-piv-tool -a set-chuid
    # Required for macOS
    yubico-piv-tool -a set-ccc

  2. Change the PIN (123456 is the factory default):

    yubico-piv-tool -a change-pin -P 123456
    Enter new pin:
    Verifying - Enter new pin:
    Successfully changed the pin code.

  3. Generate a new private/public key pair in slot 9a (the authentication slot). There is no need to preserve the generated files after these steps are completed.

    yubico-piv-tool --action=generate -s 9a -o tmp.pub
    
  4. Generate a CSR

    yubico-piv-tool --action=verify --action=request --subject="/CN=frederick.t.damstra@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr
    
  5. Sign the CSR

  • For template information, see https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html (remember to change the ARN partition to aws-us-gov)
  • Validity is currently 2 years + 90 day grace period = 820 days

For the tmp.policy, see https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

    cat <<EOF > tmp.policy
    {
      "Extensions": {
        "ExtendedKeyUsage": [
          { "ExtendedKeyUsageType": "CLIENT_AUTH" },
          { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }
        ],
        "SubjectAlternativeNames": [
          { "Rfc822Name": "frederick.t.damstra@accenturefederal.com" },
          { "Rfc822Name": "frederick.t.damstra@accenturefederalcyber.com" }
        ]
      }
    }
    EOF

Maybe also add an OtherName SAN (the OID below is the Microsoft UPN type) to the policy:

    "OtherName": {
      #"TypeId": "string",
      "Value": "1.3.6.1.4.1.311.20.2.3;UTF8:duane.e.waddle@accenturefederal.com"
    },

Then issue the certificate:

    aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
      --api-passthrough file://./tmp.policy \
      --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
      --csr file://./tmp.csr \
      --signing-algorithm SHA512WITHECDSA \
      --template-arn arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1 \
      --validity Value=820,Type=DAYS

Output should be something like:

    {
        "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
    }

**May need to base64 encode the CSR.** Duane's machine required it, but Fred's did not. To re-encode as base64:

    openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64

  1. Get the certificate that was issued

    aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
    --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
    --certificate-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886 \
    --output text > tmp.crt
    
  2. Fix the file

With `--output text` the CLI prints the Certificate and CertificateChain fields on one line separated by a tab, so tmp.crt has a tab in place of a newline between the two PEM blocks.

    vim tmp.crt
    # find the line that says `-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----` and separate it into two lines

  1. Import the certificate into slot 9a on the Yubikey

    yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt
    
  2. Import the root and intermediate CAs

    ykman piv certificates import 82 ~/infrastructure-notes/files/xdr_subordinate_ca.identity.crt
    ykman piv certificates import 83 ~/infrastructure-notes/files/xdr_root_ca.crt
    
  3. Remove and reinsert the Yubikey

Removing and reinserting the key may be necessary for Chrome and other browsers to pick up the new certificate.
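The "Fix the file" step above can be scripted instead of editing tmp.crt by hand. This is an added example (stdlib Python, not part of the original notes): it splits the `--output text` result into one clean PEM block per certificate, checks that each block decodes to DER, and writes the leaf and the chain to separate files (`tmp.leaf.crt` and `tmp.chain.crt` are names chosen here) so the leaf can be imported on its own.

```python
import base64
import binascii
import re
import sys
from typing import List, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM block; the \s* tolerates the tab that `--output text` puts between
# the END line of the leaf and the BEGIN line of the chain.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem_blocks(text: str) -> List[str]:
    """Return every certificate in `text` as a clean 64-column PEM block.

    Blocks may be separated by newlines, a tab or nothing. Each body must be
    valid base64 whose DER starts with a SEQUENCE tag (0x30), as X.509 does.
    """
    blocks = []
    for body in _PEM_RE.findall(text):
        b64 = "".join(body.split())  # drop any whitespace inside the body
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64: %s" % exc)
        if not der or der[0] != 0x30:
            raise ValueError("decoded block is not a DER SEQUENCE; not a certificate")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([BEGIN, *lines, END]) + "\n")
    return blocks

def fix_acm_pca_output(text: str) -> Tuple[str, str]:
    """Split `get-certificate --output text` into (leaf, chain).

    ACM PCA prints the issued Certificate first and CertificateChain second.
    """
    blocks = split_pem_blocks(text)
    if not blocks:
        raise ValueError("no certificate found in input")
    return blocks[0], "".join(blocks[1:])

if __name__ == "__main__":  # hypothetical usage: python3 fix_cert.py [tmp.crt]
    with open(sys.argv[1] if len(sys.argv) > 1 else "tmp.crt") as fh:
        leaf, chain = fix_acm_pca_output(fh.read())
    for name, data in (("tmp.leaf.crt", leaf), ("tmp.chain.crt", chain)):
        with open(name, "w") as fh:
            fh.write(data)
    print("wrote tmp.leaf.crt and tmp.chain.crt (%d certs)" % (1 + chain.count(BEGIN)))
```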

## Other useful commands

Check status:

    $ yubico-piv-tool --slot 9a --action status
    Version:	4.4.5
    Serial Number:	12692795
    CHUID:	No data available
    CCC:	No data available
    Slot 9a:
    	Algorithm:	RSA2048
    	Subject DN:	CN=frederick.t.damstra@accenturefederal.com, C=US, ST=VA, L=Arlington, OU=XDR, O=AFS
    	Issuer DN:	C=US, O=Accenture Federal Services, OU=XDR, CN=XDR Subordinate CA #1
    	Fingerprint:	ba6d2cec780dd397a634e9ace59a9739417f9687bfd42c3f3edafaaf89898337
    	Not Before:	Jul  7 12:50:21 2021 GMT
    	Not After:	Oct  5 13:50:21 2023 GMT
    PIN tries left:	3

Read the certificate:

    $ yubico-piv-tool --slot 9a --action read-certificate
    -----BEGIN CERTIFICATE-----
    ...

Validate:

    $ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text
    Certificate:
        Data:
            Version: ...

### Troubleshooting

Required for Windows?

    yubico-piv-tool -a set-chuid

Required for macOS

    yubico-piv-tool -a set-ccc

Change the PUK (12345678 is the factory default):

    yubico-piv-tool -a change-puk -P 12345678
    Enter new code

Start the YubiKey Manager app and change the management key: generate a new one and protect it with the PIN.

Recorded here: 19f22f18cb3b38ab1e13627cab5b7db3e34fe3d9e1aa153b

Test PKCS#11 access to the key (enter the PIN when prompted):

    brew install pkcs11-helper
    brew install opensc
    pkcs11-tool --test --login



To pair with your MacBook login:

    sudo sc_auth identities
    sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85