brew install yubico-piv-tool
brew install ykman
When you plug in the YubiKey, macOS may open the Keyboard Setup Assistant; you can close it.
Note that this procedure only provisions the PIV certificate. It does not include any of the YubiKey lockdown work needed to secure the key itself.
Reset the YubiKey PIV application (optional; this wipes every key and certificate in the PIV slots)
yubico-piv-tool -a reset
If you get `Reset failed, are pincodes blocked?`, reset via YubiKey Manager instead. The PIV reset only succeeds once both the PIN and the PUK are blocked; `ykman piv reset` takes care of that for you.
Write the CHUID and CCC objects (random identifiers that the OS smart card stacks expect to find on the card):
yubico-piv-tool -a set-chuid
yubico-piv-tool -a set-ccc
Change the PIN (the factory default PIN is 123456):
yubico-piv-tool -a change-pin -P 123456
Enter new pin:
Verifying - Enter new pin:
Successfully changed the pin code.
Generate a new key pair in slot 9a (PIV Authentication). The private key is generated on the YubiKey and never leaves it; `tmp.pub` is only the public key. There is no need to preserve any of the tmp.* files after these steps are completed.
yubico-piv-tool --action=generate -s 9a -o tmp.pub
Generate a CSR for that public key (substitute your own subject):
yubico-piv-tool --action=verify --action=request --subject="/CN=brad.poulton@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr
Re-encode the CSR as base64. The AWS CLI v2 reads `file://` blob parameters as base64 by default (`cli_binary_format`), so:
openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64
For the fields available in tmp.policy, see https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html
cat <<EOF > tmp.policy
{
  "Extensions": {
    "ExtendedKeyUsage": [
      { "ExtendedKeyUsageType": "CLIENT_AUTH" },
      { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }
    ],
    "SubjectAlternativeNames": [
      { "Rfc822Name": "brad.poulton@accenturefederal.com" },
      { "Rfc822Name": "brad.poulton@accenturefederalcyber.com" }
    ]
  }
}
EOF
Possibly also a UPN in the SAN (untested). 1.3.6.1.4.1.311.20.2.3 is the Microsoft User Principal Name OID; in the ACM PCA API an `OtherName` entry in `SubjectAlternativeNames` takes the OID in `TypeId` and the UPN string in `Value`:
"OtherName": {
  #"TypeId": "string",
  "Value": "1.3.6.1.4.1.311.20.2.3;UTF8:duane.e.waddle@accenturefederal.com"
},
Issue the certificate (the signing algorithm must match the CA's key type):
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
--api-passthrough file://./tmp.policy \
--certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
--csr file://./tmp.csr.b64 \
--signing-algorithm SHA512WITHECDSA \
--template-arn arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1 \
--validity Value=820,Type=DAYS
The output should look something like:
{
  "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
}
Get the certificate that was issued. Be sure to use the certificate ARN you got back above. With `--output text` the CLI prints the `Certificate` and `CertificateChain` fields on a single record separated by a tab, which is why tmp.crt ends up with `-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----` run together on one line. Select only the leaf certificate with `--query`:
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
--certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
--certificate-arn <insert-certificate-arn-here> \
--query Certificate --output text > tmp.crt
If you already have the combined file, open it in vim and split that line in two: the first block is the leaf certificate, everything after it is the chain.
Import the certificate into slot 9a on the YubiKey:
yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt
Import the root and intermediate CA certificates into retired slots 82 and 83 so the card carries the full chain
# cd to the infrastructure-notes checkout
ykman piv certificates import 82 infrastructure-notes/files/xdr_subordinate_ca.identity.crt
ykman piv certificates import 83 infrastructure-notes/files/xdr_root_ca.crt
Add the CA certificates to Keychain Access
Open Keychain Access on the Mac and select Category > All Items.
Open a Finder window at infrastructure-notes/files.
Drag and drop xdr_root_ca.crt and xdr_subordinate_ca.identity.crt into the Keychain Access All Items window.
Set the root CA to Always Trust: double-click the certificate, expand Trust, and change the dropdown to "Always Trust". You will be prompted for your computer password.
This may be necessary for Chrome and other browsers to see and trust the new certificate.
Have a Keycloak administrator add your user at https://auth.xdr.accenturefederalcyber.com/auth/admin.
Check status:
$ yubico-piv-tool --slot 9a --action status
Version:        4.4.5
Serial Number:  12692795
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     CN=frederick.t.damstra@accenturefederal.com, C=US, ST=VA, L=Arlington, OU=XDR, O=AFS
        Issuer DN:      C=US, O=Accenture Federal Services, OU=XDR, CN=XDR Subordinate CA #1
        Fingerprint:    ba6d2cec780dd397a634e9ace59a9739417f9687bfd42c3f3edafaaf89898337
        Not Before:     Jul  7 12:50:21 2021 GMT
        Not After:      Oct  5 13:50:21 2023 GMT
PIN tries left: 3
Read the certificate:
$ yubico-piv-tool --slot 9a --action read-certificate
-----BEGIN CERTIFICATE-----
...
Validate:
$ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text
Certificate:
    Data:
        Version: ...
### Troubleshooting
Re-create the CHUID and CCC and change the PUK (the factory default PUK is 12345678):
yubico-piv-tool -a set-chuid
yubico-piv-tool -a set-ccc
yubico-piv-tool -a change-puk -P 12345678
Recorded here: 19f22f18cb3b38ab1e13627cab5b7db3e34fe3d9e1aa153b
Test the PKCS#11 path with OpenSC:
brew install pkcs11-helper
brew install opensc
pkcs11-tool --test --login
To pair the certificate with your macOS login (the hash is the one shown for your identity by `sc_auth identities`):
sudo sc_auth identities
sudo sc_auth pair -u duane.e.waddle -h 6457632695DEB718A2D13BC1E6F038F82CB7AB85
Firefox: in about:config set `security.enterprise_roots.enabled` to `true` so Firefox trusts the CA certificates you added to the macOS keychain. Then load the OpenSC PKCS#11 module (install it with `brew install opensc` if you have not already):
Open Settings > Privacy & Security, scroll down to Certificates and click the button marked 'Security Devices'.
Click 'Load', enter `OpenSC PKCS#11` in the module name field and `/usr/local/lib/opensc-pkcs11.so` in the module filename field (on Apple silicon, Homebrew installs it under /opt/homebrew/lib/ instead).
Should be good to go!