
Yubikey Notes

Duane's notes;

# generate root CA cert
openssl genrsa -out ca.key 2048
 
# Sign the root CA cert
#openssl req -config openssl-ca-cert.cnf -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=US/ST=Tennessee/L=Spring Hill/O=duckfez heavy industries/OU=launch services/CN=Duckfez Root CA G1"
 
openssl req -config openssl-ca-cert.cnf -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=Duckfez Root CA G10/OU=launch services/O=duckfez heavy industries/L=Spring Hill/ST=Tennessee/C=US"
 
cd ../intermediate
openssl genrsa -out ca.key 2048
 
openssl req   -new -key ca.key -out ca.req -subj "/CN=Duckfez Intermediate CA G2/OU=launch services/O=duckfez heavy industries/L=Spring Hill/ST=Tennessee/C=US"
 
/usr/local/Cellar/openssl\@1.1/1.1.1i/bin/openssl ca -config ./ca.cnf -out intermediate.crt -extfile intermediate.extensions  -infiles ../intermediae/ca.req
 
cp intermediate.crt ../intermediae/ca.crt
cd ../intermediae/
 
 
# Generate RSA2048 on yubikey
#yubico-piv-tool -a generate -s 9a -A RSA2048
yubico-piv-tool  -a set-chuid
yubico-piv-tool -a verify -a set-chuid -a generate -s 9a -A RSA2048 -o yubikey.pub
 
# Generate basic CSR on yubikey
#yubico-piv-tool -s 9a -a verify -a request -S "/CN=Duane Waddle/OU=XDR People/O=AFS"
yubico-piv-tool -s 9a -a verify -a request -S "/CN=Duane Waddle/OU=XDR People/O=AFS" -i yubikey.pub -o yubi.req
 
# Extensions
basicConstraints=CA:FALSE
#subjectAltName=@my_subject_alt_names
subjectKeyIdentifier = hash
crlDistributionPoints=URI:http://duckfez-heavy-industries.s3.amazonaws.com/ca.crl
 
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection, msSmartcardLogin
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
#authorityInfoAccess = @customerca_aia
#subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:duane.e.waddle@accenturefederal.com, email:duane.e.waddle@accenturefederal.com
subjectAltName = email:duane.waddle
 
[ my_subject_alt_names ]
email.1 = duane.e.waddle@accenturefederal.com
email.2 = duane.e.waddle
email.3 = duane.waddle
 
# Sign CSR from yubikey using private CA
/usr/local/Cellar/openssl\@1.1/1.1.1i/bin/openssl ca -config ./ca.cnf -out yubi.crt -extfile yubi.extensions -subj "/CN=Duane Waddle/OU=Ministry of silly walks/O=AFS/C=US/L=Spring Hill/ST=Tennessee" -infiles yubi.req
 
# import signed cert into yubikey
yubico-piv-tool -s 9a -a verify -a import-certificate -i yubi.crt
 
# Look at imported cert
ykman piv export-certificate 9a - | openssl x509 -text -noout
 
# Generate CRL
cd ../root/
openssl ca -config ./ca.cnf -gencrl -out ./ca.crl
 
# Upload CRL to S3 bucket
aws s3 cp ca.crl s3://duckfez-heavy-industries/ca.crl --profile=range-terraformer
 
# Validate it is readable
curl http://duckfez-heavy-industries.s3.amazonaws.com/ca.crl | openssl crl -text
 
cd ../intermediae/
openssl ca -config ./ca.cnf -gencrl -out ./intermediate.crl
aws s3 cp intermediate.crl s3://duckfez-heavy-industries/intermediate.crl --profile=range-terraformer

Purchase:

  • Yubikey FIPS

## Download the Yubikey manager:
https://www.yubico.com/support/download/yubikey-manager/
and install.

## Configure PIV:

Start yubikey manager
Go to applications->piv
change PIN:
1. Click 'use default' on the original PIN
2. Have user set pin

# TODO:
Figure out PUK, and Management key best practices

## Certificate
Go to applications->PIV
Click on Configure Certificates
Stay on 'Authentication' and click 'Generate'
Select 'Certificate Signing Request'
Change to 'RSA2048'
Set the subject to email address (e.g. 'frederick.t.damstra@accenturefederal.com')
Click 'Generate'
Save the file someplace easy
You'll have to use the management key and the PIN.

## Sign the CSR
For now, using Duane's:
TODO: Make a real CA

cd ~/tmp/frederick_t_damstra/ca/intermediae
# path may vary, and I'm not sure why we need the cellar version. Copying Duane's notes here.
cp ca.cnf ca.cnf.duanes
vim ca.cnf
# Change organizationName, state, and country to optional
cp yubi.extensions yubi.extensions.duane
vim yubi.extensions
# Remove the san stuff, because we're just going to do it the easy way
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ~/Downloads/ftd.crt -extfile yubi.extensions -infiles ~/Downloads/ftd.csr
cat chain.pem ~/Downloads/ftd.crt > ~/Downloads/ftd.chain.crt


Back to yubi manager, import the ftd.chain.crt file
get an error, and abort.

Take 2: yubikey-piv-tool

download yubikey-piv-tool from https://developers.yubico.com/yubico-piv-tool/Releases/

generate a CSR:

yubico-piv-tool --pin=123456 --action=change-pin
yubico-piv-tool -a set-chuid
yubico-piv-tool -a verify -a set-chuid -a generate -s 9a -A RSA2048 -o ftd.pub
yubico-piv-tool -s 9a -a verify -a request -S "/CN=frederick.t.damstra@accenturefederal.com/OU=AFS XDR/O=AFS/" -i ftd.pub -o ftd.csr

Sign it:

cd ~/tmp/frederick_t_damstra/ca/intermediae
# path may vary, and I'm not sure why we need the cellar version. Copying Duane's notes here.
cp ca.cnf ca.cnf.duanes
vim ca.cnf
# Change organizationName, state, and country to optional
cp yubi.extensions yubi.extensions.duane
vim yubi.extensions
# Remove the san stuff, because we're just going to do it the easy way
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ~/Downloads/ftd.crt    -extfile yubi.extensions     -infiles ftd.csr
cat chain.pem ~/Downloads/ftd.crt > ~/Downloads/ftd.chain.crt
yubico-piv-tool -s 9a -a verify -a import-certificate -i ~/Downloads/ftd.chain.crt

yubico-piv-tool -s 9a -a verify -a import-certificate -i ftd.

Fred's new attempt at a local cert, no yubikey

# generate a csr with a new key
cd ~/tmp/frederick_t_damstra/ca
openssl req -nodes -newkey rsa:2048 -keyout ftd-20210603.key -out ftd-20210603.csr
# Sign it
cd intermediae
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ../ftd-20210603.crt -extfile yubi.extensions -infiles ../ftd-20210603.csr
# Convert to something OSX can import
cd ..
openssl pkcs12 -export -clcerts -inkey ftd-20210603.key -in ftd-20210603.crt -out ftd-20210603.p12
# You *do* need a password

Then open keystore, go to "My Certificates", select 'Import items', and import ftd-20210603.p12. Then, double-click on the certificate, expand 'trust', and select 'always trust'.

This works! Wrong trust store in keycloak

Back to yubikey

This might be useful, but not for now

# This opens additional slots on the yubikey, which we need for the intermediate
# see https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888
echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -
yubico-piv-tool -a set-chuid
# Generate pin and public key
yubico-piv-tool -a verify -a set-chuid -a generate -s 9a -A RSA2048 -o ftd-20210603-yubi.pub
# enter pin
 
# Generate basic CSR on yubikey
#yubico-piv-tool -s 9a -a verify -a request -S "/CN=Duane Waddle/OU=XDR People/O=AFS"
yubico-piv-tool -s 9a -a verify -a request -S "/CN=frederick.t.damstra@accenturefederal.com/" -i ftd-20210603-yubi.pub -o ftd-20210603-yubi.csr

# Sign it
cd intermediae
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ../ftd-20210603-yubi.crt -extfile yubi.extensions -infiles ../ftd-20210603-yubi.csr

# verify it
cd ..
openssl x509 -in ftd-20210603-yubi.crt -noout -text

# Import it
yubico-piv-tool -s 9a -a verify -a import-certificate -i ftd-20210603-yubi.crt

########

Yubikey that worked

yubico-piv-tool --action=generate -s 9a -o yubi3.pub
yubico-piv-tool --action=verify --action=request --subject="/CN=frederick.t.damstra@accenturefederal.com/" -s 9a -i yubi3.pub -o yubu3.csr
cd intermediae
/usr/local/Cellar/openssl\@1.1/1.1.1k/bin/openssl ca -config ./ca.cnf -out ../yubi3.crt -extfile yubi.extensions -infiles ../yubu3.csr
cd ..
yubico-piv-tool -s 9a -a verify -a import-certificate -i yubi3.crt

2021-07-06 - Generating a "realistic" prototype CSR

Analysis of my old PIV card

  • 9a - PIV Authentication
  • 9c - Digital Signature
  • 9d - Key Management
  • 9e - Card Authentication

9a PIV Authentication: Country: US Organization: U.S. Govern


  1. Reset the PIV

    yubico-piv-tool -a reset
    

If you get `Reset failed, are pincodes blocked?`, reset via the YubiKey Manager instead.

  2. Change the PIN:

    yubico-piv-tool -achange-pin -P123456
    Enter new pin:
    Verifying - Enter new pin:
    Successfully changed the pin code.
    
    
  3. Generate a new private/public key pair. There is no need to preserve the generated pub key after these steps are completed.

    yubico-piv-tool --action=generate -s 9a -o tmp.pub
    
  4. Generate a CSR

    yubico-piv-tool --action=verify --action=request --subject="/CN=frederick.t.damstra@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=AFS/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub  -o tmp.csr
    
  5. Sign the CSR

TODO Figure out the best template?

For the tmp.policy, See https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html

cat <<EOF > tmp.policy
{
  "Extensions": {

    "SubjectAlternativeNames": [
      { "Rfc822Name": "frederick.t.damstra@accenturefederal.com" },
      { "Rfc822Name": "frederick.t.damstra@accenturefederalcyber.com" }
    ]
  }
}
EOF

Also tried this policy:

{
  "Extensions": {
    "ExtendedKeyUsage": [
      { "ExtendedKeyUsageType": "CLIENT_AUTH" },
      { "ExtendedKeyUsageType": "SMART_CARD_LOGIN" }
    ],
    "KeyUsage": {
      "DigitalSignature": true,
      "KeyEncipherment": true,
      "DataEncipherment": true,
      "KeyAgreement": true,
      "KeyCertSign": false,
      "CRLSign": false,
      "EncipherOnly": false,
      "DecipherOnly": false
    },
    "SubjectAlternativeNames": [
      { "Rfc822Name": "frederick.t.damstra@accenturefederal.com" },
      { "Rfc822Name": "frederick.t.damstra@accenturefederalcyber.com" }
    ]
  }
}

aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
  --api-passthrough file://./tmp.policy \
  --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3 \
  --csr file://./tmp.csr \
  --signing-algorithm SHA256WITHRSA \
  --template-arn arn:aws-us-gov:acm-pca:::template/BlankEndEntityCertificate_APICSRPassthrough/V1 \
  --validity Value=820,Type=DAYS

output should be something like:

{
    "CertificateArn": "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886"
}

  6. Get the certificate that was issued

    aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
    --certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3 \
    --certificate-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/31c0098a-2bef-4033-9a59-9b2ec0dad0b3/certificate/543c2f65792c3b79bfa78e1a81163886 \
    --output text > tmp.crt
    
  7. Fix the file

This looks like a bug, but it is how `--output text` works: the CLI prints the `Certificate` and `CertificateChain` response fields tab-separated on one line, so right now tmp.crt has a tab in place of a newline.

vim tmp.crt
# find the line that says `-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----` and separate into two lines

  8. Import the cert to the key

    yubico-piv-tool -s 9a -a verify -a import-certificate -i tmp.crt
    
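The "fix the file" step above can be done without hand-editing. This is an added example, not part of the notes: it takes the raw output of `aws acm-pca get-certificate` (either the tab-joined `--output text` form or the default JSON form), splits it into clean PEM blocks, and separates the issued leaf certificate from the chain. The sample input and the base64 bodies in it are constructed placeholders, not real certificates.

```python
"""Normalise `aws acm-pca get-certificate` output into separate PEM blocks.

With `--output text` the CLI prints Certificate and CertificateChain
tab-separated on one line, giving `-----END CERTIFICATE-----<TAB>-----BEGIN
CERTIFICATE-----`.  With the default JSON output they are two JSON strings.
"""
import json
import re
from typing import List, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def extract_pems(raw: str) -> List[str]:
    """Return every certificate in `raw` as a clean, 64-column PEM block."""
    if raw.lstrip().startswith("{"):  # `--output json` (the CLI default)
        data = json.loads(raw)
        raw = data.get("Certificate", "") + "\n" + data.get("CertificateChain", "")
    pems = []
    for body in PEM_RE.findall(raw):
        b64 = "".join(body.split())  # drop tabs/newlines inside the block
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pems.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                    + "\n-----END CERTIFICATE-----\n")
    return pems


def leaf_and_chain(raw: str) -> Tuple[str, str]:
    """First block is the issued (leaf) cert, the rest is the chain.
    Slot 9a only needs the leaf, so that is what goes into tmp.crt."""
    pems = extract_pems(raw)
    if not pems:
        raise ValueError("no PEM certificates found in acm-pca output")
    return pems[0], "".join(pems[1:])


# Constructed sample mimicking `--output text`: two blocks joined by a tab.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_TEXT = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\t"
    "-----BEGIN CERTIFICATE-----\nSVNTVUVS\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    leaf, chain = leaf_and_chain(SAMPLE_TEXT)
    print(leaf, end="")
    print("chain certs:", len(extract_pems(chain)))
```

Write `leaf` to tmp.crt and import it as in step 8; keep the chain separately if you need it for a trust store.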

Other useful commands

Check Status:

$ yubico-piv-tool --slot 9a --action status
Version:	4.4.5
Serial Number:	12692795
CHUID:	No data available
CCC:	No data available
Slot 9a:
	Algorithm:	RSA2048
	Subject DN:	CN=frederick.t.damstra@accenturefederal.com, C=US, ST=VA, L=Arlington, OU=XDR, O=AFS
	Issuer DN:	C=US, O=Accenture Federal Services, OU=XDR, CN=XDR Subordinate CA #1
	Fingerprint:	ba6d2cec780dd397a634e9ace59a9739417f9687bfd42c3f3edafaaf89898337
	Not Before:	Jul  7 12:50:21 2021 GMT
	Not After:	Oct  5 13:50:21 2023 GMT
PIN tries left:	3

Read the certificate:

$ yubico-piv-tool --slot 9a --action read-certificate
-----BEGIN CERTIFICATE-----
...

Validate:

$ yubico-piv-tool --slot 9a --action read-certificate | openssl x509 -noout -text Certificate:

Data:
    Version: ...

### Troubleshooting

Required for windows?

yubico-piv-tool -a set-chuid

Required for mac

yubico-piv-tool -a set-ccc

yubico-piv-tool -a change-puk -P 12345678

Enter new code

Start the yubikey manager app and change the management code:

Basically, generate and protect with pin

Recorded here: 19f22f18cb3b38ab1e13627cab5b7db3e34fe3d9e1aa153b

brew install pkcs11-helper
brew install opensc
pkcs11-tool --test --login

enter pin
