@keysie
Last active February 15, 2025 17:32
set up ubuntu 24.04 for CSR signing with yubikey

Goal

Set up a fresh Ubuntu 24.04 install to be able to create keypairs for GPG, PIV and SSH, to create paper backups of those keys, and to get keys and certificates onto a Yubikey.

Sources

Packages you need to install

sudo apt install -y openssl gpg cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man zlib1g-dev build-essential pcscd qrencode

Build and install Yubico's PKCS#11 library (libykcs11.so)

  1. download the latest yubico-piv-tool release here:
https://developers.yubico.com/yubico-piv-tool/Releases/
  2. (optional but strongly recommended, since this library will sit between you and your private keys) check the GPG signature using the procedure listed here:
https://developers.yubico.com/Software_Projects/Software_Signing.html
  3. unpack using tar -xf filename
  4. from inside the unpacked directory, build and install using (remove the debug flag if the output gets too confusing)
mkdir build; cd build
cmake .. -DYKCS11_DBG=2
make
sudo make install
  5. update the shared library cache with
sudo ldconfig

Once installed, the module will be found by default at /usr/local/lib/libykcs11.so; if you skipped make install, it is still available where it was built, in yubico-piv-tool/build/ykcs11/libykcs11.so
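The build procedure above, collected into one script. This is an added example, not part of the gist or of Yubico's tooling. It assumes the release tarball and its detached .sig file have been downloaded from the Releases page into the current directory, that Yubico's signing keys from the Software_Signing page are already imported into your gpg keyring, and the script name and its `build` argument are made up for the example.

```sh
#!/bin/sh
# setup-ykcs11.sh (hypothetical name): unattended build of Yubico's PKCS#11 module
# (libykcs11.so) on Ubuntu 24.04. Added example, not code from the gist.
# Assumes yubico-piv-tool-X.Y.Z.tar.gz and yubico-piv-tool-X.Y.Z.tar.gz.sig are in the
# current directory and Yubico's signing keys are already in the local gpg keyring.
set -eu

# Exactly the package list from the gist.
BUILD_DEPS="openssl gpg cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man zlib1g-dev build-essential pcscd qrencode"

# Print the first existing libykcs11.so among the candidate paths given as arguments;
# exit status 1 if none exists. Used after install to locate the module for ssh/ssh-keygen.
find_ykcs11() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Refuse to build a tarball whose detached GPG signature is missing or does not verify.
verify_tarball() {
    tarball=$1
    if [ ! -f "$tarball.sig" ]; then
        echo "missing $tarball.sig; download it from the Releases page" >&2
        return 1
    fi
    gpg --verify "$tarball.sig" "$tarball"
}

# Unpack, configure, build, install, then refresh the linker cache so the module resolves.
build_ykcs11() {
    tarball=$1
    verify_tarball "$tarball"
    srcdir=$(basename "$tarball" .tar.gz)
    tar -xf "$tarball"
    mkdir -p "$srcdir/build"
    cd "$srcdir/build"
    cmake .. -DYKCS11_DBG=2   # drop -DYKCS11_DBG=2 once the debug output becomes noise
    make
    sudo make install
    sudo ldconfig
    cd - >/dev/null
}

# The privileged, online part only runs when asked for explicitly:
#   sh setup-ykcs11.sh build yubico-piv-tool-X.Y.Z.tar.gz
if [ "${1:-}" = "build" ]; then
    sudo apt install -y $BUILD_DEPS
    build_ykcs11 "$2"
    find_ykcs11 /usr/local/lib/libykcs11.so \
        "$(basename "$2" .tar.gz)/build/ykcs11/libykcs11.so"
fi
```

Without the `build` argument the script only defines its functions, so it can be sourced later to reuse find_ykcs11 when you need the module path for ssh. The signature check is deliberately a hard failure rather than a warning: a tampered PKCS#11 module sees every PIN and every signing request.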

Test interfacing with the Yubikey

  1. Insert your Yubikey
  2. Run yubico-piv-tool -a status. It should display the firmware version of your Yubikey as well as its serial number and all the PIV slot information it can find on the device.
  3. If this doesn't work, something is wrong with either pcscd (check that the pcscd service is running) or the yubico-piv-tool build. It could also be a problem accessing USB devices because of udev rules or similar. Do not proceed until this is fixed.

Get and "install" the Yubico Authenticator for a nice GUI

  1. download the latest authenticator release here:
https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz
  2. unpack using tar -xf filename
  3. use the authenticator binary directly from the folder (no need to build), or
  4. make a pseudo install to get a desktop shortcut using desktop_integration.sh

Key for SSH using PIV and PKCS#11

Note on ed25519

As of the time of writing, ed25519 is NOT supported enough (still!!) by most of the tooling that would make this process work. yubico-piv-tool will flat-out refuse to work with keys generated by ssh-keygen. Working around this by creating an ed25519 key and cert using openssl and then converting the public key to OpenSSH format is also still broken (as best I can gather, the problem lies with LibreSSL not supporting ed25519 fully yet, but a lot of other stuff around PIV also has issues with ed25519).

Therefore, use RSA?

Nope, it seems this is also not working. ssh-keygen does not seem to like the public-key format generated by openssl or yubico-piv-tool in any form, regardless of algorithm or key format. Even converting the openssl public key to PKCS#8 using the -topk8 argument of openssl does not lead anywhere.
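The route the PKCS#11 module was built for avoids hand-converting public keys altogether: the key is generated on the device, and ssh-keygen reads the public half back through libykcs11.so (ssh-keygen -D) already in authorized_keys format. The script below is an added example and not code from the gist or from Yubico. It assumes the module is at /usr/local/lib/libykcs11.so (override with the hypothetical YKCS11 variable), that PIV slot 9a is free, that the default PIV PIN and management key are still in place (change them before real use), and that host.example and the `run` argument are placeholders for the example.

```sh
#!/bin/sh
# yk-ssh-slot.sh (hypothetical name): provision an SSH key in a YubiKey PIV slot and use it
# via libykcs11.so. Added example, not from the gist. Assumes the default PIV PIN and
# management key (yubico-piv-tool will use them unless -P / -k are given).
set -eu

MODULE=${YKCS11:-/usr/local/lib/libykcs11.so}   # assumed install path from the build step
SLOT=9a                                          # PIV authentication slot, assumed free

# Generate an RSA-2048 keypair on the device (the private key never leaves the YubiKey),
# then self-sign and import a certificate: ykcs11 derives its key objects from the
# certificates it finds in the slots, so an empty-certificate slot is invisible to ssh.
provision_slot() {
    yubico-piv-tool -a generate -s "$SLOT" -A RSA2048 -o "slot$SLOT-pub.pem"
    yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$SLOT" \
        -S "/CN=ssh-$SLOT/" -i "slot$SLOT-pub.pem" -o "slot$SLOT-cert.pem"
    yubico-piv-tool -a import-certificate -s "$SLOT" -i "slot$SLOT-cert.pem"
}

# Ask the PKCS#11 module for the public keys it exposes; each line is an authorized_keys entry.
list_token_keys() {
    ssh-keygen -D "$MODULE"
}

# Return 0 if a listing on stdin contains at least one key of the given OpenSSH type
# (e.g. ssh-rsa, ecdsa-sha2-nistp256). Sanity check before copying a key to a server.
listing_has_type() {
    want=$1
    while IFS=' ' read -r ktype _rest; do
        [ "$ktype" = "$want" ] && return 0
    done
    return 1
}

# Count the keys in a listing on stdin. Zero usually means no certificate in the slot,
# pcscd not running, or a wrong module path.
listing_count() {
    n=0
    while read -r line; do
        case $line in
            ssh-*|ecdsa-*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Device interaction only happens when invoked as: sh yk-ssh-slot.sh run
if [ "${1:-}" = "run" ]; then
    yubico-piv-tool -a status >/dev/null || { echo "YubiKey not reachable: check pcscd/udev" >&2; exit 1; }
    provision_slot
    keys=$(list_token_keys)
    printf '%s\n' "$keys" | listing_has_type ssh-rsa || { echo "no RSA key exposed by $MODULE" >&2; exit 1; }
    mkdir -p "$HOME/.ssh"
    printf '%s\n' "$keys" > "$HOME/.ssh/yubikey-$SLOT.pub"   # append this to the server's authorized_keys
    # Then either hand ssh the module per connection or load it into the agent once:
    #   ssh -I "$MODULE" user@host.example
    #   ssh-add -s "$MODULE"
fi
```

The two listing helpers exist so the script fails loudly at the right point: an empty ssh-keygen -D listing after provisioning points at the certificate, pcscd or module path, not at the key format. ssh -I and ssh-add -s both prompt for the PIV PIN, which is the user PIN and not the management key used by provision_slot.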
