Last active
January 27, 2025 21:28
-
-
Save keysie/ae02d64de8d924d8ef093de74d8c5d52 to your computer and use it in GitHub Desktop.
Yubikey PIV Documentation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Each PIV slot can store ONE key AND ONE certificate | |
| 2. Use openssl to create the keys, not ssh-keygen (otherwise the output format is wrong) | |
| 3. You can import key and cert seperately into each slot (yubico-authenticator, yubico-piv-tool or some such) | |
| 4. Again: Only one key per slot. Importing a key to a slot will overwrite the key that was in that slot before. Same for certs. | |
| Using openssl 3.0.13 and yubico-piv-tool 2.7.0: | |
| 1. generate private key: | |
| openssl genpkey -algorithm ed25519 -out .ssh/filename | |
| 2. generate selfsigned cert (contains the public key): (store this one! can't be calculated from private key later on): | |
| openssl req -key .ssh/filename -new -x509 -days 365 -out .ssh/filename.crt | |
| 3. load key into slot 9a: | |
| yubico-piv-tool -a import-key -s 9a -k -i .ssh/filename | |
| 4. import certificate into same slot as the key: | |
| yubico-piv-tool -a import-cert -s 9a -k -i .ssh/filename | |
| 5. export public key of key in a slot (only works if there is a corresponding cert already): | |
| ykman piv keys generate 9a .ssh/filename.pub |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment