Although we can secure the private key with a password, it is still not very secure, as anybody who gets access to our PC can steal it. We can extend the security by encrypting the filesystem (e.g. dm-crypt) and only decrypting it when we log in.
The Yubikey NEO provides a platform-independent API to cryptographic tokens via the PKCS#11 standard. That makes the Yubikey work like a smart card. Access to the PIV interface is secured by a PIN: only someone who knows the PIN can use the Yubikey to authenticate.
Load the user's certificate onto the Yubikey: import the user's certificate (user_cert.pfx) into the Authentication slot (9a).
First we block the PIN and PUK so that we can reset the PIV application (both must be blocked before the application can be reset). Bear in mind that this destroys all keys stored in the PIV application:
$ for N in $(seq 3); do yubico-piv-tool -a verify-pin -P wrongpin; yubico-piv-tool -a change-puk -P wrongpuk -N wrongpuk; done
$ yubico-piv-tool -a reset
Generate a new management key (24 random bytes, stored encrypted with gpg):
$ dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"' | gpg -c -a -o MgmtKey.gpg
$ KEY=$(gpg -d MgmtKey.gpg 2>/dev/null)
$ yubico-piv-tool -a set-mgm-key -n $KEY
Keep the MgmtKey.gpg file in a safe place for later use. Then we set the PIN (4-8 chars) and PUK (4-8 chars); 123456 and 12345678 below are the factory defaults:
$ read -s -p "Type your new PIN: " PIN
$ read -s -p "Type your new PUK: " PUK
$ yubico-piv-tool -a change-pin -P 123456 -N $PIN
$ yubico-piv-tool -a change-puk -P 12345678 -N $PUK
Upload the user's certificate onto the Yubikey:
$ read -s -p "Type the user's certificate password: " PASS
$ yubico-piv-tool -s 9a -a import-key -a import-cert -a set-chuid -i user_cert.pfx -K PKCS12 -p $PASS -k $KEY
Verify that the user's certificate is installed:
$ yubico-piv-tool -a status
Clear the KEY, PIN, PUK and PASS variables from the environment (or simply exit the shell):
$ unset KEY PIN PUK PASS
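The provisioning steps above, collected into one script with the input checks a practitioner would want before touching the token. This is an added example, not a script from the original post: it assumes yubico-piv-tool is on PATH, keeps the factory PIN/PUK and slot 9a from the text, and lets YKTOOL be pointed at a dry-run function so the commands can be reviewed without a Yubikey plugged in.

```shell
#!/bin/sh
# Added example (not the page's own script): provision PIV slot 9a as the
# text above describes. Assumption: YKTOOL may be overridden for a dry run.
YKTOOL="${YKTOOL:-yubico-piv-tool}"

# 24 random bytes as 48 uppercase hex digits (the 3DES management key format).
gen_mgmt_key() {
    dd if=/dev/urandom bs=1 count=24 2>/dev/null | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Reject anything that is not exactly 48 hex digits before it reaches -k.
valid_mgmt_key() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 48 ]
}

# PIN and PUK must be 4-8 characters, as the text above states.
valid_pin() {
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 8 ]
}

# $1 = new management key, $2 = new PIN, $3 = new PUK,
# $4 = PKCS#12 file, $5 = its password. Stops at the first failing step.
provision_9a() {
    key=$1 pin=$2 puk=$3 pfx=$4 pass=$5
    valid_mgmt_key "$key" || { echo "bad management key" >&2; return 1; }
    valid_pin "$pin" && valid_pin "$puk" || { echo "PIN/PUK must be 4-8 chars" >&2; return 1; }
    "$YKTOOL" -a set-mgm-key -n "$key" || return 1
    "$YKTOOL" -a change-pin -P 123456 -N "$pin" || return 1       # 123456 is the factory PIN
    "$YKTOOL" -a change-puk -P 12345678 -N "$puk" || return 1     # 12345678 is the factory PUK
    "$YKTOOL" -s 9a -a import-key -a import-cert -a set-chuid \
        -i "$pfx" -K PKCS12 -p "$pass" -k "$key" || return 1
    "$YKTOOL" -a status
}
```

Run it as `KEY=$(gen_mgmt_key); provision_9a "$KEY" "$PIN" "$PUK" user_cert.pfx "$PASS"` after encrypting KEY into MgmtKey.gpg as above, and unset the variables afterwards.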
The following commands show other potentially useful tasks. If we accidentally block the PIN (3 unsuccessful attempts), we can unblock it with the PUK (note that --pin takes the PUK here):
$ yubico-piv-tool -a unblock-pin -N $PIN --pin $PUK
If the PUK is blocked (3 unsuccessful attempts), the PIV applet will be blocked and we need to reset it (see above).
We can change the number of retry attempts allowed for the PIN/PUK:
$ yubico-piv-tool -a pin-retries --pin-retries=10 --puk-retries=5 -k $KEY
We can change the PIN/PUK:
$ yubico-piv-tool -a change-pin -P $PIN -N $NEW_PIN
$ yubico-piv-tool -a change-puk -P $PUK -N $NEW_PUK
We can extract the public certificate (not the private key) from the Yubikey:
$ yubico-piv-tool -a read-certificate -s 9a > ClientCert.pem