YubiKey 5

Generate keys on YubiKey 5

Prerequisites

Install ykman.

sudo apt install yubikey-manager

Optionally, install pkcs11-tool (from opensc), Yubico's PKCS#11 module (ykcs11), and openssl to run the commands in the debrief section.

sudo apt install ykcs11 opensc openssl

Reset the PIV application. This wipes all keys and certificates on it; if you already use PIV slots on this YubiKey, adapt the guide as you see fit instead.

ykman piv reset

Set non-default credentials

ykman piv access change-pin --pin 123456
ykman piv access change-puk --puk 12345678
ykman piv access change-management-key --protect

Provide the new PIN and PUK when prompted. When asked for the current management key, press Enter to use the default one (the PIV application was just reset).

Generate keys

ykman piv keys generate -a RSA4096 -F PEM --pin-policy always --touch-policy always 82 PK.tmp
ykman piv keys generate -a RSA4096 -F PEM --pin-policy always --touch-policy always 83 KEK.tmp
ykman piv keys generate -a RSA4096 -F PEM --pin-policy always --touch-policy always 84 db.tmp

Use RSA2048 if your YubiKey 5 firmware does not support RSA4096 (check the firmware version with `ykman info`).

Create certificates

ykman piv certificates generate -a SHA256 -s "O=System Transparency,CN=PK"  -d 3650 82 PK.tmp
ykman piv certificates generate -a SHA256 -s "O=System Transparency,CN=KEK" -d 3650 83 KEK.tmp
ykman piv certificates generate -a SHA256 -s "O=System Transparency,CN=db"  -d 3650 84 db.tmp

Export certificates

ykman piv certificates export -F PEM 82 PK.crt
ykman piv certificates export -F PEM 83 KEK.crt
ykman piv certificates export -F PEM 84 db.crt

Debrief

You changed the default PIN and PUK of the PIV application, then created a new management key and stored it on the YubiKey protected by the PIN, so the PIN is required for administrative tasks. Examples of administrative tasks include key generation.

You generated PK in slot 82, KEK in slot 83, and db in slot 84. There are plenty of other available key slots you could have picked. These key slots correspond to PKCS#11 object IDs 05, 06, and 07; see the pkcs11-tool output.

ykman piv info
pkcs11-tool -O --module /usr/lib/x86_64-linux-gnu/libykcs11.so

You should see that the corresponding certificate files PK.crt, KEK.crt and db.crt were created with a validity window of 10 years (3650 days). The exported certificate files are in PEM format.

openssl x509 -in PK.crt  -text -noout
openssl x509 -in KEK.crt -text -noout
openssl x509 -in db.crt  -text -noout
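As an added check that is not part of the guide, the following script verifies each exported certificate against the settings used above (PEM encoding, subject, self-signature, RSA key size, 3650-day validity, and that the certificate wraps the public key written to the .tmp file at generation) and prints its SHA-256 fingerprint for the record. It assumes openssl and GNU date are installed.

```shell
#!/bin/sh
# Added verification script, not part of the guide. Assumes openssl and GNU
# date; the .tmp file is the public key written by 'ykman piv keys generate'.

# check_cert CERT PUBKEY EXPECTED_CN [EXPECTED_BITS]  -> returns 0 if all pass
check_cert() {
    cert=$1; pub=$2; cn=$3; bits=${4:-4096}; rc=0
    # Exported with -F PEM, so the file must start with a PEM header
    head -n1 "$cert" | grep -q '^-----BEGIN CERTIFICATE-----' \
        || { echo "FAIL: $cert is not PEM"; rc=1; }
    # Subject must carry the organisation and the expected CN (PK, KEK or db)
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
    case "$subj" in
        *"O = System Transparency"*"CN = $cn") echo "ok: subject $subj" ;;
        *) echo "FAIL: subject is '$subj'"; rc=1 ;;
    esac
    # 'ykman piv certificates generate' self-signs with the slot's own key
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    [ "$iss" = "$subj" ] && echo "ok: self-signed" \
        || { echo "FAIL: issuer '$iss' differs from subject"; rc=1; }
    # Key size must match -a RSA4096 (or RSA2048 on older firmware)
    got=$(openssl x509 -in "$cert" -noout -text \
          | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$got" = "$bits" ] && echo "ok: RSA $got bit" \
        || { echo "FAIL: key is $got bit, expected $bits"; rc=1; }
    # Validity window must be the 3650 days given with -d
    nb=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    days=$(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
    [ "$days" -ge 3649 ] && [ "$days" -le 3651 ] && echo "ok: valid $days days" \
        || { echo "FAIL: validity is $days days"; rc=1; }
    # The certificate must wrap exactly the public key generated in the slot
    c=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -pubin -in "$pub" -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo "ok: public key matches $pub" \
        || { echo "FAIL: public key differs from $pub"; rc=1; }
    # Print the fingerprint so it can be recorded and compared after enrolment
    openssl x509 -in "$cert" -noout -fingerprint -sha256
    return $rc
}

# Check each exported certificate against the public key of its slot
for n in PK KEK db; do [ -f "$n.crt" ] && check_cert "$n.crt" "$n.tmp" "$n"; done
```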