Generate keys on YubiKey 5 #
Prerequisites #
Install ykman.
sudo apt install yubikey-manager
Install pkcs11-tool (from the opensc package), Yubico's PKCS#11 module (ykcs11), and openssl to run the commands in the debrief section (optional).
sudo apt install ykcs11 opensc openssl
Reset the PIV application (or adapt the guide as you see fit). Note that a reset erases every key and certificate stored in the PIV application and restores the default PIN, PUK and management key.
ykman piv reset
Set non-default credentials #
ykman piv access change-pin --pin 123456
ykman piv access change-puk --puk 12345678
ykman piv access change-management-key --protect
Provide the new PIN and PUK when prompted. When asked for the current management key, press Enter to use the default one. With --protect, ykman generates a new random management key and stores it on the YubiKey protected by the PIN, so there is no management key for you to write down.
Generate keys #
ykman piv keys generate -a RSA4096 -F PEM --pin-policy always --touch-policy always 82 PK.tmp
ykman piv keys generate -a RSA4096 -F PEM --pin-policy always --touch-policy always 83 KEK.tmp
ykman piv keys generate -a RSA4096 -F PEM --pin-policy always --touch-policy always 84 db.tmp
Use RSA2048 if your YubiKey 5 firmware is not recent enough; RSA4096 in the PIV application requires firmware 5.7 or later. Key generation is an administrative task, so ykman asks for the PIN to unlock the management key. The PIN and touch policies are fixed at generation time: every private-key operation in these slots will require the PIN and a touch on the YubiKey, including the self-signed certificate generation below. The .tmp files hold the public keys in PEM format; the private keys never leave the YubiKey.
Create certificates #
ykman piv certificates generate -a SHA256 -s "O=System Transparency,CN=PK" -d 3650 82 PK.tmp
ykman piv certificates generate -a SHA256 -s "O=System Transparency,CN=KEK" -d 3650 83 KEK.tmp
ykman piv certificates generate -a SHA256 -s "O=System Transparency,CN=db" -d 3650 84 db.tmp
Export certificates #
ykman piv certificates export -F PEM 82 PK.crt
ykman piv certificates export -F PEM 83 KEK.crt
ykman piv certificates export -F PEM 84 db.crt
Debrief #
You changed the default PIN and PUK of the PIV application, then you created a new management key that is stored on the YubiKey and can only be used after entering the PIN. The management key authorizes administrative tasks such as key generation and certificate import, which is why ykman asked for your PIN during the steps above.
You generated PK in slot 82, KEK in slot 83, and db in slot 84. There are plenty of other available key slots you could have picked. These key slots correspond to PKCS#11 object IDs 05, 06, and 07 (ykcs11 numbers the retired key management slots 82 through 95 as object IDs 5 through 18), see the output of ykman piv info and pkcs11-tool below. Without -l, pkcs11-tool lists only public objects; add -l and enter the PIN to see the private key objects as well.
ykman piv info
pkcs11-tool -O --module /usr/lib/x86_64-linux-gnu/libykcs11.so
You should see that the corresponding certificate files PK.crt, KEK.crt and db.crt are self-signed and were created with a validity window of 10 years (3650 days). The exported certificate files are in PEM format.
openssl x509 -in PK.crt -text -noout
openssl x509 -in KEK.crt -text -noout
openssl x509 -in db.crt -text -noout
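As an added example (not part of this guide, of ykman or of System Transparency), the following POSIX shell script checks the exported files offline with openssl: that each certificate is self-signed and its self-signature verifies, that it carries the expected CN, that it uses an RSA key of at least the expected size, that it is valid for 3650 days, and that it embeds the same public key ykman wrote to the matching .tmp file. It assumes openssl and GNU date (date -d) are installed and that the file names are the ones used above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the System Transparency guide or of ykman:
# offline checks on a certificate exported with "ykman piv certificates export"
# and the public key written by "ykman piv keys generate -F PEM".
# Assumes: openssl on PATH, GNU date (date -d). File names follow the guide.
set -u

# Print the SHA-256 of the DER-encoded SubjectPublicKeyInfo in a PEM public key file.
pubkey_fp() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the SHA-256 of the DER-encoded SubjectPublicKeyInfo carried by a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if CERT is self-signed, carries CN=EXPECTED_CN, uses an RSA key of
# at least MIN_BITS bits and is valid for DAYS days (plus or minus one day).
check_cert() {
  cert=$1 expected_cn=$2 min_bits=$3 days=$4

  # Self-signed: issuer equals subject. RFC2253 output is "CN=PK,O=...".
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$subject" = "$issuer" ] || { echo "$cert: issuer differs from subject" >&2; return 1; }
  printf '%s\n' "$subject" | tr ',' '\n' | grep -qx "CN=$expected_cn" \
    || { echo "$cert: subject '$subject' lacks CN=$expected_cn" >&2; return 1; }

  # The self-signature must verify with the certificate's own key.
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: self-signature does not verify" >&2; return 1; }

  # Key type and size, parsed from the human-readable dump.
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
    || { echo "$cert: not an RSA key" >&2; return 1; }
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$min_bits" ] \
    || { echo "$cert: RSA key is only ${bits:-?} bits, expected >= $min_bits" >&2; return 1; }

  # Validity window in whole days between notBefore and notAfter.
  start=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')" +%s)
  end=$(date -d "$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')" +%s)
  actual=$(( (end - start) / 86400 ))
  [ "$actual" -ge $((days - 1)) ] && [ "$actual" -le $((days + 1)) ] \
    || { echo "$cert: valid for $actual days, expected $days" >&2; return 1; }
}

# Return 0 if CERT's public key is the one in PUBKEY_PEM (the .tmp file from ykman).
check_pubkey_matches() {
  [ "$(cert_pubkey_fp "$1")" = "$(pubkey_fp "$2")" ] \
    || { echo "$1: public key differs from $2" >&2; return 1; }
}

# Check the three Secure Boot certificates produced by the guide, in the
# current directory: PK.crt/PK.tmp, KEK.crt/KEK.tmp and db.crt/db.tmp.
check_secure_boot_certs() {
  rc=0
  for name in PK KEK db; do
    check_cert "$name.crt" "$name" 4096 3650 \
      && check_pubkey_matches "$name.crt" "$name.tmp" \
      && echo "$name.crt: OK" || rc=1
  done
  return $rc
}

# Usage: sh check_keys.sh --check   (run in the directory holding the exported files)
if [ "${1:-}" = "--check" ]; then
  check_secure_boot_certs
fi
```

Pass 2048 instead of 4096 to check_cert if you generated RSA2048 keys. The script compares DER fingerprints rather than PEM text so that harmless formatting differences between ykman and openssl output do not cause false alarms.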