Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial Yubikey support #5

Open
wants to merge 13 commits into
base: develop
Choose a base branch
from
Open

Initial Yubikey support #5

wants to merge 13 commits into from

Conversation

tomberek
Copy link

@tomberek tomberek commented Oct 8, 2018

Provides the prompts and backend to use Yubikeys and other PKCS11 devices. The core functionality uses only the pkcs11 engine in openssl, but initializing the keys are vendor specific. That is located in ./functions and can be rewritten for non-yubikey (WIP).

The most complicated part is using a Yubikey for the root CA and creating a sub-CA on a Yubikey as well. Restrictions on the use of various slots requires the CA's to be in slot 9c and on DIFFERENT keys. This makes the creation of a sub-CA a juggling act of plugging and switching physical keys error-prone. Follow the in-terminal warnings carefully. I also added checks to confirm anything changing a Yubikey is confirmed at least twice by the user and takes a management key.

Creating client or server certs in PIV mode (slot 9a) is possible, but not recommended for servers.

@tomberek tomberek mentioned this pull request Oct 8, 2018
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tomberek