Disclaimer: This blog post is in no way sponsored nor endorsed by Yubico, though they were quite kind and provided us with a couple of tokens to play around with. We just honestly like them.
Prerequisites
To get going, you're going to need to have the following installed on your workstation:
- The OpenSC PKCS#11 implementation
- The YubiKey PIV Manager, Command Line Tool or UI
- A compatible browser, Firefox or Chrome recommended.
Creating a key pair on your YubiKey
1. Open the YubiKey Manager
2. Under Applications, pick PIV and then Configure Certificates
3. Under the Authentication tab, click Generate to create a new key pair on the token. This walks you through creating a key pair: pick an algorithm and key size and set the Common Name for your token.
4. Make sure that you specify that you want a Certificate Signing Request (CSR)
5. This will result in a CSR that you can use to enroll the key pair to EJBCA.
Enrolling the YubiKey to EJBCA
Enrolling the newly created key pair is done just like with any other enrollment.
1. Go to the EJBCA RA UI
2. Click on Enroll, choose the appropriate certificate type and sub-type and choose Generated by User, which will prompt you to upload your CSR from the previous step.
3. Fill in any other pertinent information, then choose Download PEM
Importing the Certificate to the YubiKey
1. Open the YubiKey Manager, and again choose Applications, pick PIV and then Configure Certificates
2. Click Import and pick the newly generated certificate.
3. Congratulations - your YubiKey is now up and running, but we still need to configure the browser to play along.
Configuring Firefox to use YubiKey
1. Open Firefox and enter about:preferences in the address bar
2. Under Privacy and Security click on Security Devices
3. Click on Load to install OpenSC's PKCS#11 driver
4. Name the module and then locate the opensc-pkcs11.so (or similar) library
5. The YubiKey will now be shown as a security module
Configuring Access Rights in EJBCA
This is done using Roles, as with any other EJBCA administrator, but here are the exact steps:
1. In the EJBCA CA UI, pick Roles and either create a new Role or add the new administrator to an existing Role
2. To add the administrator, click on Members, pick the appropriate CA and enter the identifying information for the certificate, preferably the serial number
3. An easy way to find the serial number is to view the certificate in OpenSSL using the command:
$ openssl x509 -in alanwidget.pem -text -noout
The serial number can be copied, converted from hex to decimal using a converter and then used in EJBCA.
4. Finally, click on Access Rules and set the required rules for your administrator
5. The next time you start a new session, your YubiKey will be offered as an option
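The hex-to-decimal step is the one place in this walkthrough where a script helps: the EJBCA Members page wants the serial in decimal, OpenSSL prints it in hex, and a shell `$((16#...))` conversion silently overflows on serials longer than 63 bits (EJBCA-issued serials are commonly 8 bytes or more). The following Python script is an added example, not code from this post, from EJBCA or from Yubico. It converts the `serial=` line that `openssl x509 -noout -serial` prints, and it can also read the serial straight out of a PEM file with a small standard-library DER walker, so no OpenSSL binary is needed on the admin's machine. The certificate it checks itself against is a constructed skeleton holding only the version and serial fields, and all function names are this example's own.

```python
"""Get an X.509 serial number in the decimal form EJBCA's role Members page expects.

  * serial_from_openssl_output(): converts the "serial=..." line printed by
    `openssl x509 -noout -serial` to decimal with arbitrary precision, so
    long serials do not overflow the way a shell $((16#...)) conversion does.
  * serial_from_pem(): reads the serial directly from a PEM certificate by
    walking Certificate -> tbsCertificate -> [version] -> serialNumber.

The self-check below uses a constructed DER skeleton, not a real certificate.
"""
import base64
import re


def serial_from_openssl_output(text: str) -> str:
    """Turn 'serial=1A2B...' (from `openssl x509 -noout -serial`) into a decimal string."""
    match = re.search(r"serial=([0-9A-Fa-f]+)", text)
    if not match:
        raise ValueError("no 'serial=' line found in OpenSSL output")
    # int(..., 16) is arbitrary precision, so 16- or 20-byte serials are fine.
    return str(int(match.group(1), 16))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        num_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_bytes], "big")
        pos += num_bytes
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(der: bytes) -> int:
    """Extract serialNumber from a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] EXPLICIT version comes before the serial
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    # DER INTEGER is two's complement; a leading 0x00 keeps high-bit serials positive.
    return int.from_bytes(value, "big", signed=True)


def serial_from_pem(pem: str) -> int:
    """Strip the PEM armour and hand the DER bytes to serial_from_der()."""
    body = "".join(line for line in pem.splitlines()
                   if line and not line.startswith("-----"))
    return serial_from_der(base64.b64decode(body))


# --- constructed fixture: a tbsCertificate with only version and serial -----
def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag-length-value, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def build_skeleton_cert_pem(serial: int) -> str:
    """Constructed test input: PEM whose tbsCertificate holds version v3 and the serial only."""
    # Minimal positive two's-complement encoding (adds a 0x00 byte when the top bit is set).
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser))
    der = _tlv(0x30, tbs)
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = build_skeleton_cert_pem(0x1A2B3C4D5E6F7081)
    print("from PEM:    ", serial_from_pem(pem))
    print("from openssl:", serial_from_openssl_output("serial=1A2B3C4D5E6F7081"))
```

For a real token certificate, replace the skeleton with the PEM downloaded from the RA UI: `serial_from_pem(open("alanwidget.pem").read())` returns the integer to paste into the Members page, and the same value comes out of `serial_from_openssl_output(subprocess.check_output(["openssl", "x509", "-in", "alanwidget.pem", "-noout", "-serial"], text=True))` when you prefer to stay with OpenSSL.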