Tuesday, June 25, 2019

EJBCA ♥ YubiKey

With the keygen tag in its final death throes, the time has come to move on to new and better ways of managing keys on tokens. We here at PrimeKey are big fans of our friends at Yubico, so here is a neat little guide on how to get up and running using your YubiKey with EJBCA.

Disclaimer: This blog post is in no way sponsored nor endorsed by Yubico, though they were quite kind and provided us with a couple of tokens to play around with. We just honestly like them. 

Prerequisites

To get going, you're going to need to have the following installed on your workstation:

Creating a key pair on your YubiKey
1. Start up the YubiKey Manager
2. Under Applications, pick PIV and then Configure Certificates

3. Under the Authentication tab, click Generate to create a new key pair on the token. This will take you through a guide to creating a key pair by picking an algorithm and key size and setting the Common Name for your token.
4. Make sure that you specify that you want a Certificate Signing Request (CSR)
5. This will result in a CSR that you can use to enroll the key pair with EJBCA.

Enrolling the YubiKey to EJBCA

Enrolling the newly created key pair is done just like with any other enrollment.

1. Go to the EJBCA RA UI
2. Click on Enroll, choose the appropriate certificate type and sub-type and choose Generated by User, which will prompt you to upload your CSR from the previous step.
3. Fill in any other pertinent information, then choose Download PEM

Importing the Certificate to the YubiKey 

1. Open the YubiKey Manager, and again choose Applications, pick PIV and then Configure Certificates
2. Click Import and pick the newly generated certificate.
3. Congratulations - your YubiKey is now up and running, but we still need to configure the browser to play along. 

Configuring Firefox to use YubiKey

1. Open Firefox and enter about:preferences in the address bar
2. Under Privacy and Security click on Security Devices 
3. Click on Load to install OpenSC's PKCS#11 Driver
4. Name the module and then locate the opensc-pkcs11.so (or similar) library
5. The YubiKey will now be shown as a security module

Configuring Access Rights in EJBCA 

This is done using Roles, as for any other EJBCA administrator, but here are the exact steps:

1. In the EJBCA CA UI, pick Roles and either create a new Role or add the new administrator to an existing Role
2. To add the administrator, click on Members, pick the appropriate CA and enter the identifying information for the certificate, preferably the serial number
3. An easy way to find the serial number is to view the certificate in OpenSSL using the command:
$ openssl x509 -in alanwidget.pem -text -noout
The serial number can be copied from that output, converted from hex to decimal (for example with a hex-to-decimal converter) and then entered in EJBCA.

4. Finally, click on Access Rules and set the required rules for your administrator
5. The next time you start a new browser session and open the EJBCA CA UI, the certificate on your YubiKey will be offered as an option
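As an added example (not code from the original post, from EJBCA or from Yubico), here is a small Python helper for the hex-to-decimal step in item 3: it parses the serial number out of the openssl output in the forms OpenSSL actually prints it, and returns the decimal string to enter in EJBCA. The sample outputs are constructed; the file name alanwidget.pem is taken from the post.

```python
import re

# Constructed sample of `openssl x509 -in alanwidget.pem -text -noout` for a
# certificate with a large serial: OpenSSL prints it as colon-separated hex
# bytes on the line after "Serial Number:".
SAMPLE_TEXT_LARGE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ManagementCA
"""
# Constructed sample for a small serial, which OpenSSL prints inline as
# "decimal (0xhex)".
SAMPLE_TEXT_SMALL = "        Serial Number: 4096 (0x1000)\n"
# Constructed sample of `openssl x509 -in alanwidget.pem -serial -noout`.
SAMPLE_SERIAL_FLAG = "serial=0A1B2C3D4E5F60718293A4B5C6D7E8F9\n"

_INLINE = re.compile(r"^[ \t]*Serial Number:[ \t]*(\d+)[ \t]*\(0x([0-9a-fA-F]+)\)[ \t]*$", re.M)
_HEXBYTES = re.compile(r"^[ \t]*Serial Number:[ \t]*\n[ \t]*((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})[ \t]*$", re.M)
_SERIALFLAG = re.compile(r"^serial=([0-9a-fA-F]+)[ \t]*$", re.M)


def parse_serial(openssl_output: str) -> int:
    """Return the certificate serial number as an int, parsed from any of the
    three `openssl x509` output forms shown above."""
    m = _INLINE.search(openssl_output)
    if m:
        dec, hx = int(m.group(1)), int(m.group(2), 16)
        if dec != hx:  # both renderings come from one value; disagreement means garbled input
            raise ValueError("decimal and hex serial disagree: " + m.group(0).strip())
        return dec
    m = _HEXBYTES.search(openssl_output)
    if m:
        return int(m.group(1).replace(":", ""), 16)
    m = _SERIALFLAG.search(openssl_output)
    if m:
        return int(m.group(1), 16)
    raise ValueError("no serial number found in OpenSSL output")


def ejbca_match_value(openssl_output: str) -> str:
    """The serial as a decimal string, ready to paste into the role member's
    match value. Python ints are arbitrary precision, so 128-bit serials that
    would overflow a shell `printf '%d'` are converted correctly."""
    return str(parse_serial(openssl_output))
```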