ENV:

* CARD_CLI - Card cli command or full path, default `card-cli`
* SIGN_REQUEST_SLOT - Sign request slot, default `82`

# Generate Keypair

> Generate `secp256r1` or `secp384r1` keypair

```shell
$ java -jar yubikey-ca-java.jar --generate-keypair --keypair-type secp256r1
```

# Write Keypair to Yubikey

## Write private key to Yubikey

```shell
$ ykman piv keys import --pin-policy ONCE --touch-policy CACHED $SLOT$ private.pem
```

## Write public key to Yubikey and generate certificate

```shell
$ ykman piv certificates generate $SLOT$ public.pem -s 'O=Org,OU=OrgUnit,CN=CommonName'
```

# Issue ROOT CA

```shell
$ java -jar yubikey-ca-java.jar --issue-root-ca \
    --sign-slot 88 --subject 'CN=Hatter EC Root CA' \
    [--pin ******] \
    [--add-to-remote]
```

# Issue Intermediate CA

```shell
$ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
    --sign-slot 88 \
    --cert-slot 89 --root-ca-id 43 \
    --subject 'CN=Hatter EC Intermediate CA' \
    [--pin ******] \
    [--add-to-remote]
```

# Issue Server CA

```shell
$ java -jar yubikey-ca-java.jar --issue-server-ca \
    --sign-slot 89 \
    --intermediate-ca-id 44 --keypair-type secp256r1 \
    --subject 'CN=hatter-test' \
    --dns-name a.example.com --dns-name b.example.com \
    [--pin ******] \
    [--cert-slot NN | --cert-file ] | --cert-public-key '-----BEGIN PUBLIC KEY-----...' \
    [--add-to-remote]
```

# Issue Client CA

```shell
$ java -jar yubikey-ca-java.jar --issue-client-ca \
    --sign-slot 89 \
    --intermediate-ca-id 44 --keypair-type secp256r1 \
    --subject 'CN=hatter-test' \
    [--pin ******] \
    [--add-to-remote]
```

# Issue Client Code CA

```shell
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
    --sign-slot 89 \
    --intermediate-ca-id 44 --keypair-type secp256r1 \
    --subject 'CN=hatter-test-code' \
    [--pin ******] \
    [--add-to-remote]
```

or

```shell
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
    --sign-slot 89 --cert-slot 90 \
    --intermediate-ca-id 44 \
    --subject 'CN=Hatter Signing CA' --valid-years 10 \
    --pin ****** \
    [--add-to-remote]
```
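The commands above build a three-level EC chain (root in slot 88, intermediate in slot 89, server leaf with two DNS SANs). The script below is an added example, not part of yubikey-ca-java: it builds a throwaway chain of the same shape with plain openssl so the verification step can be exercised offline, and `verify_leaf` is the check to run against the tool's real output (only the root trusted, the intermediate supplied as untrusted, hostname matched against the SAN list). It assumes openssl 1.1.1 or newer on PATH; every file name and subject is constructed here.

```shell
#!/bin/sh
# Added example, not part of yubikey-ca-java: build a throwaway EC P-256
# chain with the same shape as the one the commands above produce (root ->
# intermediate -> server leaf with two DNS SANs) using plain openssl, then
# check the leaf the way you would check the tool's real output.
# Assumes openssl 1.1.1 or newer on PATH; all file names are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_csr NAME SUBJECT: fresh secp256r1 key plus CSR (stand-in for
# --generate-keypair and the ykman import/generate steps).
new_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr"
}

# issue NAME ISSUER EXTS: sign NAME's CSR with ISSUER's key and the given
# extensions; ISSUER=self produces a self-signed root.
issue() {
  printf '%b' "$3" >"$WORK/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
new_csr root '/CN=Test EC Root CA';   issue root self "$CA_EXT"
new_csr inter '/CN=Test EC Intermediate CA'
issue inter root 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n'
new_csr server '/CN=hatter-test'
issue server inter 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:a.example.com,DNS:b.example.com\n'

# verify_leaf ROOT INTER LEAF HOST -> 0 if LEAF chains to ROOT through INTER
# and HOST matches one of its SANs; non-zero otherwise. Only the root is
# trusted; the intermediate is passed as untrusted, as a TLS client would.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
    -verify_hostname "$4" "$WORK/$3.pem" >/dev/null 2>&1
}

verify_leaf root inter server a.example.com && echo "chain ok for a.example.com"
```

To check a chain issued by the tool, point `verify_leaf` (or the same `openssl verify` invocation) at the exported root, intermediate and leaf PEM files instead of the constructed ones.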