hatter/yubikey-ca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
260b79a153aa0ab11ff2820027fce6e9063272d9
yubikey-ca/yubikey-ca-java/README.md

85 lines
2.1 KiB
Markdown
Raw Blame History

ENV:
* CARD_CLI - Card cli command or full path, default `card-cli`
* SIGN_REQUEST_SLOT - Sign request slot, default `82`
# Generate Keypair
> Generate `secp256r1` or `secp384r1` keypair
```shell
$ java -jar yubikey-ca-java.jar --generate-keypair --keypair-type secp256r1
```
# Write Keypair to Yubikey
## Write private key to Yubikey
```shell
$ ykman piv keys import --pin-policy ONCE --touch-policy CACHED $SLOT$ private.pem
```
## Write public key to Yubikey and generate certificate
```shell
$ ykman piv certificates generate $SLOT$ public.pem -s 'O=Org,OU=OrgUnit,CN=CommonName'
```
# Issue ROOT CA
```shell
$ java -jar yubikey-ca-java.jar --issue-root-ca \
--sign-slot 88 --subject 'CN=Hatter EC Root CA' \
[--pin ******] \
[--add-to-remote]
```
# Issue Intermediate CA
```shell
$ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
--sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \
--cert-slot 89 --root-ca-id 43 \
[--pin ******] \
[--add-to-remote]
```
# Issue Server CA
```shell
$ java -jar yubikey-ca-java.jar --issue-server-ca \
--sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--dns-name a.example.com --dns-name b.example.com \
[--pin ******] \
[--cert-slot NN | --cert-file <CERT-FILE-PEM>] \
[--add-to-remote]
```
# Issue Client CA
```shell
$ java -jar yubikey-ca-java.jar --issue-client-ca \
--sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
[--pin ******] \
[--add-to-remote]
```
# Issue Client Code CA
```shell
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --subject 'CN=hatter-test-code' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
[--pin ******] \
[--add-to-remote]
```
or
```shell
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --cert-slot 90 --subject 'CN=Hatter Signing CA' --valid-years 10 \
--intermediate-ca-id 44 \
--pin ****** \
[--add-to-remote]
```
Reference in New Issue View Git Blame Copy Permalink