ENV:
- CARD_CLI - Card cli command or full path, default
card-cli - SIGN_REQUEST_SLOT - Sign request slot, default
82
Generate Keypair
Generate
secp256r1orsecp384r1keypair
$ java -jar yubikey-ca-java.jar --generate-keypair --keypair-type secp256r1
Write Keypair to Yubikey
Write private key to Yubikey
$ ykman piv keys import --pin-policy ONCE --touch-policy CACHED $SLOT$ private.pem
Write public key to Yubikey and generate certificate
$ ykman piv certificates generate $SLOT$ public.pem -s 'O=Org,OU=OrgUnit,CN=CommonName'
Issue ROOT CA
$ java -jar yubikey-ca-java.jar --issue-root-ca \
--sign-slot 88 --subject 'CN=Hatter EC Root CA' \
--pin ****** \
[--add-to-remote]
Issue Intermediate CA
$ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
--sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \
--cert-slot 89 --root-ca-id 43 \
--pin ****** \
[--add-to-remote]
Issue Server CA
$ java -jar yubikey-ca-java.jar --issue-server-ca \
--sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--dns-name a.example.com --dns-name b.example.com \
--pin ****** \
[--cert-slot NN | --cert-file <CERT-FILE-PEM>] \
[--add-to-remote]
Issue Client CA
$ java -jar yubikey-ca-java.jar --issue-client-ca \
--sign-slot 89 --subject 'CN=hatter-test' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--pin ****** \
[--add-to-remote]
Issue Client Code CA
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --subject 'CN=hatter-test-code' \
--intermediate-ca-id 44 --keypair-type secp256r1 \
--pin ****** \
[--add-to-remote]
or
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --cert-slot 90 --subject 'CN=Hatter Signing CA' --valid-years 10 \
--intermediate-ca-id 44 \
--pin ****** \
[--add-to-remote]