Re: yubico-piv-tool refuses to read previously exported pubk

2015-07-29T13:21:00+01:00

Ah, there we go. Obvious as soon as I noticed it. yubico-piv-tool want a *pubkey* not a *certificate* (containing a pubkey).

For future reference: to extract a pubkey from the cert, use:

Code:

openssl x509 -pubkey -in testkey.crt > testkey.pub

.. and use `-i testkey.pub`, instead of `-i testkey.crt`.

Statistics: Posted by syzzer — Wed Jul 29, 2015 1:21 pm

yubico-piv-tool refuses to read previously exported pubkey

2015-07-29T12:54:27+01:00

Hi,

I'm trying to generate a CSR, following the instructions in https://www.yubico.com/wp-content/uploa ... s_v1.0.pdf.

I generated a key before, using the YubiKey PIV Manager gui thingy. I then used both the gui, and the yubico-piv-tool (1.0.1) to export a pubkey:

Code:

yubico-piv-tool -a read-certificate -s 9c -o testkey.crt

OpenSSL happily parses the testkey.crt with -inform pem. However, yubico-piv-tool refuses to load the pubkey when trying to create a CSR:

Code:

$ yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate -S "/CN=testkey/O=testorg/" -i testkey.crt -o testkey.csr --verbose=9
using reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00' matching 'Yubikey'.
> 00 a4 04 00 05 a0 00 00 03 08 
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00 
Action 'verify-pin' does not need authentication.
Action 'request-certificate' does not need authentication.
Now processing for action 'verify-pin'.
> 00 20 00 80 08 31 32 33 34 35 36 ff ff 
< 90 00 
Successfully verified PIN.
Now processing for action 'request-certificate'.
Failed loading public key for request.

I peeked into the yubico-piv-tool sources, but don't see an immediate reason why loading the pubkey would fail. Any clues?

Statistics: Posted by syzzer — Wed Jul 29, 2015 12:54 pm

Yubico Forum

Re: yubico-piv-tool refuses to read previously exported pubk

yubico-piv-tool refuses to read previously exported pubkey