Yubico Forum

Hello Yubico users,

I have had good success installing OpenPGP keys on my new Yubikey 4. Then I got it to work with gpg-agent and with SSH. It's actually pretty cool and gives me a lot of confidence that, even if my client computer is thoroughly compromised, at least no one will get an SSH private key.

Now I would like to set up a similar level of security for my IMAP (Dovecot) and SMTP-Submission (Postfix) users.

The two ways to go are OTP or TLS client certs. Actually it looks like TLS client certs may be easier for users.

The problem is that to use them, I probably need to set up a private CA. I can do that, if that's the right way to go.

Does anyone have guidance on how to approach this? It would be very nice if Yubico would run an accredited CA that could sign client certs. Then we would not need to set up an entire CA for this purpose. Any other suggestions?

Thanks!

I'd go for TLS certs, you can use Yubico-piv-tools to manage a CA on the YubiKey
TLS certs usually have very good support... e.g. you can only allow certain clients to connect if their CA is X or if the cert fingerprint is Y

Yes, that's what I'll do. The only hassle is, it means I need to create a CA. Which is really not that bad. I've done it before. I just would prefer not to.

If I'm using the Yubikey for OpenPGP, with gpg-agent, and for PIV, with PKCS11, can I use both of those at the same time? My SSH connection might need to use gpg-agent/OpenPGP, and then my email client might need to use PKCS11, in quick sequence. Can it handle this type of thing, or will it get confused? The other possibility is to make SSH use PKCS11. Is that better?

I'm trying to figure out the best approach.

With some help, I did get Prosody XMPP server to use Yubikey OTP, and that was cool.

I really wish RFC 6091 had happened. It would be the obvious solution. Everything uses gpg-agent, no need for creating a CA to issue user keys.

Thanks

Have you checked this?
https://developers.yubico.com/yubico-pi ... ority.html