Yubico Forum https://forum.yubico.com/
YubiKey NEO PIV Cannot Self-Sign Certificate in Slot 9A https://forum.yubico.com/viewtopic.php?f=26&t=1405
Author: air [ Tue Jun 17, 2014 9:12 am ]
Post subject: YubiKey NEO PIV Cannot Self-Sign Certificate in Slot 9A

Using the yubico-piv-tool I generate a public key in slot 9A. I then try to create a self-signed certificate based off this public key. But I get the error:

Code: Failed sign command with code 6982

What does code 6982 mean? The same error occurs for slots 9C and 9D. But slot 9E works, which is the Card Authentication slot, where the PIN is never used/needed. Is it impossible or not allowed to have self-signed certificates in slots 9A, 9C, or 9D (PIV Authentication, Digital Signature, Key Management)?

The yubico-piv-tool generates self-signed certificates with a lifetime of 1 year. To get different lifetimes requires changing the hardcoded value and recompiling. Could you add a command line argument?

Is it possible to add extended attributes to self-signed certificates, such as basicConstraints: CA=True?
Author: Klas [ Tue Jun 17, 2014 2:36 pm ]
Post subject: Re: YubiKey NEO PIV Cannot Self-Sign Certificate in Slot 9A

Hello,

For self-signed certs in the slots where PIN verification is needed you'll have to verify when you sign it, like in the examples (the actions are processed in order, so the order is important):

$ yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 -a verify -a selfsign

I guess expiry times could be added as an option. But for more complex configurations of certificates you're probably better off using openssl with the pkcs11 engine and the pkcs11 module from opensc. Some brief documentation is available at https://www.opensc-project.org/opensc/wiki/PivTool

/klas
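The ordering rule Klas describes, and the 6982 status in the original question, shown with an added in-memory model of the PIV slot PIN policies. This is illustrative code written for this thread, not yubico-piv-tool or YubiKey firmware; it does not talk to a card, and the class, function names and default PIN are invented for the simulation. The status words are taken from ISO 7816-4 (0x6982 = security status not satisfied) and the per-slot PIN rules from the PIV specification (SP 800-73).

```python
# Added example: simulated PIV applet, not real card communication.
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982  # ISO 7816-4: the code the tool printed
SW_AUTH_METHOD_BLOCKED = 0x6983            # ISO 7816-4: PIN retry counter exhausted
SW_VERIFY_FAILED_BASE = 0x63C0             # 63Cx: low nibble = retries remaining

# PIV PIN policy per slot (SP 800-73): 9A and 9D need the PIN once per session,
# 9C ("PIN Always") needs a fresh VERIFY before every signature, 9E never needs it.
PIN_POLICY = {0x9A: "once", 0x9C: "always", 0x9D: "once", 0x9E: "never"}


class SimulatedPivApplet:
    def __init__(self, pin="123456", retries=3):  # constructed defaults
        self._pin = pin
        self._max_retries = retries
        self._retries = retries
        self._pin_verified = False

    def verify(self, pin):
        """Model of the VERIFY command (what '-a verify' sends)."""
        if self._retries == 0:
            return SW_AUTH_METHOD_BLOCKED
        if pin != self._pin:
            self._retries -= 1
            return SW_VERIFY_FAILED_BASE | self._retries
        self._retries = self._max_retries
        self._pin_verified = True
        return SW_OK

    def sign(self, slot):
        """Model of a private-key operation in a slot (what '-a selfsign' needs)."""
        policy = PIN_POLICY[slot]
        if policy != "never" and not self._pin_verified:
            return SW_SECURITY_STATUS_NOT_SATISFIED  # the thread's 6982
        if policy == "always":
            self._pin_verified = False  # 9C: next signature needs VERIFY again
        return SW_OK


def run_actions(actions, slot, pin="123456"):
    """Process a yubico-piv-tool style '-a' list in order; return one status word per action."""
    card = SimulatedPivApplet()
    results = []
    for action in actions:
        if action == "verify":
            results.append(card.verify(pin))
        elif action == "selfsign":
            results.append(card.sign(slot))
        else:
            raise ValueError("unknown action: %s" % action)
    return results
```

Running `["selfsign"]` against 9A reproduces the 0x6982 from the question, `["verify", "selfsign"]` succeeds, and 9E succeeds without any VERIFY.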
Author: air [ Wed Jun 18, 2014 6:30 am ]
Post subject: Re: YubiKey NEO PIV Cannot Self-Sign Certificate in Slot 9A

Thank you Klas, that was my problem. I was not providing the -a verify before the -a selfsign. I have now been able to generate and store self-signed certificates in other slots such as 9C.

I will try to use OpenSSL and OpenSC to create more complex certificates. However, if they are to be self-signed this might be a chicken-and-egg problem. I will read through the documentation again and do some experimentation.

Thanks