Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 8:50 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Tue Jun 17, 2014 9:12 am 
Offline

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
Using the yubico-piv-tool I generate a public key in slot 9A.

I then try to create a self-signed certificate based off this public key.

But I get the error:

Code:
Failed sign command with code 6982


What does code 6982 mean?

The same error occurs for slots 9C and 9D. But Slot 9E works, which is the Card Authentication slot, where the PIN is never used/needed.

Is it impossible or not allowed to have self-signed certificates in slots 9A, 9C, or 9D (PIV Authentication, Digital Signature, Key Management) slots?

The yubico-piv-tool generates self-signed certificates with a life-time of 1 year. To get different life-times requires changing the hardcoded value and recompiling. Could you add a command line argument?

Is it possible to add extended attributes to self-signed certificates, such as basicConstraints: CA=True?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Jun 17, 2014 2:36 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

For selfsigned certs in the slots where pin verification is needed you'll have to verify when you sign it, like in the examples (the actions are processed in order, so the order is important..):

$yubico-piv-tool -s 9a -S '/CN=bar/OU=test/O=example.com/' -P 123456 -a verify -a selfsign

I guess expiry times could be added as an option.. But for more complex configurations of certificates you're probably better off using openssl with the pkcs11 engine and the pkcs11 module from opensc. Some brief documentation is available at https://www.opensc-project.org/opensc/wiki/PivTool

/klas


Top
 Profile  
Reply with quote  
PostPosted: Wed Jun 18, 2014 6:30 am 
Offline

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
Thank you Klas, that was my problem. I was not providing the -a verify before the -a selfsign. I have now been able to generate and store self-signed certificates in other slots such as 9C.

I will try to use the OpenSSL and OpenSC to create more complex certificates. However if they are to be self-signed this might be a chicken-and-egg problem. I will read through the documentation again and do some experimentation.

Thanks


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group