Yubico Forum
https://forum.yubico.com/

yubico-piv-tool refuses to read previously exported pubkey
https://forum.yubico.com/viewtopic.php?f=26&t=1984

Author:  syzzer [ Wed Jul 29, 2015 12:54 pm ]
Post subject:  yubico-piv-tool refuses to read previously exported pubkey

Hi,

I'm trying to generate a CSR, following the instructions in https://www.yubico.com/wp-content/uploa ... s_v1.0.pdf.

I generated a key before, using the YubiKey PIV Manager gui thingy. I then used both the gui, and the yubico-piv-tool (1.0.1) to export a pubkey:
Code:
yubico-piv-tool -a read-certificate -s 9c -o testkey.crt


OpenSSL happily parses the testkey.crt with -inform pem. However, yubico-piv-tool refuses to load the pubkey when trying to create a CSR:
Code:
$ yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate -S "/CN=testkey/O=testorg/" -i testkey.crt -o testkey.csr --verbose=9
using reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00' matching 'Yubikey'.
> 00 a4 04 00 05 a0 00 00 03 08
< 61 11 4f 06 00 00 10 00 01 00 79 07 4f 05 a0 00 00 03 08 90 00
Action 'verify-pin' does not need authentication.
Action 'request-certificate' does not need authentication.
Now processing for action 'verify-pin'.
> 00 20 00 80 08 31 32 33 34 35 36 ff ff
< 90 00
Successfully verified PIN.
Now processing for action 'request-certificate'.
Failed loading public key for request.


I peeked into the yubico-piv-tool sources, but don't see an immediate reason why loading the pubkey would fail. Any clues?

Author:  syzzer [ Wed Jul 29, 2015 1:21 pm ]
Post subject:  Re: yubico-piv-tool refuses to read previously exported pubk

Ah, there we go. Obvious as soon as I noticed it. yubico-piv-tool wants a *pubkey*, not a *certificate* (containing a pubkey).

For future reference: to extract a pubkey from the cert, use:
Code:
openssl x509 -pubkey -in testkey.crt > testkey.pub


... and use `-i testkey.pub` instead of `-i testkey.crt`.
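As an added example (not from the thread or from the yubico-piv-tool project), here is a small POSIX-shell preflight for this exact mistake: it checks the PEM label before a file is passed with `-i`, extracts the key when the file is actually a certificate (using `-noout` so only the key is written), and compares the SubjectPublicKeyInfo fingerprint of the resulting CSR with the pubkey so a CSR built for the wrong key is caught. File names are constructed for illustration; the yubico-piv-tool invocation itself is not run here.

```shell
#!/bin/sh
# Added example, not the forum poster's or Yubico's code. Sanity-checks the
# input to `yubico-piv-tool -a request-certificate -i FILE`, which expects a
# PEM "PUBLIC KEY" (SubjectPublicKeyInfo), not a "CERTIFICATE".

# pem_label FILE -> first PEM label in FILE ("CERTIFICATE", "PUBLIC KEY", ...)
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# pubkey_from_cert CERT OUT -> writes only the certificate's public key as PEM
pubkey_from_cert() {
    openssl x509 -pubkey -noout -in "$1" > "$2"
}

# ensure_pubkey FILE -> prints the path of a PUBLIC KEY PEM usable with -i.
# A certificate is converted to FILE.pub instead of letting the tool fail with
# "Failed loading public key for request."
ensure_pubkey() {
    case "$(pem_label "$1")" in
        "PUBLIC KEY") printf '%s\n' "$1" ;;
        CERTIFICATE)  pubkey_from_cert "$1" "$1.pub" && printf '%s\n' "$1.pub" ;;
        *) echo "$1: not a PEM public key or certificate" >&2; return 1 ;;
    esac
}

# spki_fingerprint FILE -> SHA-256 over the DER SubjectPublicKeyInfo, which is
# the same whether the key came from a cert, a CSR or a raw pubkey file.
spki_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_matches_pubkey CSR PUBKEY -> succeeds only if the CSR carries PUBKEY,
# i.e. it really was requested for the key that sits in the YubiKey slot.
csr_matches_pubkey() {
    csr_fp=$(openssl req -in "$1" -pubkey -noout \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ "$csr_fp" = "$(spki_fingerprint "$2")" ]
}
```

Typical use: `yubico-piv-tool -a verify-pin -s 9c -a request-certificate -S "/CN=testkey/O=testorg/" -i "$(ensure_pubkey testkey.crt)" -o testkey.csr`, then `csr_matches_pubkey testkey.csr testkey.crt.pub` before submitting the CSR to a CA.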
