My notes on setting up a Yubikey to keep private SSH key on it. There were a bunch of existing guides, but non covered everything or had extra steps that aren't necessary.
These steps didn't work for me; I failed at creating the self-signed certificate:
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" --valid-days=3650 -i yubikey.pub.pkcs8 -o cert.pem -v
trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID'.
Action 'verify-pin' does not need authentication.
Action 'selfsign-certificate' does not need authentication.
Now processing for action 'verify-pin'.
Enter PIN:
Successfully verified PIN.
Now processing for action 'selfsign-certificate'.
Failed sign command with code 6a80.
Failed signing certificate.
I haven't yet figured out what 6a80 means. Does this guide assume the Yubikey is in any particular state?
5 comments
[ 3.1 ms ] story [ 17.1 ms ] threadI usually save a gpg .ASC of the private key a encoded in something I have confidence in but a pkcs12 with long passphrase might be better.
Works like a charm but you need have the key in the OpenPGP applet, not the PIV applet.