Generate Trusted Private And Public Key For Yubikey

Nov 05, 2019 The follwing will extract the public SSH-formatted public key from the TPM. Note, if we used the same private key as in the Yubikey setup, the public portion will ofcourse be the same. The master private gpg key should only be used to generate new sub-keys, if needed, or to revoke them, if we lose one or more of our physical devices. We should now be able to: Sign messages with the signing key stored in our YubiKey (only if plugged in) and its PIN Verify those messages with the master public key. You will need the Serial Number (in decimal format), Private Identity, and Secret Key to add the YubiKey to your Duo account. You may also want to save this information, along with the Public Identity, somewhere safe since you will need them if you use this YubiKey with other services in. Oct 03, 2019  Technical guide for using YubiKey series 4 for GPG and SSH - In case the YubiKey is lost or your private key is somehow compromised. Use ssh-add -L to generate the list of public keys for SSH, and then drop that output into /.ssh/authorizedkeys or wherever you like. Oct 03, 2017  By requiring a simple human touch to trigger the key to authenticate, the YubiKey and FIDO U2F Security Key verify that the person logging in is a real live human behind the computer, and not a remote hacker, bot, or trojan. No shared secrets U2F relies on the concept of minting a cryptographic key pair for each service.

Yubikey, Smart Cards, OpenSC and GnuPG are pain in the ass to get working. Those snippets here sould help alleviate pain.

To reset and disable not used modes on Yubikey you need the ykman program

You can install it using those commands

GnuPG usage only needs CCID mode to be enabled. FIDO mode can also be enabled for WebAuthn

Yubikey OpenPGP applet that is used by GnuPG can be configured with

Make sure that gnupg, pcscd and scdaemon are installed

GnuPG Smart Card stack looks something like this

Now we have to tell scdaemon to use pcsc interface instead of the default direct connect mode.

Under Ubuntu is in package called libpcsclite1.dpkg -L libpcsclite1 command can show the location of the lib.

GnuPG Trust Model

Turn on ssh like trust on first use (tofu)

After changing gpg configuration files, it's a good idea to restart gpg-agent.

If everything went well then running following command should show something like this


Test if Yubikey is detected

pcsc-tools package contains pcsc_scan program that can be used to check that Yubikey is detected.

and then run

Now you should see Card inserted and removed events on your terminal when connectingand removing Yubikey.


Restart everything

Smart Card middleware


Check the logs

Run journalctl in another terminal window and look for scdaemon log lines

If you see sharing violation messages then something else is probably trying to use the yubikey via opensc.Check getting-estonian-id-card-and-gnupg-scdaemon-yubikey-work-together

Switch from OpenSSH ssh-agent to GnuPG as ssh-agent


First get you need to get GnuPG agent-ssh-socket path

That should return something like this

And then you can set that path as SSH_AUTH_SOCK environment variable

After that ssh-add -l shoud show your Yubikey.


Getting Estonian ID card and GnuPG scdaemon Yubikey work together.

Estonian ID card uses opensc project to access private keys on the smart card.Opensc also supports Yubikey and that will create conflicts with GnuPG scdaemon.

To fix it you can just disable Yubikey in opensc.

To make coperation between opensc and scdaemon even better then you have to patch scdaemon touse shared access mode, Arch Linux wiki has a short paragraph about that here

gpg -k or gpg --list-keys - List stored public keys

gpg -K or gpg --list-private-keys - List all stored private keys, # means private key is unavailable, > means private key is on a smartcard

  1. Generate 2048bit RSA master key with Certify(Master) and Sign permissions, expire key after 2 years
  1. Add a 2048bit RSA encryption subkey that expires after 2 years

where master_key_fingerprint is a 40 char hex string shown when running gpg -K

man page says that you can use -e option to convert private and public keys to other formats, that seems to be wrong. Insteadyou can use -p option to request changing the password but not actually setting the password.

Monkeysphere project includes a pem2openpgp command that can be used to import ssh private keys to gnupg keyring.

The imported key is stored without encryption, add it with those commands:

and then use passwd command and type the same password as your master key

After importing you can use normal gpg --edit-key command to change parameters on this key. GnuPG 2.1 also allows you to move the imported key to be one of your subkeys for authentication.

Move the key

  1. Get the imported key keygrip value gpg --with-keygrip -k
  2. gpg --expert --edit-key <master_key_id> where master_key_id is a 40 char hex string shown when running gpg -K
  3. type addkey
  4. select (13) Existing key
  5. Copy and Paste imported ssh key keygrip
  6. Toggle off all capabilities and enable authenticate capability and finish
  7. Set key valid time to 2 years with 2y
  8. Confirm key creation and type your master key password
  9. Type save to save and exit from edit menu

Generate Trusted Private And Public Key For Yubikey Iphone

Delete old public ssh key

This key is no longer needed

where ssh_key_id is a 40 char hex string shown when running gpg -K

Before moving private keys to yubikey you must make a backup of private keys so that when you lose or break your yubikeyyou could move the same keys to a new yubikey.

Exported keys are encrypted with your master password.

Its also a good idea to print your private keys on a paper because files can bitrot and become unusable after some time.

and then use keytocard command to move the primary key to card.Then select first sub key with key 1 and then move that to card with keytocard.Then unselect first key with command key and then select second subkey with key 2 and then do keytocard. After that save and you are done.

scdaemon with shared access for ubuntu 18.04

What do ssb and other mean in gpg --list-keys output

# after sec/ssb means that secret key is unavailable, maybe it was exported and then deleted

> after sec/ssb means that secret key is on a smartcard/yubikey

Most security and IT professionals know that passwords are always at risk of being compromised or cracked. Those that seek to solve this problem generally turn to one of three mainstream solutions: One-time password systems such as an RSA SecurID token or the Google Authenticator app, out-of-band authentication via SMS, or the more recently developed Universal 2nd Factor (U2F) protocol. These solutions provide a mechanism to generate or receive a token or credential that an adversary would be unable to intercept or crack. These are all reasonable solutions, depending on the system and the audience that it needs to serve.

Another alternative which has probably been around the longest is the focus of our topic today: Certificate-based authentication. Asymmetric cryptography is the star of the show here, where a private/public key pair are used to validate your identity. Today we'll talk about how to configure certificates for Windows Active Directory Authentication using a YubiKey.

Generate Trusted Private And Public Key For Yubikey Mac

What's a YubiKey?

First things first - a YubiKey is a strong authentication hardware device made by Yubico. The nice thing about them is they support USB interfaces on just about any kind of device, and they also provide a number of strong authentication protocols including FIDO U2F, Smart Card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response (HMAC-SHA1). All this in a device that costs around $50 - very affordable compared to other alternatives! To find out which YubiKey will meet your needs, check out their Product Finder. Active Directory authentication uses a YubiKey's Smart Card (PIV) functionality. For this you will need a YubiKey NEO or YubiKey 4. The less expensive YubiKey Nano does not have smart card functionality (but is great for protecting your Google account!)

Using Smart Cards and Certificates for Authentication in AD

Public Key Definition

Microsoft support for certificate-based authentication via smart cards in Active Directory is very mature, going back at least to Windows 2003. A smart card is a hardware device that can generate certificates and perform signing and encryption functions. This certificate is composed of a key pair, one private and one public. The private key is stored only on the smart card, and the public key is shared with any system which needs to interact with it such as a domain controller or the recipient of a digitally signed email.

To make all this work for AD authentication, the general principle is that you set up a Certificate Authority (CA) on a Windows server running the Certificate Services role. The CA's job is to create root or intermediate certificates that are trusted by the domain, and to digitally sign other certificates used within the domain. In this case, the CA will sign the certificate that is generated by the YubiKey's smart card function. During the certificate generation and signing process, it will also publish the new public key into the directory. This public key will be associated with the user who set it up and will be used to authenticate the user. Only the private key contained on the YubiKey will match this public key and can be used to authenticate that user.

Generate Trusted Private And Public Key For Yubikey For Windows

When using a certificate stored on a smart card, the private key component is protected by a PIN. The user must enter the PIN in order to perform smart card functions such as login or screen unlocks. This PIN protects the smart card from being stolen and also serves to prevent unauthorized software (i.e. malware) from interacting with the smart card directly.

Setting Up Certificate Services

Public Key Example

Yubico has a very detailed guide for configuring the Certificate Services to sign Smart Card certificates for authentication. This process involves installing the Certificate Services, setting up a new Certificate Template for Smart Card authentication, and enabling self-enrollment or proxy enrollment capability.

Enrolling YubiKeys

Once you have set up your Certificate Authority with the new Smart Card template for your YubiKeys, you will need to enroll your YubiKey for smart card authentication. This involves using a utility called the YubiKey PIV Manager. For the sake of brevity, here's the link to the guide. One note: When prompted for the name of your certificate template, use the short/concatenated name in case your name contains spaces (i.e. YubiKeyLogon instead of 'YubiKey Logon').

Logging In Using the Smart Card

If all went well during the enrollment process, the PIV manager shows a certificate under the 'Authentication' tab and the certificate has been published to Active Directory. When you insert the YubiKey to your Windows system, Smart Card will be displayed as a login option. Choosing this option will prompt you to enter your smart card PIN. Once you enter your PIN, you will be logged in!

OK, Great - Why Should I Use This?

The truth of the matter is that passwords are awful - no one likes remembering them and changing them, and they are subject to being reused or cracked. Smart card-based certificate authentication isn't prone to these issues and lasts forever (or until the certificate expires!) Of course, deploying smart cards across an entire organization takes careful planning for your use case. My advice is to start with a very targeted deployment for your Enterprise Administrators, Domain Adminstrators, and key members of your IT and Security team. By doing this and disallowing password-based authentication for those users, you will go a long way to frustrating the adversaries trying to compromise your domain!