sbdx 最近的时间轴更新 sbdx 最近的时间轴更新 |
sbdxV2EX 第 342927 号会员,加入于 2018-08-20 15:39:35 +08:00 |
| 已经生成了 GPG 密钥,怎么转成对应的 PKCS#11 的证书?? 问与答 • sbdx • 2021-04-01 11:34:53 AM • 最后回复来自 sbdx | 7 |
sbdx 最近回复了
2021-04-01 11:34:53 +08:00 回复了 sbdx 创建的主题 › 问与答 › 已经生成了 GPG 密钥,怎么转成对应的 PKCS#11 的证书?? |
继续补充。
经过测试,这样只是生成了 CRT 证书,还需要把对应的 SSH 密钥写入 Yubikey 才 OK 。
# 生成的私钥要转换成 PEM 格式的文件,尽量不要设置密码
# 如果有密码,请在后面加上-p 参数取消即可
ssh-keygen -f private.key -m pem
#导入证书文件
C:\>yubico-piv-tool -s 9a -a import-certificate -i mykey.crt
Successfully imported a new certificate.
#导入密钥文件,触摸策略是每次都 touch,可选 never 、cached
C:\>yubico-piv-tool -s 9a -a import-key --touch-policy=always -i private.key
Successfully imported a new private key.
更详细内容可以看我的文章 https://blog.csdn.net/sbdx/article/details/115271483
不知道发链接违规不,如果违规麻烦管理员把链接删掉。谢谢。
经过测试,这样只是生成了 CRT 证书,还需要把对应的 SSH 密钥写入 Yubikey 才 OK 。
# 生成的私钥要转换成 PEM 格式的文件,尽量不要设置密码
# 如果有密码,请在后面加上-p 参数取消即可
ssh-keygen -f private.key -m pem
#导入证书文件
C:\>yubico-piv-tool -s 9a -a import-certificate -i mykey.crt
Successfully imported a new certificate.
#导入密钥文件,触摸策略是每次都 touch,可选 never 、cached
C:\>yubico-piv-tool -s 9a -a import-key --touch-policy=always -i private.key
Successfully imported a new private key.
更详细内容可以看我的文章 https://blog.csdn.net/sbdx/article/details/115271483
不知道发链接违规不,如果违规麻烦管理员把链接删掉。谢谢。
2021-03-25 20:05:11 +08:00 回复了 sbdx 创建的主题 › 问与答 › 已经生成了 GPG 密钥,怎么转成对应的 PKCS#11 的证书?? |
感谢,已经用 gpgsm 命令生成了自签名证书并写入 YubiKey
```
根据 OpenPGP 密钥生成自签发的证书
C:\Users\Bill\Desktop>gpgsm --gen-key >client.crt
gpgsm (GnuPG) 2.2.27; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 3
Serial number of the card: D276000124010304****************
Available keys:
(1) ******FD9AC53B16E8DFDF9E**************** OPENPGP.1 rsa2048 (cert,sign)
(2) ******BC64E376FFEA2831D2**************** OPENPGP.2 rsa2048 (encr)
(3) ******E4E052176A3B450BF3**************** OPENPGP.3 rsa2048 (sign,auth)
Your selection? 3
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 2
Enter the X.509 subject name: CN="Alex",OU="DevOps",O="Google"
Enter email addresses (end with an empty line):
> [email protected]
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: card:OPENPGP.3
Key-Length: 1024
Key-Usage: sign
Serial: random
Name-DN: CN="Alex",OU="DevOps",O="Google"
Name-Email: [email protected]
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &616804E4E******************************
gpgsm: certificate created
Ready.
用 YubiKey Manage 导入刚才生成的 client.crt 文件
打卡 YubiKey Manage->Application->PIV->Configure Certificates->Authentication(Slot 9a)->Import
查看证书信息
C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-tool --list-public-keys
Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0
Public RSA Key [PIV AUTH pubkey]
Object Flags : [0x00]
Usage : [0x2D1], encrypt, wrap, verify, verifyRecover, nonRepudiation
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 154 (0x9A)
Native : yes
ID : 01
DirectValue : <absent>
```
```
根据 OpenPGP 密钥生成自签发的证书
C:\Users\Bill\Desktop>gpgsm --gen-key >client.crt
gpgsm (GnuPG) 2.2.27; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 3
Serial number of the card: D276000124010304****************
Available keys:
(1) ******FD9AC53B16E8DFDF9E**************** OPENPGP.1 rsa2048 (cert,sign)
(2) ******BC64E376FFEA2831D2**************** OPENPGP.2 rsa2048 (encr)
(3) ******E4E052176A3B450BF3**************** OPENPGP.3 rsa2048 (sign,auth)
Your selection? 3
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 2
Enter the X.509 subject name: CN="Alex",OU="DevOps",O="Google"
Enter email addresses (end with an empty line):
> [email protected]
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: card:OPENPGP.3
Key-Length: 1024
Key-Usage: sign
Serial: random
Name-DN: CN="Alex",OU="DevOps",O="Google"
Name-Email: [email protected]
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &616804E4E******************************
gpgsm: certificate created
Ready.
用 YubiKey Manage 导入刚才生成的 client.crt 文件
打卡 YubiKey Manage->Application->PIV->Configure Certificates->Authentication(Slot 9a)->Import
查看证书信息
C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-tool --list-public-keys
Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 0
Public RSA Key [PIV AUTH pubkey]
Object Flags : [0x00]
Usage : [0x2D1], encrypt, wrap, verify, verifyRecover, nonRepudiation
Access Flags : [0x02], extract
ModLength : 2048
Key ref : 154 (0x9A)
Native : yes
ID : 01
DirectValue : <absent>
```
2021-03-25 15:40:30 +08:00 回复了 szuwl 创建的主题 › 程序员 › 怎样理解下面这段代码 |
编译器猜的
2021-03-25 12:39:47 +08:00 回复了 sbdx 创建的主题 › 问与答 › 已经生成了 GPG 密钥,怎么转成对应的 PKCS#11 的证书?? |
但是 XShell 里读不到 GPG 的密钥,只能加载 PIV 证书
Select Language