# 准备
- Yubikey & Canokey
- yubico-piv-tool & ykman
- WinCryptSSHAgent (Windows Only)
# 生成私钥及证书
# CA 私钥和证书
| openssl genpkey -algorithm RSA -out ca_private_key.pem -pkeyopt rsa_keygen_bits:2048 |
| openssl req -new -x509 -key ca_private_key.pem -out ca_cert.pem -days 3650 -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=XXX/OU=XXX/CN=taoidle" |
# RSA 私钥和 CSR
| openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:2048 |
| openssl req -new -key rsa_private_key.pem -out csr.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=XXX/OU=XXX/CN=taoidle" |
# 使用 CA 签发 CSR
| openssl x509 -req -in csr.pem -CA ca_cert.pem -CAkey ca_private_key.pem -CAcreateserial -out signed_cert.pem -days 3650 |
# 证书验证
# CSR 验证
| openssl req -in csr.pem -noout -text |
# 验证生成证书
| openssl x509 -in signed_cert.pem -noout -text |
# 证书链验证
| openssl verify -CAfile ca_cert.pem signed_cert.pem |
# 自签证书链验证（仅适用于自签名证书；signed_cert.pem 由上面的 CA 签发而非自签名，因此此命令预期会验证失败，正常的链验证以上一条命令为准）
| openssl verify -CAfile signed_cert.pem signed_cert.pem |
- ca_private_key.pem：CA 私钥（用于签发 signed_cert.pem，需妥善保管，不要导入到 Yubikey/Canokey）。
- ca_cert.pem：自签名 CA 证书。
- rsa_private_key.pem：RSA 私钥。
- csr.pem：证书签名请求。
- signed_cert.pem：CA 签发的证书。
# Yubikey PIV
# 导入私钥
| yubico-piv-tool -a import-key -s 9a -i rsa_private_key.pem |
# 导入证书
| yubico-piv-tool -a import-certificate -s 9a -i signed_cert.pem |
# ykman
- 用 cat 输出 rsa_private_key.pem 和 signed_cert.pem 的内容，分别粘贴到下面“导入私钥”“导入证书”命令的标准输入（`-`）中；粘贴完成后留一个空行，按 ctrl+c 结束输入，然后输入 PIN。
# 导入私钥
| ykman piv keys import 9a - |
# 导入证书
| ykman piv certificates import 9a - |
# Canokey PIV
# 导入私钥
| yubico-piv-tool -r canokey -a import-key -s 9a -i rsa_private_key.pem |
# 导入证书
| yubico-piv-tool -r canokey -a import-certificate -s 9a -i signed_cert.pem |
# ykman
- 用 cat 输出 rsa_private_key.pem 和 signed_cert.pem 的内容，分别粘贴到下面“导入私钥”“导入证书”命令的标准输入（`-`）中；粘贴完成后留一个空行，按 ctrl+c 结束输入，然后输入 PIN。
# 导入私钥
| ykman -r canokey piv keys import 9a - |
# 导入证书
| ykman -r canokey piv certificates import 9a - |
# SSH 自动登录
# Windows
下载 WinCryptSSHAgent，启动后右键托盘图标，选择 show public key，然后将公钥添加到服务器上的 .ssh/authorized_keys。