Export existing private ssh key to OpenPGP card or Yubikey

export existing ssh private key to opengpg card.md

Export existing private ssh key to OpenPGP card or Yubikey

Before you begin

This will only work with OpenPGP v2.0 or newer or with PIV cards. Your existing ssh key has to be in a format that is supported by your opengpg card. For example my the OpenPGP V2.1 Card from FLOSS Shop supports only 2048 bit RSA keys. RSA exponent should be 65537, Putty and old OpenSSH releases use different expnent that for example Yubikey does not support.

Required software

Ubuntu users should sudo apt install pcscd opensc

• pcscd handles connection to the smartcard
• opensc provices PKCS#11 API for accessing certificates on the smartcard

For Yubikey setup you should install yubikey-manager that contains a nice ykman programm.

You can use this command to disable not needed modes of yubikey

ykman mode ccid

Make a copy of your private key

For example copy it to /tmp/ssh. This is needed because some commands down below will alter your private key.

Convert your RFC4716 private key to PEM and remove password

If your id_rsa private key begins with BEGIN OPENSSH PRIVATE KEY then you need to convert it to PEM format that is readable by openssl.

Use this command to remove password and convert your private key in place to PEM format

ssh-keygen -p -f id_rsa -m pem

You can use this command to check your private key in openssl

openssl rsa -in id_rsa -text

publicExponent line should say 65537

Create self signed X.509 certificate using existing private key

Create a certificate signing request

openssl req -new -key id_rsa -out myid.csr

It doesnt matter what values you enter here because ssh doesn't care

And sign it

openssl x509 -req -days 24854 -in myid.csr -signkey id_rsa -out myid.crt

Import certificate and private key to OpenPGP card

Import the certificate

pkcs15-init --store-certificate myid.crt --id 3

And the private key

pkcs15-init --store-private-key id_rsa --auth-id 3 --verify-pin --id 3

Import certificate and private key to Yubikey

We are going to use 9a slot as per Yubico documentation

ykman piv import-certificate 9a myid.crt

And the private key

ykman piv import-key 9a id_rsa

Test it

pkcs15-tool should show that you have the certificate and your private key on card

pkcs15-tool --list-certificates
pkcs15-tool --list-keys

You can also test with ssh that things still work

Use this command to generate ssh public keys

ssh-keygen -D opensc-pkcs11.so

And this comand to test ssh connections

SSH_AUTH_SOCK= ssh -I opensc-pkcs11.so -v <host>

SSH Agent

This seems to work fine under Gnome 3.30

ssh-agent needs a full path to opensc-pkcs11.so file

Under Ubuntu you should use /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Under Arch linux its /usr/lib/pkcs11/opensc-pkcs11.so

Add the key from the openpgp card

ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Remove the key from ssh-agent

ssh-add -e /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

ssh-agent pkcs11 interface does not support hotplug of the openpgp card. You must add and remove pkcs11 module very time you connect or disconnect the card.

Links

• https://lauri.võsandi.com/2017/03/yubikey-for-ssh-auth.html
• https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
• http://sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG,-OpenSsh-and-OpenSSL
• https://developers.yubico.com/PIV/Introduction/Certificate_slots.html