| import numpy as np | |
| import matplotlib.pyplot as plt | |
| x = np.array([6,8,10,12,15]) | |
| y = np.array([2000, 1500, 1000]) | |
| X, Y = np.meshgrid(x, y, copy=False) | |
| Z = np.array([[1945, 2980, 4085, 5317, 7360], | |
| [1525, 2300, 3215, 4145, 5744], | |
| [1127, 1700, 2330, 3037, 4235]]) |
| 1. Each PIV slot can store ONE key AND ONE certificate | |
| 2. Use openssl to create the keys, not ssh-keygen (otherwise the output format is wrong) | |
| 3. You can import key and cert seperately into each slot (yubico-authenticator, yubico-piv-tool or some such) | |
| 4. Again: Only one key per slot. Importing a key to a slot will overwrite the key that was in that slot before. Same for certs. | |
| Using openssl 3.0.13 and yubico-piv-tool 2.7.0: | |
| 1. generate private key: | |
| openssl genpkey -algorithm ed25519 -out .ssh/filename | |
| 2. generate selfsigned cert (contains the public key): (store this one! can't be calculated from private key later on): | |
| openssl req -key .ssh/filename -new -x509 -days 365 -out .ssh/filename.crt |
Set up a virgin Ubuntu 24.04 to be able to create keypairs for GPG, PIV and SSH, to create paper backups of those keys, and to get keys and certificates onto a Yubikey.
sudo apt install -y openssl gpg cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man zlib1g-dev build-essential pcscd qrencode
Start by checking that there aren't any previous ssh keys inside the FIDO2 authenticator of your YubiKey. You can check if they exist by running the command below:
nix shell nixpkgs#yubikey-manager -c ykman fido credentials listIf the command above outputs a string mentioning "ssh" or "openssh", then you have already got a key generated and store on your YubiKey.
Before generating a new ssh key to store on your YubiKey you must consider which additional required authentication factors you want to use. Below you can see a table with the available factors and their corresponding command: