Document how to generate a key on a new yubikey

Document how to sign on macOS
2024-02-12 21:02:44 +01:00 · 2024-02-12 21:02:02 +01:00
1 changed files with 24 additions and 4 deletions
--- a/readme.md
+++ b/readme.md
@ -17,8 +17,31 @@ The setup was mostly done by following these two guides:
 ### Required Software

 * OpenSSL
+* libp11
 * [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)
-  * [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)
+  *[AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)
+
+**macOS note:** openssl installed via homebrew does not pickup on libp11, you need to manually copy the pkcs11 library (update the versions):
+`cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/`
+
+### Environment Variables
+
+These must be set for all openssl operations.
+
+Linux:
+
+- `PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"`
+
+macOS:
+
+- `PKCS11_MODULE_PATH="/opt/homebrew/lib/libykcs11.dylib"`
+
+### Setting up a new yubikey
+
+The signing key on a yubikey is stored in slot 9a. On a new yubikey this slot is empty.
+
+To generate a new key, run the following command:
+`yubico-piv-tool -a generate -s 9a -A ECCP384`

 ### Generating the Root

@ -31,9 +54,6 @@ echo 1000 > serial
 echo 1000 > crlnumber
 # OpenSSL CA config file
 vim config/ca.conf
-# Setting up PKCS11
-export PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"
-export MODULE_PATH="/usr/lib/libykcs11.so"
 # Generating the root
 openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem
 ```
Author	SHA1	Message	Date
Daan Boerlage	9fedaa045e	Document how to generate a key on a new yubikey	2024-02-12 21:02:44 +01:00
Daan Boerlage	ec1b0cccb9	Document how to sign on macOS	2024-02-12 21:02:02 +01:00