...
Attestation
Overview
This process outlines how to set up the PIN, PUK, and Management Key on a new YubiKey (initialize the YubiKey).
Prerequisites
- YubiKey 4 and newer
- YubiKey Manager
  - Download direct from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloads
    - Windows
    - Mac
    - Linux
Process
Attestation
- Run the YubiKey Manager application and insert your key.
- Click on Applications and then click on PIV.
Change PIN if YubiKey is fresh out of the box or has been reset to defaults
Note: Skip to step 4 (Enrollment) if the YubiKey is already initialized.
- Click on Configure PINs.
- Click Change PIN and then check Use default (if it is default).
  Fill in the blanks.
  Finish with changing PIN by clicking on Change PIN.
- Click on Change PUK and then check Use default (if it is default).
  Fill in the blanks.
  Finish with changing PUK by clicking on Change PUK.
- Click on Change Management Key and then check Use default (if it is default).
- Open a local Terminal (Linux/Mac) or PowerShell (Windows).
Windows: Run the following to add the YubiKey Manager CLI tools to the PATH environment variable.
```powershell
# User level: prepend the YubiKey Manager install directory to the user's PATH
$newPath = "$env:ProgramFiles\Yubico\Yubikey Manager;" + [Environment]::GetEnvironmentVariable("PATH", [EnvironmentVariableTarget]::User)
[Environment]::SetEnvironmentVariable("PATH", $newPath, [EnvironmentVariableTarget]::User)
```
Note: You must close and re-open PowerShell for this change to be picked up.
Run the following command to attest the certificate in slot 9a (you will need to rerun it for other slots, like 9d).
Note: Linux users will need to locate the AppImage and pass the ykman command to it as an argument.
```
ykman piv keys attest 9a <path to save attested certificate>

# Example (Windows)
ykman piv keys attest 9a $env:HOMEPATH\$env:USERNAME-attest.pem

# Example (Linux)
yubikey-manager-qt-***-linux.AppImage ykman piv keys attest 9a $HOME/$USER-attest.pem

# Example (Mac)
/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman piv keys attest 9a $HOME/$USER-attest.pem
```
This step is only needed if requested from cpu.rit.edu.
Run the following to pull the intermediate certificate from slot f9.
Note: Linux users will need to locate the AppImage and pass the ykman command to it as an argument.
```
ykman piv certificates export f9 <path to save intermediate certificate>

# Example (Windows, PowerShell)
ykman piv certificates export f9 $env:USERPROFILE\yubico-intermediate-ca.pem

# Example (Linux)
yubikey-manager-qt-***-linux.AppImage ykman piv certificates export f9 $HOME/yubico-intermediate-ca.pem

# Example (Mac)
/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman piv certificates export f9 $HOME/yubico-intermediate-ca.pem
```
Print the contents of the attestation file ($username-attest.pem).
```
# Windows
Get-Content $env:HOMEPATH\$env:USERNAME-attest.pem

# Linux/Mac
cat $HOME/$USER-attest.pem
```
This step is mainly required for access to Linux servers.
Paste all the contents of the file ($username-attest.pem), including the "BEGIN/END" statements, into the website below.
Warning: Students: Please log in with your student employee account.
Note: This is still being tested, but we are using this for now.
Open in New Tab/Window: https://cpu.rit.edu/yubikey
3/18/2022 - (Used for testing only): Open in New Tab/Window: https://cpu.rit.edu/yubikey
Paste all the contents of the file, including the "BEGIN/END" statements
If submitting multiple certs, each certificate must be merged before a new one can be added (I believe this is true, needs verification)
Please inform someone from Operations (Infrastructure Apps/Networks/Systems) that you've uploaded a certificate.
This step may require a face-to-face meeting or camera-enabled Zoom meeting.
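A local check before pasting can catch a truncated or partial copy of the file. The following is an added example, not part of the original procedure or of any Yubico tool: it confirms that every certificate in the text has matching BEGIN/END lines, valid base64 and a complete DER body, and returns SHA-256 fingerprints of the DER bytes that could be read out when informing Operations of the upload (a suggested use, not a stated requirement). The function names and the sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_complete(der):
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def check_pem(text):
    """Return SHA-256 fingerprints (hex) per certificate; ValueError on a bad paste."""
    blocks = PEM_RE.findall(text)
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    if not blocks or begins != len(blocks) or ends != len(blocks):
        raise ValueError("missing or unbalanced BEGIN/END CERTIFICATE lines")
    fingerprints = []
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:           # binascii.Error subclasses ValueError
            raise ValueError(f"certificate {i}: invalid base64") from exc
        if not der_is_complete(der):
            raise ValueError(f"certificate {i}: truncated or malformed DER")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints

def constructed_pem(der):
    """Wrap bytes in PEM armor; used only to build the sample input below."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    # Constructed placeholder: a 256-byte DER SEQUENCE, not a real certificate.
    sample = constructed_pem(b"\x30\x82\x01\x00" + bytes(256))
    print(check_pem(sample))
```

To check a real file, pass its text to `check_pem`, for example `check_pem(open(path).read())` with the path used in the attest command.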
Fill in the blanks.
Finish with changing the key by clicking on Finish.
You can check Protect with PIN to not need the Management Key for future
Insert YubiKey