II. YubiKey Attestation

Owned by Tony Lam
Last updated: Nov 06, 2024

Attestation

  1. Insert YubiKey

  2. Open a local Terminal (Linux/Mac) or PowerShell (Windows).

     Windows

    Windows: Run the following to adding the Yubikey Manager cli tools to environment PATH

    #User Level
$newPath = "$env:ProgramFiles\Yubico\Yubikey Manager;" + [Environment]::GetEnvironmentVariable("PATH", [EnvironmentVariableTarget]::User)
[Environment]::SetEnvironmentVariable("PATH", $newPath, [EnvironmentVariableTarget]::User)

    Note: you must close and re-open your PowerShell for these to be picked up

  3. Run the following command to attest the certificate in slot 9a (You will need to rerun for other slots, like 9d)

    Linux users will need to locate the AppImage and execute ykman command as argument

    ykman piv keys attest 9a <path to save attested certificate>
---
Example:
(Windows) ykman piv keys attest 9a $env:HOMEPATH\$env:USERNAME-attest.pem
(Linux) yubikey-manager-qt-***-linux.AppImage ykman piv keys attest 9a $HOME/$USER-attest.pem
(Mac) /Applications/YubiKey\ Manager.app/Contents/MacOS/ykman piv keys attest 9a $HOME/$USER-attest.pem
    1.  This step only needed if requested from cpu.rit.edu

      Run the following to pull the intermediate certificate from slot f9

      Linux users will need to locate the AppImage and execute ykman command as argument

      ykman piv certificates export f9 <path to save attested certificate>
---
Example:
(Windows) ykman piv certificates export f9 %USERPROFILE%\yubico-intermediate-ca.pem
(Linux) yubikey-manager-qt-***-linux.AppImage ykman piv certificates export f9 $HOME/yubico-intermediate-ca.pem
(Mac) /Applications/YubiKey\ Manager.app/Contents/MacOS/ykman piv certificates export f9 $HOME/yubico-intermediate-ca.pem

  4. Print the contents of the ($username-attest.pem).

    (Windows) Get-Content $env:HOMEPATH\$env:USERNAME-attest.pem
(Linux/Mac) cat $HOME/$USER-attest.pem

  5. This step is mainly required for access to Linux servers.
    Paste all the contents of the file ($username-attest.pem), including the "BEGIN/END" statements, into the website below.

    Students: Please log in with your student employee account.

    This is still being tested, but we are using this for now.

    Open in New Tab/Window: https://cpu.rit.edu/yubikey 

     Click here to expand...

    3/18/2022 - (Used for testing only):  Open in New Tab/Window: https://cpu.rit.edu/yubikey 

    Paste all the contents of the file, including the "BEGIN/END" statements

    If submitting multiple certs, each certificate must be merged before new can be added (I believe this is true, needs verification)

    Please inform someone from Operations (Infrastructure Apps/Networks/Systems) that you've uploaded a certificate.
    This step may require a face-to-face meeting or camera-enabled Zoom meeting.

     Operations (Infrastructure Apps/Networks/Systems)

    The above process creates a merge request in System's ansible repo. The MR needs to be approved for the keys to be pushed out to systems.