@shanewholloway
Created December 4, 2019 00:07
Export a Yubikey certificate to an ssh-keygen compatible key.
#!/bin/sh
# Seems to only support RSA keys...
set -e
# 1. Pull the X.509 certificate out of PIV slot 9a (the PIV Authentication slot)
ykman piv export-certificate 9a public-cert.pem
# 2. Extract the SubjectPublicKeyInfo from the certificate as a "PUBLIC KEY" PEM file
openssl x509 -in public-cert.pem -noout -pubkey > public-key.pem
# 3. Import that public key with ssh-keygen (PKCS8 format) and write the OpenSSH one-line format
ssh-keygen -i -m pkcs8 -f ./public-key.pem > id_yubi_9a.pub
## then `ssh -I "$PATH_TO_PKCS11_LIB" "$destination"`
## Also see https://somm15.github.io/yubikey/macos/ssh/2018/11/20/welcome-to-jekyll.html
## Or just use `ssh-keygen -D /usr/local/lib/libykcs11.dylib` - assuming you have RSA keys and not EC keys...
@xhalo32

xhalo32 commented Jul 28, 2023

I've recently had to convert PEM public keys to the OpenSSH public key format, and have been trying to understand why -m pkcs8 is used rather than -m pem. I've searched online for pkcs8 public key, but only found information suggesting pkcs8 format is only used for private keys. Also the C code path in the ssh-keygen command only refers to private keys. Would you happen to know the reason for pkcs8 here?

@shanewholloway
Author

Unfortunately, no, I didn’t pursue this further. And forgot I did it. Thanks for resurfacing.

@fde6-a09a-b373

@xhalo32

ssh-keygen(1)
       -m key_format
               Specify a key format for key generation, the -i (import), -e (export) conversion options, and the -p change passphrase
               operation.   The latter may be used to convert between OpenSSH private key and PEM private key formats.  The supported
               key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM”  (PEM
               public key).  By default OpenSSH will write newly-generated private keys in its own format, but when converting public
               keys  for  export  the default format is “RFC4716”.  Setting a format of “PEM” when generating or updating a supported
               private key type will cause the key to be stored in the legacy PEM private key format.

In a rush I have not found a clear statement that PIV is using PKCS8, but I've found several pointers that keys in the PIV module of a YubiKey are stored in PKCS8 format.
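What `ssh-keygen -i -m pkcs8` actually consumes, as an added stdlib-only Python example (not code from the gist or from OpenSSH): the "PKCS8 public key" of the man page is the X.509 SubjectPublicKeyInfo structure that `openssl x509 -pubkey` writes between `-----BEGIN PUBLIC KEY-----` lines, whereas `-m pem` expects the PKCS#1 `BEGIN RSA PUBLIC KEY` form. The code parses that DER for an RSA key and re-encodes (n, e) as the `ssh-rsa` line; `build_spki_pem` only exists to construct test input, and the sample modulus used with it is constructed, not a real key.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1 rsaEncryption

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short form, or 2-byte long form up to 65535)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body

def der_int(v):
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_read(buf, pos):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits of ln give the number of length bytes
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def build_spki_pem(n, e):
    """Constructed input: RSA SubjectPublicKeyInfo PEM, i.e. what `openssl x509 -pubkey` writes."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))              # PKCS#1 RSAPublicKey
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")                    # AlgorithmIdentifier {rsaEncryption, NULL}
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING (0 unused bits) wraps it
    b64 = base64.b64encode(spki).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *body, "-----END PUBLIC KEY-----", ""])

def spki_pem_to_rsa(pem):
    """Parse an RSA SubjectPublicKeyInfo PEM into (n, e); refuses non-RSA (e.g. EC) keys."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, spki, _ = der_read(der, 0)
    tag, alg, pos = der_read(spki, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = der_read(spki, pos)
    _, rsa_pub, _ = der_read(bits, 1)             # skip the BIT STRING's unused-bits byte
    _, n_bytes, pos = der_read(rsa_pub, 0)
    _, e_bytes, _ = der_read(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def rsa_to_openssh(n, e, comment="yubikey-9a"):
    """Emit the OpenSSH public key line: base64 of string 'ssh-rsa', mpint e, mpint n (RFC 4253 6.6)."""
    def mpint(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return (b"\x00" if b[0] & 0x80 else b"") + b
    blob = b"".join(len(x).to_bytes(4, "big") + x for x in (b"ssh-rsa", mpint(e), mpint(n)))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Running `rsa_to_openssh(*spki_pem_to_rsa(open("public-key.pem").read()))` on the file from the gist's second step gives the same line `ssh-keygen -i -m pkcs8` writes to `id_yubi_9a.pub` (up to the comment), and the `ValueError` is the pure-Python counterpart of the EC caveat in the gist's last comment.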
