Created
December 4, 2019 00:07
Save shanewholloway/15a0f5dda96b5d328d121f255f012ebf to your computer and use it in GitHub Desktop.
Export a Yubikey certificate to an ssh-keygen compatible key.
```sh
#!/bin/sh
# Seems to only support RSA keys...

# Export the X.509 certificate held in PIV slot 9a (PIV Authentication)
ykman piv export-certificate 9a public-cert.pem
# Extract the certificate's public key as a PEM "PUBLIC KEY" block
openssl x509 -in public-cert.pem -noout -pubkey > public-key.pem
# Convert that public key into OpenSSH's one-line public key format
ssh-keygen -i -m pkcs8 -f ./public-key.pem > id_yubi_9a.pub

## then `ssh -I $PATH_TO_PKCS11_LIB $destination`
## Also see https://somm15.github.io/yubikey/macos/ssh/2018/11/20/welcome-to-jekyll.html
## Or just use `ssh-keygen -D /usr/local/lib/libykcs11.dylib` - assuming you have RSA keys and not EC keys...
```
Unfortunately, no, I didn’t pursue this further. And forgot I did it. Thanks for resurfacing
ssh-keygen(1)
-m key_format
Specify a key format for key generation, the -i (import), -e (export) conversion options, and the -p change passphrase
operation. The latter may be used to convert between OpenSSH private key and PEM private key formats. The supported
key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8 public or private key) or “PEM” (PEM
public key). By default OpenSSH will write newly-generated private keys in its own format, but when converting public
keys for export the default format is “RFC4716”. Setting a format of “PEM” when generating or updating a supported
private key type will cause the key to be stored in the legacy PEM private key format.
In a rush I have not found a clear statement that PIV is using PKCS8, but I've found several pointers that keys in the PIV module of a YubiKey are stored in PKCS8-format.
I've recently had to convert PEM public keys to the OpenSSH public key format, and have been trying to understand why `-m pkcs8` is used rather than `-m pem`. I've searched online for pkcs8 public key, but only found information suggesting pkcs8 format is only used for private keys. Also the C code path in the `ssh-keygen` command only refers to private keys. Would you happen to know the reason for pkcs8 here?
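The conversion the script performs, and the `-m pkcs8` versus `-m pem` question, as an added example that is not part of the gist or its comments: `openssl x509 -pubkey` writes a SubjectPublicKeyInfo block labelled `BEGIN PUBLIC KEY`, which is the input `ssh-keygen` names "PKCS8", while `-m pem` expects the `BEGIN RSA PUBLIC KEY` form. Throwaway self-signed certificates stand in for the one exported from slot 9a; the function names and the `constructed-test` subject are assumptions of this example, and it goes beyond the RSA case by also sending an EC (P-256) key through the same path.

```shell
#!/bin/sh
# Added example: throwaway self-signed certificates stand in for the file
# written by `ykman piv export-certificate`; no YubiKey is involved.

# make_spki KEYTYPE DIR: create a constructed cert, then extract its public key
# exactly as the gist does (openssl x509 -pubkey) into DIR/public-key.pem.
make_spki() {
    case "$1" in
        rsa) alg="-newkey rsa:2048" ;;
        ec)  alg="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
        *)   return 2 ;;
    esac
    # $alg is left unquoted on purpose so it splits into separate options.
    openssl req -x509 -nodes $alg -subj "/CN=constructed-test" -days 1 \
        -keyout "$2/key.pem" -out "$2/public-cert.pem" 2>/dev/null &&
    openssl x509 -in "$2/public-cert.pem" -noout -pubkey > "$2/public-key.pem"
}

# pem_label KEYTYPE: print the armor line of the extracted public key.
pem_label() {
    dir=$(mktemp -d) || return 1
    make_spki "$1" "$dir" && head -n 1 "$dir/public-key.pem"
    rc=$?; rm -rf "$dir"; return $rc
}

# convert KEYTYPE FORMAT: run `ssh-keygen -i -m FORMAT` on the extracted key.
# Prints the OpenSSH public key line; non-zero status if the import fails.
convert() {
    dir=$(mktemp -d) || return 1
    make_spki "$1" "$dir" &&
        ssh-keygen -i -m "$2" -f "$dir/public-key.pem" 2>/dev/null
    rc=$?; rm -rf "$dir"; return $rc
}

echo "armor line: $(pem_label rsa)"
echo "rsa via pkcs8: $(convert rsa pkcs8 | cut -d' ' -f1)"
echo "ec  via pkcs8: $(convert ec pkcs8 | cut -d' ' -f1)"
convert rsa pem >/dev/null || echo "rsa via pem: import rejected"
```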