How to create a PIV certificate with require-touch policy? #288
Comments
|
Hey, |
|
Yes I did touch it when I was prompted for it in the terminal. |
|
When you are pairing it you should also, most likely, touch the YubiKey. Have you tried that as well? |
|
ah thanks! that was it. I didn't touch the key during pairing. Is there a suggestion on where to store the pubkey that"s created during the first step? Can I move it around or is it still needed and the path referenced somewhere? |
|
You can move it around and do whatever you want to. It was needed only to generate the cert. If you in the future want to generate a new cert you could use the same pubkey, but you can also extract this pubkey from the cert or just generate a completely new key pair and redo the process you just did. |
|
Thanks a lot! Would be great if it was possible to set the touch policy in the gui in a future version. |
|
Is it possible to enable this for an already existing certificate or is this some special policy OID that's baked into the generated cert? |
I want to use the yubikey as a smartcard for user authentication for macOS. When I insert the key it automatically prompts me to pair.
I'd like to configure it in such a waythat it does require a touch, not only the PIN.
I haven't found any option for that in the GUI. I've tried it via terminal with
ykman piv keys generate --touch-policy always 9a pubkey.pem, followed byykman piv certificates generate -s "CN=blub" 9a pubkey.pemBut this results in this error:
How can I do this? Thanks!
macOS 11.3.1, arm64, YubiKey Manager (ykman) version: 4.0.2
The text was updated successfully, but these errors were encountered: