How to create a PIV certificate with require-touch policy? #288
I want to use the yubikey as a smartcard for user authentication for macOS. When I insert the key it automatically prompts me to pair.
I'd like to configure it in such a way that it does require a touch, not only the PIN.
I haven't found any option for that in the GUI. I've tried it via terminal with
ykman piv keys generate --touch-policy always 9a pubkey.pem
followed by
ykman piv certificates generate -s "CN=blub" 9a pubkey.pem
But this results in this error:
How can I do this? Thanks!
macOS 11.3.1, arm64, YubiKey Manager (ykman) version: 4.0.2

Comments
Hey,
Yes I did touch it when I was prompted for it in the terminal.
When you are pairing it you should also, most likely, touch the YubiKey. Have you tried that as well?
ah thanks! that was it. I didn't touch the key during pairing. Is there a suggestion on where to store the pubkey that's created during the first step? Can I move it around or is it still needed and the path referenced somewhere?
You can move it around and do whatever you want to. It was needed only to generate the cert. If you in the future want to generate a new cert you could use the same pubkey, but you can also extract this pubkey from the cert or just generate a completely new key pair and redo the process you just did.
Thanks a lot! Would be great if it was possible to set the touch policy in the GUI in a future version.
Is it possible to enable this for an already existing certificate or is this some special policy OID that's baked into the generated cert?
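As an added example that is not part of this thread and not ykman's own code: the touch policy is an attribute of the private key in the PIV slot, fixed when the key is generated or imported (the `--touch-policy always` flag above), so the X.509 certificate stored in the slot does not carry it. What does record it is the YubiKey's attestation certificate for that slot, in Yubico's extension 1.3.6.1.4.1.41482.3.8, whose value is two bytes: PIN policy, then touch policy (1 = never, 2 = always, 3 = cached). The script below reads that extension from an attestation certificate (PEM or DER), for instance one exported with `ykman piv keys attest 9a attest.pem`, so an administrator can check that a slot really requires touch before trusting it for macOS smartcard login. The sample inputs are constructed extension fragments built inline for the test, not real attestation certificates.

```python
import base64
import re
import sys

# DER TLV of OBJECT IDENTIFIER 1.3.6.1.4.1.41482.3.8, Yubico's PIV attestation
# extension carrying (PIN policy, touch policy).
YUBICO_POLICY_OID_DER = bytes.fromhex("060a2b0601040182c40a0308")

# Policy byte values as documented for the attestation extension.
PIN_POLICY = {1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}


def pem_to_der(data: bytes) -> bytes:
    """Accept either PEM or raw DER and return DER bytes."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def as_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used here to exercise the PEM path)."""
    b64 = base64.b64encode(der)
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def slot_policies(attestation: bytes) -> dict:
    """Return the PIN and touch policy recorded in a slot attestation certificate."""
    der = pem_to_der(attestation)
    idx = der.find(YUBICO_POLICY_OID_DER)
    if idx < 0:
        raise ValueError("no Yubico policy extension (1.3.6.1.4.1.41482.3.8) found")
    pos = idx + len(YUBICO_POLICY_OID_DER)
    tag, value, pos = _read_tlv(der, pos)
    if tag == 0x01:  # an optional BOOLEAN 'critical' flag may precede extnValue
        tag, value, pos = _read_tlv(der, pos)
    if tag != 0x04 or len(value) != 2:  # extnValue is an OCTET STRING of 2 bytes
        raise ValueError("malformed policy extension value")
    pin, touch = value[0], value[1]
    return {
        "pin_policy": PIN_POLICY.get(pin, f"unknown({pin})"),
        "touch_policy": TOUCH_POLICY.get(touch, f"unknown({touch})"),
    }


def requires_touch(attestation: bytes) -> bool:
    """True when every use of the slot's key needs a physical touch."""
    return slot_policies(attestation)["touch_policy"] in ("always", "cached")


def _constructed_extension(pin: int, touch: int) -> bytes:
    """Constructed sample input: just the Extension SEQUENCE, not a full certificate."""
    body = YUBICO_POLICY_OID_DER + bytes([0x04, 0x02, pin, touch])
    return bytes([0x30, len(body)]) + body


# Constructed samples: PIN always + touch always, and PIN once + touch never.
SAMPLE_TOUCH_ALWAYS = _constructed_extension(3, 2)
SAMPLE_NO_TOUCH = _constructed_extension(2, 1)


if __name__ == "__main__":
    # Usage: python check_touch.py attest.pem   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TOUCH_ALWAYS
    print(slot_policies(data))
```

The parser locates the extension by its OID bytes rather than walking the whole certificate, which is enough for this single well-known extension; for anything beyond that check, use a full X.509 library and also verify the attestation chain up to Yubico's root before trusting the policy bytes.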