I only use the Curve448 algorithm for X.509 Root CA, ECC-P384 for Intermediate CA, and Curve25519 for OpenPGP keys (see SafeCurves).
Use the latest version of OpenSSL. Currently, I use 3.2.1. Install it from the package manager (FreeBSD pkg):
pkg install -y openssl32
The certificate located at ca.pub is the same as the SPMZT SSH CA with hash id cf922970.
It will not be used until this commit becomes available in other operating systems. So, I will simply use GPG and PIV Auth.
Only ED25519 and ECDSA host keys will be signed.
The CA public key, as an authorized_keys entry (a cert-authority line: certificates issued by this CA are accepted for the principal spmzt; to trust host certificates, the same key goes into known_hosts as an @cert-authority entry instead):
cert-authority,principals="spmzt" ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJfFCnQU76qxJiuGfoqYzVeWg8PUyApxV5dCiXp4VqdS9NogT2NWMYtQB0KXCDA1D8RcfBw1fE4rNSIWggOPXa5MCrqqX4uHJ0t1J38tMaMVn04qhKgbJ3EEk1ywJEUnzw==
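Issuing a host certificate from an ECDSA P-384 SSH CA, the same key type as the cert-authority line above, as an added example that is not the page's own CA material. It generates a throwaway CA, signs an ed25519 host key, checks the two fields of the certificate worth verifying before deployment (its type and which CA signed it), and prints the known_hosts line that trusts that CA for a domain. The host name, domain pattern and key comments are placeholders.

```shell
#!/bin/sh
# Added example, not the page's own CA key: issue an OpenSSH host certificate
# from an ECDSA P-384 CA (same key type as the cert-authority line above),
# check it, and emit the known_hosts line that trusts that CA for a domain.
# Host name, domain and key comments are placeholders.
set -eu
W=$(mktemp -d)

make_ca() {
    ssh-keygen -q -t ecdsa -b 384 -N '' -C 'example-ssh-ca' -f "$W/ssh_ca"
}

# sign_host HOSTNAME KEYTYPE: generate a host key of KEYTYPE and issue a host
# certificate (-h) for it, valid one year, with HOSTNAME as the only principal.
# The certificate lands in $W/HOSTNAME.KEYTYPE-cert.pub.
sign_host() {
    ssh-keygen -q -t "$2" -N '' -C "$1" -f "$W/$1.$2"
    ssh-keygen -s "$W/ssh_ca" -I "host:$1" -h -n "$1" -V +52w "$W/$1.$2.pub"
}

# Fields of `ssh-keygen -L` worth checking before deploying a certificate.
cert_type() {        # e.g. "ssh-ed25519-cert-v01@openssh.com host certificate"
    ssh-keygen -L -f "$1" | sed -n 's/^ *Type: //p'
}
cert_signing_ca() {  # SHA256 fingerprint of the CA key that signed the cert
    ssh-keygen -L -f "$1" | sed -n 's/^ *Signing CA: [A-Za-z0-9]* \(SHA256:[^ ]*\).*/\1/p'
}
ca_fingerprint() {   # SHA256 fingerprint of our CA public key, for comparison
    ssh-keygen -l -f "$W/ssh_ca.pub" | awk '{ print $2 }'
}

# known_hosts entry: hosts matching the pattern are trusted when they present
# a certificate from this CA whose principals include the host name.
known_hosts_line() {  # $1 = host pattern, e.g. '*.example.test'
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$W/ssh_ca.pub")"
}

make_ca
sign_host host.example.test ed25519
CERT="$W/host.example.test.ed25519-cert.pub"
echo "type:      $(cert_type "$CERT")"
echo "signed by: $(cert_signing_ca "$CERT")"
echo "our CA:    $(ca_fingerprint)"
known_hosts_line '*.example.test'
```

Comparing the Signing CA fingerprint against the CA public key you actually hold is the cheap check that catches a certificate issued by the wrong (old, or rogue) CA before it reaches a host.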
The main certificate with hash id 53bc2f23 is self-signed and is the one that will be used. For backward compatibility there is another certificate, with hash id c742685f, which is signed by the old CA.
9C: cRLSign, digitalSignature, keyCertSign
This certificate is signed by SPMZT Root CA with hash id c0c9a60f.
You can check the Yubico attestation certificate at bb2ecbbb. This means the private key was generated on the YubiKey and is not extractable.
9A (Attest): keyEncipherment, dataEncipherment, digitalSignature, nonRepudiation
This certificate is signed by SPMZT Intermediate CA with hash id 3654b90d.
You can check the Yubico attestation certificate at 221f2a4a. This means the private key was generated on the YubiKey and is not extractable.
9D: nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
This certificate is signed by SPMZT Intermediate CA with hash id 58cff29f.
You can check the Yubico attestation certificate at deb27caf. This means the private key was generated on the YubiKey and is not extractable.
9E (Attest): dataEncipherment, keyAgreement
This certificate is signed by SPMZT Intermediate CA with hash id 461f1c06.
You can check the Yubico attestation certificate at c9f4cebf. This means the private key was generated on the YubiKey and is not extractable.
83: digitalSignature, keyCertSign
This certificate is signed by SPMZT SSH CA with hash id cf922970.
Sign a host certificate request with the CA key reached through the OpenSSL pkcs11 engine (the CSR and output file are named after $CN):
export CN=host.spmzt.net
OPENSSL_ENGINES=/usr/lib/x86_64-linux-gnu/engines-3/ openssl ca -config templates/openssl.conf -engine pkcs11 -keyform engine -extfile templates/host.conf -notext -md sha256 -in requests/$CN.csr.pem -out newcerts/$CN.crt.pem -extensions host_ext
Convert a PKCS#8 PEM public key to OpenSSH format, and connect with a PEM-encoded private key:
ssh-keygen -i -m PKCS8 -f ssh.key.pem
ssh spmzt.net -i ssh.key.pem
Enable SSH support in the GnuPG agent by adding the corresponding option to the agent configuration file, ~/.gnupg/gpg-agent.conf:
enable-ssh-support
echo 'EF767EB287D6D7B8953A56BA8932BBC9AC476181' > ~/.gnupg/sshcontrol
(With >, any keygrips already listed in sshcontrol are replaced; use >> to keep them.)
While GnuPG programs can start the agent on demand, starting it explicitly is necessary to ensure that it is running when an SSH client needs it. The lines below, inserted into a ~/.xprofile script, are sufficient:
unset SSH_AGENT_PID;
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi;
export GPG_TTY=$(tty);
gpg-connect-agent updatestartuptty /bye >/dev/null
With the GPG agent running, you can start using it with your existing SSH keys, exactly like you would use ssh-agent. For example, to load your default ~/.ssh/id_rsa
key into the agent, just run as usual:
ssh-add
To tell the agent that the authentication subkey can be used with SSH, extract the keygrip of that subkey (gpg lists keygrips when run with --with-keygrip) and write it into the ~/.gnupg/sshcontrol file:
# List of allowed ssh keys. Only keys present in this file are used
# in the SSH protocol. The ssh-add tool may add new entries to this
[…]
ECF4591CC28EC303BB12D1E866C8B8AFFB675C7D
You may then verify that the key is indeed available for SSH by querying the agent for available identities:
$ ssh-add -l
2048 e3:40:d5:eb:ef:b1:3a:37:87:3d:a8:44:1d:81:ed:6a (none) (RSA)
Finally, extract the public key from the agent in a form suitable for inclusion into a ~/.ssh/authorized_keys
file:
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAA[…truncated output…]KhJHfdIcCMRF (none)
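The keygrip step above done mechanically, as an added example that is not part of the original page: a filter that reads the machine-readable gpg listing (--with-colons --with-keygrip) and prints the keygrip of every key whose own capabilities include authentication, plus an append-if-missing helper for sshcontrol. The listing embedded below is constructed sample data in the real colon format; its key IDs, fingerprints and keygrips are made up, and the sshcontrol path is a temporary stand-in for ~/.gnupg/sshcontrol.

```shell
#!/bin/sh
# Added example (not the page's own commands): pick the keygrip of the
# authentication subkey out of `gpg --with-colons --with-keygrip -K` output and
# add it to sshcontrol without duplicating it. SAMPLE_LISTING is constructed
# sample data in the colon format; all identifiers in it are made up.
set -eu

SAMPLE_LISTING='sec:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC:::+:::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.test>::::::::::0:
ssb:u:255:18:FEDCBA9876543210:1700000000::::::e:::+:::cv25519::
fpr:::::::::00000000000000000000000000FEDCBA9876543210:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:255:22:89ABCDEF01234567:1700000000::::::a:::+:::ed25519::
fpr:::::::::0000000000000000000000000089ABCDEF01234567:
grp:::::::::3333333333333333333333333333333333333333:'

# auth_keygrips: read a colon listing on stdin and print the keygrip of every
# key whose capability field (field 12) contains "a" (authentication).
# Lowercase letters are the key's own capabilities; uppercase letters on the
# primary key summarise the whole key, so index() is deliberately case-sensitive.
# The grp line that follows a sec/ssb line carries that key's keygrip in field 10.
auth_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { want = (index($12, "a") > 0) }
        $1 == "grp" && want        { print $10; want = 0 }
    '
}

# add_sshcontrol KEYGRIP FILE: append the keygrip to FILE unless already listed.
# sshcontrol holds one keygrip per line, optionally followed by a TTL; lines
# starting with "#" are comments and "!" in front of a keygrip disables it.
add_sshcontrol() {
    g=$1; f=$2
    [ -f "$f" ] || : > "$f"
    if grep -q -i "^$g" "$f"; then
        return 0
    fi
    printf '%s\n' "$g" >> "$f"
}

# count_entries FILE: number of non-comment, non-empty lines in a sshcontrol file.
count_entries() {
    grep -c -v -e '^#' -e '^$' "$1" || true
}

W=$(mktemp -d)
SSHCONTROL="$W/sshcontrol"   # stand-in for ~/.gnupg/sshcontrol
grip=$(printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips)
add_sshcontrol "$grip" "$SSHCONTROL"
add_sshcontrol "$grip" "$SSHCONTROL"   # second call is a no-op
echo "authentication keygrip: $grip"
echo "entries in sshcontrol:  $(count_entries "$SSHCONTROL")"
# On a real system: gpg --with-colons --with-keygrip -K | auth_keygrips
```

The filter ignores the encryption subkey (capability e) and the primary key, whose field reads scESC: the uppercase letters describe the whole key, and only a lowercase a marks a key that the agent should actually offer to SSH clients.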