Problem:
There is a requirement to use a YubiKey as the certificate store for PKI authentication through PSMP to remote targets.
This assumes that PKI authentication is already enabled in the environment as per CyberArk's documentation:
- https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/PKI-Authentication-Personal-Certificate.htm
- https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/Configuring-PKI-Authentication-for-the-PrivateArk-Client.htm
Solution:
(Steps taken from https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html)
Download and install the yubico-piv-tool from here:
And follow the steps below:
- Generate the key on the YubiKey. Generating in slot 9a (the PIV Authentication slot) creates the private key on the token, where it never leaves; only the public key is written out:
yubico-piv-tool -s 9a -a generate -o public.pem
If an existing PEM private key has to be imported instead (weaker, because the key has then existed outside the token), use the import action and derive public.pem from key.pem before the next step:
yubico-piv-tool -s 9a -a import-key -i key.pem
Both actions authenticate with the PIV management key; change the factory-default management key, PIN and PUK before the token goes into service.
- Create a self-signed certificate for that key. The certificate's only job is to satisfy the PIV/PKCS #11 library, which reads the public key from the smart card through the X.509 certificate stored in the slot. The verify-pin action prompts for the token's PIN before signing.
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=My Name/O=SSH/" -i public.pem -o cert.pem
- Load the certificate
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
- Register the SSH public key for the Vault user with one of the documented methods, for example:
https://bulwarx.freshdesk.com/support/solutions/articles/17000107435-how-to-manage-ssh-keys-for-cyberark-vault-users
- Run PuTTY-CAC, go to Connection > SSH > Certificate and press the Set CAPI Cert button. In the pop-up window, select the certificate stored on the smart card and press OK.
- Connect to the target system with the regular PSMP command. The difference from password authentication is that the client now prompts for the YubiKey PIN instead of the Vault user's password: the PIN unlocks the private key on the token, and the SSH signature is produced on the token.
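The provisioning steps above as one script, added here as an example and not taken from the article or from Yubico's guide. It wraps the three yubico-piv-tool steps with a slot check and a dry-run mode, and shows how the OpenSSH public key that has to be registered for the Vault user can be derived from the cert.pem written by the selfsign step, without the token present. Assumptions that are not in the article: yubico-piv-tool, openssl and ssh-keygen are on PATH, the PKCS#11 module path in YKCS11 is a guess, and the PSMP host names in the usage comment are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the article or of Yubico's guide: provision one
# PIV slot for PSMP SSH authentication and derive the OpenSSH public key to
# register for the Vault user from cert.pem.
# Assumptions: yubico-piv-tool, openssl, ssh-keygen on PATH; YKCS11 path is a
# guess; DRY_RUN=1 prints the yubico-piv-tool command lines instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
YKCS11="${YKCS11:-/usr/local/lib/libykcs11.so}"   # assumed path to Yubico's PKCS#11 module

# Only the standard PIV key slots are accepted; 9a (PIV Authentication) is the
# one the article uses. A typo would otherwise be passed straight to the token.
valid_slot() {
  case "$1" in
    9a|9c|9d|9e) return 0 ;;
    *) return 1 ;;
  esac
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The three yubico-piv-tool steps. The key is generated on the token
# (-a generate), so the private key never exists outside the YubiKey; the
# certificate only exists so the PKCS#11 module can hand out the public key.
provision_slot() {
  slot="$1"; subject="$2"; algo="${3:-RSA2048}"
  valid_slot "$slot" || { echo "invalid PIV slot: $slot" >&2; return 2; }
  run yubico-piv-tool -s "$slot" -a generate -A "$algo" -o public.pem
  run yubico-piv-tool -a verify-pin -a selfsign-certificate -s "$slot" \
      -S "$subject" -i public.pem -o cert.pem
  run yubico-piv-tool -a import-certificate -s "$slot" -i cert.pem
}

# The OpenSSH public key to register for the Vault user can be taken from
# cert.pem without the token: extract the SubjectPublicKeyInfo from the
# certificate and convert it to OpenSSH's one-line format.
cert_to_ssh_pubkey() {
  openssl x509 -in "$1" -noout -pubkey | ssh-keygen -i -m PKCS8 -f /dev/stdin
}

# SHA256 fingerprint of that key, to compare with what the token presents
# through PKCS#11 (ssh-keygen -D "$YKCS11" -e prints the same key from the device).
cert_fingerprint() {
  cert_to_ssh_pubkey "$1" | ssh-keygen -lf /dev/stdin | awk '{print $2}'
}

# Usage: DRY_RUN=1 ./piv-psmp.sh 9a "/CN=My Name/O=SSH/"
# Afterwards an OpenSSH client opens the PSMP session with the token as the
# identity source (host names are placeholders; the PIN prompt replaces the
# Vault password prompt):
#   ssh -I "$YKCS11" vaultuser@targetuser@target.example.com@psmp.example.com
if [ "$#" -ge 2 ]; then
  provision_slot "$1" "$2"
  [ "$DRY_RUN" = "1" ] || cert_to_ssh_pubkey cert.pem
fi
```

Run it once with DRY_RUN=1 to review the exact command lines, then without it against the token. The fingerprint printed by cert_fingerprint should match the key that PuTTY-CAC or ssh-keygen -D shows from the device; a mismatch means the registered key and the slot's certificate have drifted apart.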