
Publishing a signed Docker image - Generating the root certificate on the Yubikey

小牛编辑
2023-12-01

Generating the root key on the Yubikey

  1. List all the keys known on the host:

    ❯ notary -d ~/.docker/trust key list

    You probably don’t have any keys available yet. Let’s generate one.

  2. Create a 256-bit ECC key pair:

    ❯ yubico-piv-tool -s 9c -a generate -k --pin-policy=always --touch-policy=always --algorithm=ECCP256 -o public.pem

    Enter the Yubikey's Management key.

  3. Create a self-signed certificate (or, alternatively, a certificate signing request):

    ❯ yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9c -S '/CN=root/' --valid-days=365 -i public.pem -o cert.pem

    Enter PIN then touch the Yubikey.

    Alternatively, replace selfsign-certificate with request-certificate and send the resulting .csr file to your internal CA for signing.

    The subject CN=root is what lets Notary find the key on the Yubikey, so keep it exactly as shown.

  4. Import the (self-)signed certificate:

    ❯ yubico-piv-tool -k -a import-certificate -s 9c -i cert.pem

    Enter Yubikey’s Management key.

Alternatively, you can generate the private key outside the Yubikey if you prefer to keep a local backup copy: notary key generate creates the private key locally and then finds an empty slot on the Yubikey to import it into.

When Notary asks for the SO PIN, enter the Yubikey’s Management Key.

You should now have the root key available:

  ❯ notary -d ~/.docker/trust key list
  ROLE    GUN    KEY ID                                                 LOCATION
  ----    ---    ------                                                 --------
  root           bf98cc496cb05fd2b88b01d3200900ff05ec83a1f3690690f…     Yubikey
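A post-procedure check, added here as an example and not part of the original page: two small parsers that confirm, from the output of yubico-piv-tool -a status and notary key list, that slot 9c holds an ECCP256 certificate with subject CN=root and that Notary reports the root key as stored on the Yubikey. The status layout (a "Slot 9c:" header followed by indented "Algorithm:" and "Subject DN:" fields) is an assumption, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added post-procedure check (not from the original page). Assumes the layout of
# `yubico-piv-tool -a status` ("Slot 9c:" followed by indented "Algorithm:" and
# "Subject DN:" fields) and the `notary key list` table shown above.

# Constructed sample of `yubico-piv-tool -a status` after steps 2-4 (not real output).
SAMPLE_STATUS='Version: 5.4.3
CHUID: No data available
Slot 9c:
    Algorithm: ECCP256
    Subject DN: CN=root
    Issuer DN: CN=root
PIN tries left: 3'

# Constructed sample of `notary -d ~/.docker/trust key list` (key ID shortened).
SAMPLE_KEY_LIST='ROLE GUN KEY ID LOCATION
---- --- ------ --------
root bf98cc496cb05fd2b88b01d3200900ff Yubikey'

# Reads `yubico-piv-tool -a status` on stdin; succeeds only if slot 9c holds an
# ECCP256 key whose certificate subject is exactly CN=root (what Notary looks for).
slot9c_has_root_cert() {
    awk '
        /^Slot [0-9a-fA-F]+:/ { slot = $2; sub(":", "", slot); next }
        slot == "9c" && /Algorithm:/  { alg = $NF }
        slot == "9c" && /Subject DN:/ { subj = $NF }
        END { exit ((alg == "ECCP256" && subj == "CN=root") ? 0 : 1) }
    '
}

# Reads `notary key list` on stdin; succeeds only if a root-role key is reported
# with LOCATION "Yubikey" rather than a path under ~/.docker/trust/private.
notary_lists_root_on_yubikey() {
    awk '$1 == "root" && $NF == "Yubikey" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Runs both checks against the live tools; returns non-zero on the first failure.
verify_yubikey_root() {
    yubico-piv-tool -a status | slot9c_has_root_cert ||
        { echo "slot 9c has no ECCP256 certificate with CN=root" >&2; return 1; }
    notary -d ~/.docker/trust key list | notary_lists_root_on_yubikey ||
        { echo "notary does not list a root key stored on the Yubikey" >&2; return 1; }
    echo "root key setup verified"
}

# Invoke with --live to query the Yubikey; without it only the functions are defined.
if [ "${1:-}" = "--live" ]; then verify_yubikey_root; fi
```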