🟣slot_9a.cnf
OpenSSL config template for the YubiKey's PIV slot 9A (Authentication).
This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for things like system login. The template below allows you to generate a certificate which can be used for Any Purpose. It has no restrictions on key usages. Primarily this slot will be used for authentication, such as SSH.
CREATE FILE
C:\Program Files\Common Files\SSL\piv_name_9a.cnf
EXAMPLE CONFIG
oid_section = yubikey_oids
[ yubikey_oids ]
nameDistinguisher = 0.2.262.1.10.7.20
microsoftCaVersion = 1.3.6.1.4.1.311.21.1
gpgUsageCert = 1.3.6.1.4.1.11591.2.6.1
[ req ]
default_bits = 2048
default_keyfile = piv_sign_9a.pem
default_md = sha256
distinguished_name = yubikey_dn
x509_extensions = yubikey_ext
req_extensions = yubikey_ext
string_mask = MASK:0x2002
utf8 = yes
prompt = no
[ yubikey_dn ]
0.C = NA
# OpenSSL's short name for stateOrProvinceName is ST
1.ST = NA
2.L = NA
3.O = Organization
4.OU = Organization Unit
5.CN = Your Common Name
6.emailAddress = email@address.com
7.GN = Your Given Name
8.title = Cert Title
9.description = Description about Cert
10.initials = ABC
11.serialNumber = 1234
[ sans ]
DNS.0 = localhost
[ yubikey_ext ]
# pathlen only has meaning on CA certificates, so it is omitted for this end-entity certificate
basicConstraints = CA:false
nsCertType = objsign, objCA
nsComment = "PIV SSH Authentication"
subjectAltName = @sans
# extendedKeyUsage = critical,serverAuth, clientAuth, emailProtection, msSGC, nsSGC, msSmartcardLogin, secureShellClient, secureShellServer
# keyUsage = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
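The template leaves keyUsage and extendedKeyUsage commented out, so the resulting certificate carries no usage restrictions. The following added example (not part of the original page) generates throwaway self-signed certificates in POSIX shell from a trimmed copy of the template and from a hypothetical authentication-only section, and prints the usage extensions each one carries. The section name `yubikey_ext_auth` and its values are assumptions.

```shell
#!/bin/sh
# Added example: the page's unrestricted extension section vs. a hypothetical
# authentication-only one. Keys are throwaway software keys, not on a YubiKey.

# Write a trimmed, constructed copy of the template to the path in $1.
write_cnf() {
cat > "$1" <<'EOF'
[ req ]
default_md = sha256
distinguished_name = yubikey_dn
string_mask = MASK:0x2002
utf8 = yes
prompt = no
[ yubikey_dn ]
O = Organization
CN = Your Common Name
[ sans ]
DNS.0 = localhost
[ yubikey_ext ]
basicConstraints = CA:false
nsComment = "PIV SSH Authentication"
subjectAltName = @sans
[ yubikey_ext_auth ]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth, msSmartcardLogin
subjectAltName = @sans
EOF
}

# Print the Key Usage / Extended Key Usage extensions of a self-signed
# certificate built with extension section $1 (no output = unrestricted).
usage_of() {
  dir=$(mktemp -d) || return 1
  write_cnf "$dir/piv.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$dir/piv.cnf" -extensions "$1" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null ||
    { rm -rf "$dir"; return 1; }
  openssl x509 -in "$dir/cert.pem" -noout -text |
    grep -A1 -E 'X509v3 (Extended )?Key Usage' || true
  rm -rf "$dir"
}

echo "yubikey_ext:";      usage_of yubikey_ext
echo "yubikey_ext_auth:"; usage_of yubikey_ext_auth
```

To apply the restricted profile to a real request, point `req_extensions` and `x509_extensions` at the chosen section instead of `yubikey_ext`.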