🟣slot_9a.cnf

OpenSSL config template for the YubiKey's PIV slot 9A (Authentication).

The template below is just an example of how you can populate slot 9A. You can populate your PIV slots with whatever you deem appropriate.

This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for things like system login. The template below lets you generate a certificate which can be used for Any Purpose: the keyUsage and extendedKeyUsage lines are commented out, so it places no restrictions on key usages. Primarily this slot will be used for authentication, such as SSH.

CREATE FILE

C:\Program Files\Common Files\SSL\piv_name_9a.cnf

EXAMPLE CONFIG

oid_section         = yubikey_oids

[ yubikey_oids ]
nameDistinguisher   = 0.2.262.1.10.7.20
microsoftCaVersion  = 1.3.6.1.4.1.311.21.1
gpgUsageCert        = 1.3.6.1.4.1.11591.2.6.1

[ req ]
default_bits        = 2048
default_keyfile     = piv_sign_9a.pem
default_md          = sha256
distinguished_name  = yubikey_dn
x509_extensions     = yubikey_ext
req_extensions      = yubikey_ext
string_mask         = MASK:0x2002
utf8                = yes
prompt              = no

[ yubikey_dn ]
0.C                 = NA
# OpenSSL's short name for stateOrProvinceName is ST
1.ST                = NA
2.L                 = NA
3.O                 = Organization
4.OU                = Organization Unit
5.CN                = Your Common Name
6.emailAddress      = email@address.com
7.GN                = Your Given Name
8.title             = Cert Title
9.description       = Description about Cert
10.initials         = ABC
11.serialNumber     = 1234

[ sans ]
DNS.0               = localhost

[ yubikey_ext ]
# pathlen is only meaningful on CA certificates (RFC 5280), so it is omitted here
basicConstraints    = CA:false
nsCertType          = objsign, objCA
nsComment           = "PIV SSH Authentication"
subjectAltName      = @sans
# extendedKeyUsage    = critical,serverAuth, clientAuth, emailProtection, msSGC, nsSGC, msSmartcardLogin, secureShellClient, secureShellServer
# keyUsage            = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
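
To see what the template actually puts into a certificate before anything is loaded into slot 9A, the following added example (not part of the original page) builds a throwaway self-signed certificate from a trimmed, constructed copy of the config and reports whether Key Usage and Extended Key Usage are present. The file names, the test CN and the functions `make_test_cert` and `audit_cert` are assumptions of this example; it needs the `openssl` CLI and a POSIX shell.

```bash
#!/bin/sh
# Added example: build a throwaway self-signed certificate from a trimmed,
# constructed copy of the slot 9A template and report what ended up in it.

# Write the constructed config plus a fresh key and certificate into directory $1.
make_test_cert() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/piv_test_9a.cnf" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = yubikey_dn
x509_extensions     = yubikey_ext
prompt              = no

[ yubikey_dn ]
CN                  = Constructed Test Name

[ sans ]
DNS.0               = localhost

[ yubikey_ext ]
basicConstraints    = CA:false
nsComment           = "PIV SSH Authentication"
subjectAltName      = @sans
EOF
  # -nodes leaves the private key unencrypted on disk: test material only.
  openssl req -x509 -new -nodes -days 1 -config "$dir/piv_test_9a.cnf" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Print a one-line summary of the usage-related extensions in certificate $1.
audit_cert() {
  text="$(openssl x509 -in "$1" -noout -text)" || return 1
  ca=unset; ku=absent; eku=absent
  case "$text" in *"CA:FALSE"*) ca=FALSE ;; *"CA:TRUE"*) ca=TRUE ;; esac
  case "$text" in *"X509v3 Key Usage"*) ku=present ;; esac
  case "$text" in *"X509v3 Extended Key Usage"*) eku=present ;; esac
  echo "ca=$ca keyUsage=$ku extKeyUsage=$eku"
}

# Run directly with: sh piv_9a_check.sh run
if [ "${1:-}" = "run" ]; then
  tmp="$(mktemp -d)" && make_test_cert "$tmp" && audit_cert "$tmp/cert.pem"
  rm -rf "$tmp"
fi
```

With `keyUsage` and `extendedKeyUsage` left out, as in the template's commented lines, the summary shows both as absent; uncomment them in the config and rerun to confirm the restrictions appear in the issued certificate.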
