smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0

Failed to create key - Error generating key #83

Closed laamalif closed 9 months ago

laamalif commented 1 year ago

$ step kms create 'yubikey:slot-id=9a' --kms 'yubikey:?pin-value=987654'

Error: failed to create key: error generating key: authenticating with management key: auth challenge: smart card error 6982: security status not satisfied
exit status 1

Update:

With Non Default Management Key (010203040506070801020304050607080102030405060708)

Error: verify pin: smart card error 63c2: verification failed

With Non Default PIN/PUK

step ca certificate --attestation-uri 'yubikey:slot-id=9a' --kms 'yubikey:?pin-value=987654' --provisioner acme-da 17634747 17634747.crt

Error: verify pin: smart card error 63c2: verification failed (2 retries remaining)

With Default PIN/PUK/Management Key all went well.

maraino commented 1 year ago

Hi @laamalif, have you tried passing the management-key attribute:

step kms create 'yubikey:slot-id=9a;management-key=010203040506070801020304050607080102030405060708?pin-value=987654'

Note that the step-kms-plugin does not require the --kms flag. You can put everything in the same argument. This is not currently the case for step.
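To make the attribute form in the comment above concrete, here is an added Go illustration (not the plugin's own URI parser) that splits a yubikey: URI into scheme, ';'-separated attributes and query parameters, rejects whitespace around an attribute's '=' and checks that management-key is 24 bytes of hex, the length of the key quoted in this thread (assumption: other key lengths are not handled).

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// KMSURI is the shape of a "yubikey:" URI as used in this thread: scheme,
// ';'-separated key=value attributes before '?', and query parameters after it.
type KMSURI struct {
	Scheme string
	Attrs  map[string]string
	Query  map[string]string
}

// ParseKMSURI splits the URI and validates management-key. It is an illustration,
// not the plugin's own parser; the 24-byte key length is the one quoted in this thread.
func ParseKMSURI(raw string) (*KMSURI, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	out := &KMSURI{Scheme: u.Scheme, Attrs: map[string]string{}, Query: map[string]string{}}
	// For "yubikey:..." (no "//"), net/url leaves everything before '?' in Opaque.
	for _, kv := range strings.Split(u.Opaque, ";") {
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok || strings.TrimSpace(k) != k || strings.TrimSpace(v) != v {
			// A stray space around '=' would silently become part of the key or value.
			return nil, fmt.Errorf("attribute %q is not a clean key=value pair", kv)
		}
		out.Attrs[k] = v
	}
	for k, vs := range u.Query() {
		out.Query[k] = vs[0]
	}
	if mk, ok := out.Attrs["management-key"]; ok {
		if b, err := hex.DecodeString(mk); err != nil || len(b) != 24 {
			return nil, fmt.Errorf("management-key must be 24 bytes of hex, got %d characters", len(mk))
		}
	}
	return out, nil
}

func main() {
	// Constructed input: the attribute form suggested in this thread.
	u, err := ParseKMSURI("yubikey:slot-id=9a;management-key=010203040506070801020304050607080102030405060708?pin-value=987654")
	fmt.Println(u, err)
}
```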

adamcstephens commented 9 months ago

Adding the management key fixed the problem for me. I had used yubikey-agent and it changed the management key.

maraino commented 9 months ago

Works as expected. Adding the management-key attribute fixes this.