
Utilizing Yubico 2FA

Introduction

Document Number

ENG-010624

Purpose

This document will describe how to use Yubikey secure Tokens as the 2nd authentication element in a 2FA system.  The Yubikey token generates OTP (One Time Passwords) that can be used for authentication. The Yubico secure tokens can be utilized in conjunction with any of the existing EMS or OLT authentication mechanisms.

Applies To

This applies to all OLTs and the Panorama EMS when running software release SR31.1 or above.

Definitions

2FA - Two-factor authentication.  Authentication where the user is prompted to provide two authenticators to verify the identity of the user.  Usually one is related to something you possess like a token, and the other is typically a password that is only known to that user.  Authentication only proceeds if the user has the proper token and knows the proper password for the account.  This helps provide more security.

OTP - One-Time Password.  The Yubikey token generates One-Time Passwords that can be validated by the authenticator as being generated by a specific user’s token.  The authenticator ensures that an OTP is never re-used or used out of order.  The authenticator will fail to authenticate an OTP that it determines has been used before.

Yubikey Token - The USB stick that generates OTPs or One-Time Passwords

Yubikey TokenID - The unique identifier of the Yubikey token that appears in the first 12 characters of all OTPs.

Yubico Authentication Model

The diagram above documents the standard Yubico authentication model, which has the following components:

Yubico Client - The local application / driver that collects the OTP and forwards it to the Yubico Authentication server and enforces the result of authentication.  It depends on the type of authentication being used whether this is needed.

Yubico Authentication Server - The Yubico Authentication server receives authentication requests and responds with a pass / fail result back to Yubico Authentication clients.  The Yubico authentication server also records all used OTPs and checks to ensure the OTP has not been used before and that the OTP is not an older/stale OTP.

The typical sequence of authentication is as follows:

  1. The user plugs the Yubico FIPS token into the machine.
  2. The user is prompted for username, password, and OTP.  When the user presses and holds the button on the Yubikey token, it places a One-Time Password (OTP) into the currently selected field.  The local client checks the username-to-Yubikey binding to ensure the user matches what is configured on the OLT.  It then sends the OTP to the authentication server.
  3. The Yubikey client passes the OTP to the Yubikey Authentication server via an encrypted path.
  4. The Yubikey authentication server validates that the OTP has not been used before, ensures that it is newer than the last one received, and returns a pass or fail result to the client.
  5. If the OTP authentication result passes, the local authenticator at the OLT or EMS then performs the normal username/password check via whatever mechanisms are in use.  If both the username/password and the Yubico OTP pass, the user is allowed access to the resource.

EMS Yubico Authentication

The two-factor authentication feature is enabled as a method for the Panorama PON Server to grant users access only after successfully presenting two pieces of evidence to the authentication mechanism.   One piece is the traditional user and password, the other is provided by a Yubikey OTP.   Each Yubikey token is bound to a single EMS user and users cannot share a key.  All users are required to have a Yubikey token prior to enabling Yubikey support.

By default, Panorama PON is configured to use the Yubico proprietary YUBICLOUD server.  In addition, a Validation Server is made available via Panorama PON's HTTPS Server.  Additional configuration is required if the Panorama PON OTP Validation Server (POVS) is to be used, typically when internet access (and/or the YUBICLOUD server) is not available.  The recommended mechanism is to use the EMS-hosted Yubikey Authentication Server (POVS), as it will continue to work even when connectivity to the internet is lost.  YUBICLOUD authentication requires internet access to reach the cloud-based Yubikey authentication server.

Yubikeys have two slots available.  The first slot is already configured to function with YUBICLOUD and is activated with a short button press (1-2 seconds).  Slot two is activated via a long button press: the user simply holds down the button on the Yubikey until an OTP appears on the screen.  The second slot is typically configured for use with an external (non-YUBICLOUD) server.

The second slot will need to be reprogrammed, and the private key registered with the Authentication Server.

The following section shows what the 2FA login screen will look like for the EMS:

The user will be prompted for the username, password, and One Time Password (OTP).

When entering the OTP, place the cursor into the One-time Password field, then hold down the button on the Yubikey until the Yubikey fills in the One-time password field.  If all three fields are valid, then the user will be allowed into the system.  If any of the three fields are in error, the user will not be allowed access to the EMS.

Setting up the EMS for 2FA with Yubikey OTP

The following section details the steps to set up the EMS for two-factor authentication using the Yubikey OTP.

The steps for setting Yubico authentication are:

  • Enable Panorama OTP Validation Server (POVS)
  • Register all the Yubikey tokens with the validation server.
  • Validate each Key to ensure it is properly registered with the server
  • Bind each Yubikey token to a user
  • Enable 2FA on the EMS
  • Restart the EMS Server
  • Restart the EMS client

Enable the Panorama OTP Validation Server (POVS)

The validation server is a process in the EMS server that performs Yubikey validations.  This server simply validates whether a Yubikey token is known and whether an OTP given to it is valid for a given token, hasn’t been used before, and is in sequence.  This server is not started by default and must be manually started.

Open a Windows CMD shell with elevated privileges (i.e. as administrator):

    cd %EMS_HOME%\server

    OTPMgr.bat

You are presented with the following menu after entering a Panorama PON Administrator's credentials:

To enable POVS, select menu item 8 (Local OTP Verification Server Menu).  You are presented with the following menu options:


Select item 1, Enable Local OTP.

The user should see that the Local OTP Validation has been enabled, and the default Yubicloud OTP validation was disabled.  It is required to restart the EMS for this change to take effect.

Register Yubico Tokens

The next step is to register Yubico tokens to the POVS Panorama OTP Validation Server.  

Registration of Yubikeys should not be attempted until local OTP validation has been enabled as defined in the step above and the EMS has been rebooted.

If using POVS, Yubikey slot 2 needs to be configured and registered.  To configure the Yubikey, administrators must download and run the YubiKey Personalization Tool:

    https://www.yubico.com/products/services-software/personalization-tools/use/

The user will be presented with the following interface:

Select Yubico OTP Mode.

Click on Quick.   The user is presented with the following Dialog:


Select Configuration slot 2, then press regenerate.  This is needed to generate a new secret key that is needed to register the Yubico token to the authentication server.  This is the only time and only way a secret key can be obtained.  Once written, it can never be viewed again.

Care should be taken to protect the private key. This must be guarded very carefully.  It should simply be used to register the token, then it should be discarded, and no record should be kept of it unless the key is used with multiple authenticators.  A bad actor with a private key can compromise the system.

Save the private key to the cut/paste buffer or in a temp text file.  Then press Write configuration to write the keys to the Yubikey token.

Ensure that the user presses the Write Configuration button to write the private key into the Yubico token.  Failing to do this will result in a bad OTP when the token is tested.

Go back to the OTP manager application and select option 3, Register OTP Key.

Paste in the private key that was saved from the Yubico personalization tool when prompted as below.

Enter the AES/Secret Key in Hex format:

Paste in the Secret key.  Then discard the key.  

Plug in the Yubico token, and when the EMS Prompts with:

Enter the OTP:

Do a long press on the Yubikey.  The token private key and public key are now securely stored in the authentication server and can be used for authentication.

Configuring User/Key Associations

This step is only used to associate Yubikey tokens with EMS usernames.  It can be skipped for OLT users: OLT users only need to register the key and do not need to associate a username at the EMS, since that association is done at the OLT.  When used for EMS authentication, Yubikeys need to be associated with specific users and must be unique.  That is, each Panorama PON user is assigned (and associated with) a different Yubikey token.  To associate a user with a Yubikey, use the OTPMgr.

Enter the username to associate the key with.  Then at the Enter the OTP prompt, do a long press on the Yubico Token.  Look to ensure that the token ID is repeated with the OK indication which indicates the Token to user association was accepted into the database.  This binds the token to a specific user in the EMS.  Repeat this for every user of the EMS.  Please note that users cannot share keys.

The key-to-user bindings can be viewed using menu item 5.  Since this displays only the public key, there are no security concerns with displaying this information.

Key bindings can be added or deleted using the menu items create / modify / delete.

You can re-validate a key binding using item 4.   If you need to re-validate a key binding and are using POVS, the Panorama PON Http Server must be running.   If you need to re-validate a key binding and are using Yubicloud, the Panorama PON Http Server does not need to be running.

When prompted with Enter the OTP, do a long press on the Yubico token button and if the binding is valid, you should see the key repeated with OK after it.  This indicates the validation was successful, and the key is ready for use.  It is a good idea to do this validation to ensure any problems with login are not due to the Yubico token setup.

Enable Yubico 2FA in the EMS

Once all users have an associated Yubikey token, the Yubikey 2FA can be enabled.
To enable 2FA, refer to the OTPMgr menu above.  Select menu item 6 (Enable 2FA).  Panorama PON (all of the services) must be restarted for the changes to take effect.  

Note: All of the Panorama PON users must have user/key associations before 2FA can be enabled.


The user must stop and restart the Panorama PON Server before the changes will take effect.  Use menu items 10 and 11 to accomplish this.

At this point the EMS will begin prompting for username, password, and Yubico OTP.

When entering the One Time Password in the EMS, put the cursor in the One Time Password field and do a long press of the button on the Yubikey.

Utilizing the Yubico cloud Authenticator for EMS logins

Note: It is not recommended to use the Yubico cloud authenticator, as it requires web access to the Yubico cloud; if access to the cloud authenticator is interrupted, no access to the system is possible until the security admin disables Yubico 2FA.

The Yubico Cloud is configured much the same as POVS, with one exception: the Panorama OTP Validation Server is disabled.  This forces all 2FA authentication on the EMS through the Yubico cloud server.

Option 8 on the main menu of the OTP configuration script will bring up the Local OTP Verification Server Menu.

Then press 2 to ensure the Local OTP server is disabled.

Ensure the user always uses the short press (1-2 seconds) to get OTP slot 1 which has the public/private key which is registered at the time of manufacture with the Yubico cloud server.

All other steps are the same.

OLT Yubico Authentication

The OLT also supports Yubico Authentication, utilizing Yubico 2-Factor authentication using Yubico OTP (One-Time Passwords).  The OLT must be configured to utilize the Yubico OTP in a manner very similar to the EMS.

The steps are as follows:

  • Register the Yubico Tokens with the Panorama OTP Validation Server (POVS)
  • Configure Trust Anchor to use for Authentication Link
  • Configure the Yubikey URL for authentication
  • Configure the Authentication Server IP
  • Configure the Authentication Server ID
  • Reboot
  • Configure User to Yubico Token Associations
  • Enable Yubikey 2FA on OLT
  • Login using 2FA on the OLT

Note: All of the Yubikey setup can ONLY be done by a user with the sec-admin (security administrator) role on the OLT.

Register Yubico Tokens for OLT

Note: The EMS is the authenticator for all tokens both for the OLT and the EMS. All tokens should first be registered with the Yubico Authentication server embedded in the EMS using the procedure shown above in the section Register Yubico Tokens. It is not necessary to associate a user at the EMS, only to register the key associated with the OLT user.

It should be noted that Tokens can be registered with the EMS, and then used for the same user on the EMS and CLI.  The user binding is held in each authentication client and therefore a single token can be used to log the user into either the EMS or the OLT.

Configure Trust Anchor to use for Authentication

The link to the authentication server must be secured by a certificate.  The trust anchor for that certificate must be stored in the Yubico authentication client.  If a site-specific certificate has been placed on the EMS, its trust anchor should be used.  Otherwise the default Tellabs certificate can be used for this purpose.

The default trust anchor to be utilized when using the EMS POVS can be found in the following folder:

     C:TellabsPanoramaPONbbmgrserverdataAuthenticationControllerems_anchor.pem

It is also posted on the AppNote in the same section as this document.

Then log into the OLT via an ssh session as a certificate admin user.  Only a user of that type can perform this function; normal users cannot.

ESU2 ne security> yubikey cfg cert terminal
Enter the Yubikey Trust Anchor Certificate(s) below(optional): (Hit Ctrl-D when finished, or Ctrl-C to cancel)
^d 


The user can validate it was accepted by issuing the following command:

ne security yubikey show cert  

Configure the server hostname

The user needs to configure the hostname of the EMS server which will serve as the Yubikey authenticator.

ESU2 ne security> yubikey cfg host terminal
Enter the Yubikey server hostname: (Hit Ctrl-D when finished, or Ctrl-C to cancel)
eliot
^d

Configure the EMS IP address

The IP address of the EMS must be configured via the following command: 

ESU2 ne security> yubikey cfg ip terminal
Enter the Authentication Server IP below: (Hit Ctrl-D when finished, or Ctrl-C to cancel)
172.28.138.40
^d

The user can verify the configured IP as follows:

ESU32> ne security yubikey show ip
172.28.125.130 

After setting the IP you need to reboot or switch the ESU to protection to ensure that the host table entry gets written out.

Configure User / Key Associations

All of the users now need to bind their tokens to their CLI username using the command shown below:

ESU2 ne security> yubikey edit user=secadmin terminal
Enter the Yubikey Token ID below: (Hit Ctrl-D when finished, or Ctrl-C to cancel)
vvjbiggfgvrgndknhvudlvnntnhtdinkehhurkjbblin
^d

Use the command:

    yubikey edit user=<username> terminal

When prompted to enter the Yubikey Token ID, simply do a long press on the Yubikey.  It will output a valid OTP.  The first 12 characters of the OTP are the public key, which is used to bind the user to the token.

The user can list the binding for each user using the yubikey show command as follows:

ESU2 ne security> yubikey show user=admin
admin : vvjbiggfgvrg. 


Show all yubikey associations and public keys as follows: 

ESU2 ne security> yubikey show users
admin : vvjbiggfgvrg
craftly : vvjbiggfgvrg
secadmin : vvjbiggfgvrg. 

Enable Yubico 2FA on the OLT

The next step is to enable Yubico 2FA on the OLT.  The system will not allow enabling of 2FA unless all users in the user database have a user to Yubikey token binding.

ESU2 ne security> yubikey edit admin=enabled
admin=enabled
Found secure admin: secadmin
secureAdmin=secadmin
Admin enabled 


The following command enables Yubico 2FA on the OLT:

    ne security yubikey edit admin=enabled

The command can only be issued by a user with the Security Admin (sec-admin) role.  Once 2FA is enabled, users will be forced to ssh using Yubico 2FA.

Logging into OLT using Yubico 2FA

The procedure for logging into the OLT differs slightly with SR31.1 in order to accommodate the Yubico 2FA.  The user must use the keyboard interactive mode when logging in. 

The user will then be prompted for the Yubikey OTP.

Do a long press on the Yubikey Token which will send the OTP assigned to slot two in the Yubikey.

The user will then be prompted for the user’s password:

If a valid username is entered, a valid OTP for that user, and the correct password for that user, access is allowed.  Otherwise, access is denied.

If the Yubico server is not available, all SSH access will be denied.  The serial port can still be used to access the system.

If using Putty, it will automatically detect the keyboard interactive mode, and the user will be prompted as follows: 

At the login as: prompt, enter your username.

At the YubiKey for: <username> prompt, do a long press on the Yubikey button.

At the password prompt: enter your password.

If all three are correct, the user will be allowed access.  If any of the three are incorrect, no access will be granted.

Deleting Existing Users

A user can be deleted via the following command: 

ESU2 ne security> yubikey delete user=fred
Username fred deleted 

Deleting an Anchor Certificate

The anchor certificates can be deleted from the OLT as follows.  Please note that this will disable Yubikey, as these certificates are needed to authenticate transactions:

ESU2 ne security> yubikey delete cert
Yubikey mode is disabled 

Using Yubico Cloud Authenticator

Note: Panorama OTP Authentication Server (POVS) is the preferred method for authentication. The Yubico cloud authenticator can be used but is not recommended as it would not be available if internet access is not available and you would have to resort to using the serial port.

To utilize the Yubico Cloud Authenticator the following steps should be followed:

  • Set the URL to the Yubico Cloud Authenticator
  • Add the IP of the Yubico Cloud Authenticator
  • Set the ID to 16 which is the default for the Cloud Authenticator.
  • Enable the 2FA service.

To set the URL to point to the Yubico Cloud Authenticator, set the url as follows:

Ping api.yubico.com to obtain the IP address of the Yubico Cloud authenticator, and add that IP address.

A user can verify the IP and URL with the following commands.

Set the Yubikey application ID to 16 which is the default used by the Yubico Cloud Authenticator.

ne security yubikey cfg id=16

Configure the User to Yubico Token Associations and Enable 2FA on the OLT as shown above.  You should be able to log in using the Yubikey token via the Yubico cloud authenticator.

If the user has any issues, make sure the user can ping the Yubico server at api.yubico.com to validate IP connectivity to the site. 

Note: Ensure that the user uses SHORT presses for 1-2 seconds so that the Yubikey will use the slot 1 credential to create the OTP. This slot is already entered into the Yubikey database at the time of manufacturing and therefore is already known by the Yubico cloud authenticator.

Yubikey Debug

The OLT also supports several CLI commands for debugging the current configuration of Yubikey.

The trust anchor certificates that allow trust of the EMS Yubikey validator can be displayed: 

ESU2 ne security> yubikey debug certfull
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:cf:a2:41:b4:fc:48:2b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=tellabs, O=tellabs
Validity
Not Before: May 18 14:48:39 2018 GMT
Not After : May 17 01:00:00 2030 GMT
Subject: CN=tellabs, O=tellabs
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E3:05:F6:F3:BF:51:DA:DB:62:AE:EC:2F:A9:32:70:28:C9:E6:4F:24
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:E3:05:F6:F3:BF:51:DA:DB:62:AE:EC:2F:A9:32:70:28:C9:E6:4F:24

 
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
 
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
21:22:bd:e1:78:ab:60:93
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=tellabs, O=tellabs
Validity
Not Before: May 18 21:28:10 2018 GMT
Not After : May 17 01:00:00 2030 GMT
Subject: CN=ems, O=tellabs, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4F:F0:5A:56:F5:08:AB:97:9A:71:E1:98:9C:27:CF:AC:3C:59:D1:3E
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:E3:05:F6:F3:BF:51:DA:DB:62:AE:EC:2F:A9:32:70:28:C9:E6:4F:24
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption

Display of just the certificate subject name and issuer is also supported: 

ESU2 ne security> yubikey debug certsum
subject=/CN=tellabs/O=tellabs
issuer=/CN=tellabs/O=tellabs
 
subject=/CN=ems/O=tellabs/C=US
issuer=/CN=tellabs/O=tellabs

The yubikey debug also supports a configuration check: 

ESU2 ne security> yubikey debug check
The Secure Admin: secadmin has a configured yubikey.
Yubikey server URL...
https://eliot:8055/otp-verify/verify
Yubikey server cert...
Yubikey server IP...
172.28.138.40
Yubikey is enabled 

Perform a test transaction with the EMS: 

ESU2 ne security> yubikey debug sclient
CONNECTED(00000005)
---
Certificate chain
0 s:/C=US/ST=Texas/O=tellabs/CN=emsadmin
i:/CN=ems/O=tellabs/C=US
1 s:/CN=ems/O=tellabs/C=US
i:/CN=tellabs/O=tellabs
---
Server certificate
subject=/C=US/ST=Texas/O=tellabs/CN=emsadmin
issuer=/CN=ems/O=tellabs/C=US
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2087 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E6882664F72853922B3F7C3C03ED86C7B6A925AC4F99200E1FA2CC98F6E6D345
Session-ID-ctx:
Master-Key: 20A2FFDDFED4CCA6CBB78CE2DC9130D364E56F06F9775B7C1C4DAEF5AAA9F5C155C5FC2BB20208FEE31EB6F2EC50D254
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1668696515
Timeout : 300 (sec)
Verify return code: 0 (ok)
--- 

Verify whether a given key is registered at the EMS authentication server.  Issue this command, performing a long press at the appropriate time: 

ESU2 ne security> yubikey debug curl
Enter the Yubikey Token ID below: (Hit Ctrl-D when finished, or Ctrl-C to cancel)
 
vvjbiggfgvrguguuuluvhjikvhuntruelrdhnlcntltb
^d
curl command: /usr/bob/bin/curl -v --cacert /usr/bob/cfg/ssl/certs/server.pem --cert /usr/bob/cfg/ssl/certs/necert.pem --key /usr/bob/cfg/ssl/private/nekey.pem https://eliot:8055/otp-verify/verify?id=1&otp=vvjbiggfgvrguguuuluvhjikvhuntruelrdhnlcntltb > /usr/bob/tmp/curl_cmd.txt
h=3BPNY9fqeMlyuckGrav/c7MobkQ=
otp=vvjbiggfgvrguguuuluvhjikvhuntruelrdhnlcntltb
t=2022-11-17T08:51:30Z0441
nonce=null
status=BAD_OTP
 
OR
status=OK 
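The client-side checks described in the authentication sequence earlier in this document (matching the OTP's TokenID against the user's binding, then acting on the server's verdict), applied to the key=value reply layout shown by yubikey debug curl above.  This is an added Python example, not code from this document or the product; the shared API key and the HMAC-SHA1 signature check over the h field follow the Yubico validation protocol v2.0 and are assumptions here, since the document does not state whether POVS signs its replies.

```python
"""Client-side handling of a Yubico OTP and the validation server's reply.

Constructed example: models what the local Yubico client does before granting
access, using the line-oriented reply layout (h=, otp=, t=, nonce=, status=).
"""
import base64
import hashlib
import hmac
from typing import Dict

# Yubico OTPs are 44 modhex characters; the first 12 are the public TokenID.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
TOKEN_ID_LEN = 12
OTP_LEN = 44

# Constructed shared API key (base64).  Assumption: the document does not say
# whether POVS signs its replies or what key it would use.
DEMO_API_KEY_B64 = base64.b64encode(b"constructed-demo-api-key").decode("ascii")


def token_id(otp: str) -> str:
    """Return the 12-character TokenID, rejecting anything that is not a
    well-formed 44-character modhex OTP."""
    if len(otp) != OTP_LEN or any(c not in MODHEX_ALPHABET for c in otp):
        raise ValueError("not a well-formed Yubico OTP")
    return otp[:TOKEN_ID_LEN]


def parse_response(text: str) -> Dict[str, str]:
    """Parse the key=value reply lines into a dict (blank lines are skipped)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def response_signature(fields: Dict[str, str], api_key_b64: str) -> str:
    """HMAC-SHA1 over the alphabetically sorted key=value pairs (h excluded),
    base64 encoded, as in the Yubico validation protocol v2.0."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    digest = hmac.new(key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_response(fields: Dict[str, str], api_key_b64: str) -> str:
    """Build a signed reply in the documented layout (stands in for the server)."""
    lines = [f"h={response_signature(fields, api_key_b64)}"]
    lines += [f"{k}={v}" for k, v in fields.items()]
    return "\n".join(lines) + "\n"


def accept(username: str, otp_sent: str, response_text: str,
           bindings: Dict[str, str], api_key_b64: str) -> bool:
    """True only if every check the client is responsible for passes: the OTP
    is well formed, its TokenID is the one bound to this username, the reply
    is authentically signed, echoes the OTP that was sent, and says OK."""
    try:
        tid = token_id(otp_sent)
    except ValueError:
        return False
    # Username-to-token binding, as listed by 'yubikey show users' on the OLT.
    if bindings.get(username) != tid:
        return False
    fields = parse_response(response_text)
    if not {"h", "otp", "status"}.issubset(fields):
        return False
    # Reject replies not produced by the holder of the shared key.
    expected = response_signature(fields, api_key_b64)
    if not hmac.compare_digest(fields["h"], expected):
        return False
    # A signed OK for some other OTP must not be accepted for this login.
    if fields["otp"] != otp_sent:
        return False
    return fields["status"] == "OK"


if __name__ == "__main__":
    # Constructed inputs; the OTP and bindings reuse values shown in this document.
    otp = "vvjbiggfgvrguguuuluvhjikvhuntruelrdhnlcntltb"
    bindings = {"admin": "vvjbiggfgvrg", "craftly": "vvjbiggfgvrg",
                "secadmin": "vvjbiggfgvrg"}
    reply = sign_response({"otp": otp, "t": "2022-11-17T08:51:30Z0441",
                           "nonce": "null", "status": "OK"}, DEMO_API_KEY_B64)
    print("admin accepted:", accept("admin", otp, reply, bindings, DEMO_API_KEY_B64))
    print("fred accepted: ", accept("fred", otp, reply, bindings, DEMO_API_KEY_B64))
```

The fourth check (the echoed otp must equal the one sent) is what stops a valid OK reply obtained for a different OTP from being replayed against this login.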

Turn on Debug logging for yubikey: 

ESU2 ne security> yubikey debug logon
Turn logging on.
 
ESU2 ne security> yubikey debug logoff
Turn logging off.
 
ESU2 ne security> yubikey debug log
Yubikey logging is disabled

Display whether Yubikey 2FA is enabled or disabled:

ESU2 ne security> yubikey debug status
Yubikey is enabled. 