Update SSH_with_PIV_and_PKCS11.adoc
add comment on 3072 and 4096 bit RSA keys requiring firmware 5.7+
Add comment about the default PIN as suggested in #74
joostd authored Jun 26, 2024
1 parent d6571bd commit 719fc82
5 changes: 4 additions & 1 deletion content/PIV/Guides/SSH_with_PIV_and_PKCS11.adoc
Expand Up @@ -10,7 +10,7 @@ This is a step-by-step guide on setting up a YubiKey with PIV to work for public
OpenSC is no longer required, since we now have a functional PKCS #11 module, namely ykcs11.

[NOTE]
RSA 4096-bit keys are not currently supported due to a limitation in the PIV spec: https://github.com/Yubico/yubico-piv-tool/issues/58
RSA 4096-bit and RSA 3072-bit keys require YubiKey firmware version 5.7 or later.

[NOTE]
We strongly recommend changing the management key; keeping the default management key is explicitly discouraged. The examples given in the following steps assume that you have not yet changed the management key. If you have changed the management key, add `--key` to the `yubico-piv-tool -a import-certificate` command below.
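Review bot: the rewritten NOTE at the top of this hunk tells the reader that RSA 3072-bit and 4096-bit keys need YubiKey firmware 5.7 or later, but gives no way to find out which firmware the key is running or what to expect on older firmware; consider adding the check (for example `ykman info`, or `yubico-piv-tool -a version`) and one sentence saying that generating or importing keys of those sizes will not work on earlier firmware, so a reader whose generate step fails does not go hunting in the OpenSSH or ykcs11 configuration. The removed line was also the only place that pointed at an external reference (yubico-piv-tool issue #58) for the limitation; the new statement would benefit from an equivalent pointer, such as the 5.7 firmware release notes, so readers can verify the claim as the guide ages.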
Expand All @@ -34,6 +34,9 @@ or *generate* the key:

$ yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem

[NOTE]
This command will prompt for the PIV PIN. The default PIV PIN is 123456. You should change the default PIN before generating keys with `yubico-piv-tool -a change-pin`.

*Step 3*: Load the certificate:

$ yubico-piv-tool -a import-certificate -s 9a -i cert.pem
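Review bot: the last sentence of the new NOTE has a misplaced modifier: "change the default PIN before generating keys with `yubico-piv-tool -a change-pin`" reads as if `change-pin` is the command that generates the keys. Suggest: "Change the default PIN with `yubico-piv-tool -a change-pin` before generating keys." The placement is also off: the note is inserted after the `selfsign-certificate` command in Step 2, which already follows the point where the key was generated or imported, so either move the note to the start of Step 2 (before the generate/import commands) or reword it as "before continuing". It would also help to say that it is the `-a verify-pin` action in the preceding command that causes the PIN prompt, so the note is tied to the command it annotates, and to keep the wording consistent with the management-key NOTE above, which states that the examples assume the default value is still in place.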
