Generate Certify Key
====================

.. warning:: Page to be translated into French...

.. warning:: No Internet from now on

Introduction
------------

The primary key to generate is the Certify key, which will be used to issue Subkeys for encryption, signature and authentication operations. The Certify key should be kept offline at all times and only accessed from a secure environment to revoke or issue Subkeys.

Keys can also be generated on the YubiKey itself to avoid duplication; however, for usability and durability reasons this guide recommends against doing so.

Generate a passphrase, which will be needed throughout the guide to create Subkeys. The passphrase should be memorized or written down in a secure location, ideally separate from the portable storage device used for key material.

The passphrase is recommended to consist of only upper case letters and numbers for improved readability. The following command will generate strong passphrases while avoiding ambiguous characters (``1``, ``I``, ``O``, ``S``, ``5``, ``U`` are removed from the character set):

.. code-block::

    LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
        tr -d "1IOS5U" | fold -w 30 | head -n10 | \
        sed "-es/./ /"{1..26..5} | cut -c2- | tr " " "-"

Example output:

.. code-block::

    A4ZK-YRRJ-8WPM-82NY-CX9T-AGKT
    PH9Z-HFDX-QDB9-YMMC-GQZB-Z3EV
    EC3H-C42G-8E9K-VF7F-ZWT7-BTL6
    B3CA-QCCE-JMNE-VAZG-ZEYD-J3XP
    YKP4-M42X-4WWE-WEKR-C3J7-GZYF
    ZQWC-E7MN-M7CT-4Y4Z-9QFV-44VY
    KY4F-C83Q-BTYQ-V8EM-WGCR-DPZN
    GYWQ-WNAC-ERWM-XGAD-6XVD-ZCLD
    L8JL-EK8H-Z4ZF-MA93-NND8-FPKA
    WM2J-XF7L-QV6D-AWLY-Y2D8-4TQQ

Generate Certify
----------------

Launch gpg in expert mode (the ``--expert`` flag is what exposes option ``(11)``, ECC with custom capabilities):

.. code-block::

    gpg --expert --full-generate-key

Here is the sequence of prompts to follow. First, choose ECC with custom capabilities, then keep only the 'Certify' capability by toggling 'Sign' off:

.. code-block::

    Please select what kind of key you want:
       (1) RSA and RSA
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
       (9) ECC (sign and encrypt) *default*
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (13) Existing key
      (14) Existing key from card
    Your selection? 11

    Possible actions for this ECC key: Sign Certify Authenticate
    Current allowed actions: Sign Certify

       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? S

    Possible actions for this ECC key: Sign Certify Authenticate
    Current allowed actions: Certify

       (S) Toggle the sign capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? Q

Next, choose the elliptic curve; personally, I keep the default option:

.. code-block::

    Please select which elliptic curve you want:
       (1) Curve 25519 *default*
       (2) Curve 448
       (3) NIST P-256
       (4) NIST P-384
       (5) NIST P-521
       (6) Brainpool P-256
       (7) Brainpool P-384
       (8) Brainpool P-512
       (9) secp256k1
    Your selection? 1

Then choose the expiration date; personally, I choose no expiration:

.. code-block::

    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y

Finally, enter the identity information: the name, the email and an optional comment:

.. code-block::

    GnuPG needs to construct a user ID to identify your key.

    Real name: YubiKey User
    Email address: yubikey@example
    Comment:
    You selected this USER-ID:
        "YubiKey User <yubikey@example>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: revocation certificate stored as '/Users/nicolas.boufidjeline/.gnupg/openpgp-revocs.d/3D98DEB92C1F530B076DA2CBE8091C4510077F5A.rev'
    public and secret key created and signed.

    pub   ed25519/0xE8091C4510077F5A 2024-02-18 [C]
          Key fingerprint = 3D98 DEB9 2C1F 530B 076D A2CB E809 1C45 1007 7F5A
    uid                              YubiKey User <yubikey@example>

Then copy the key ID (shown as ``0x...`` on the ``pub`` line, with the ``[C]`` flag confirming the key is Certify-only) and export it as an environment variable:

.. code-block::

    export KEYID=0xE8091C4510077F5A
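The passphrase command above is presented as producing "strong" passphrases; the following added example (not part of the original guide) makes that measurable. It reproduces the same format (24 characters from ``A-Z1-9`` minus ``1IOS5U``, in six groups of four) with a plain POSIX pipeline, validates that a passphrase matches the format, and computes the entropy such a passphrase carries from the alphabet size. The ``ALPHABET`` constant and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: same passphrase format as the
# guide's one-liner, plus a format check and an entropy figure.

# Unambiguous alphabet: A-Z without I, O, S, U (22 letters) and 1-9 without
# 1 and 5 (7 digits), i.e. 29 symbols in total.
ALPHABET='ABCDEFGHJKLMNPQRTVWXYZ2346789'

# gen_passphrase: 24 random symbols from ALPHABET, printed as XXXX-XXXX-...
# (six groups of four). /dev/urandom is the entropy source, as in the guide.
gen_passphrase() {
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | fold -w 24 | head -n 1 \
        | sed -e 's/\(....\)/\1-/g' -e 's/-$//'
}

# check_format: exit 0 if $1 is six dash-separated groups of four symbols
# drawn only from ALPHABET (so an ambiguous character such as 1 or O fails).
check_format() {
    printf '%s\n' "$1" | grep -Eq "^([$ALPHABET]{4}-){5}[$ALPHABET]{4}\$"
}

# entropy_bits: bits of entropy for $1 symbols chosen uniformly from an
# alphabet of $2 symbols: n * log2(k), printed with one decimal.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", n * log(k) / log(2) }'
}

# Stand-alone run: one passphrase and the entropy of the format.
p=$(gen_passphrase)
printf 'passphrase: %s\n' "$p"
printf 'entropy:    %s bits (24 symbols from %d)\n' \
    "$(entropy_bits 24 "${#ALPHABET}")" "${#ALPHABET}"
```

The entropy figure is what matters for the "strong" claim: 24 symbols from a 29-symbol alphabet give about 116.6 bits, comfortably above the roughly 128-bit security level of the ed25519 key only if the passphrase is kept that long; shortening the output (for example to four groups) drops it to roughly 78 bits, so the 24-symbol length is not cosmetic.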
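The last step copies the key ID by hand from the screen. As an added example (not part of the original guide), the function below derives ``KEYID`` from gpg's machine-readable listing (``gpg --list-keys --with-colons``) and at the same time checks what the ``[C]`` flag conveys visually: that the primary key's own capabilities are exactly Certify, with no Sign, Encrypt or Authenticate capability on the primary. The listing embedded here is a constructed sample for the key shown above, following the field layout documented in GnuPG's ``doc/DETAILS`` (field 1 record type, field 5 key ID, field 12 capabilities, lowercase for the key itself and uppercase for the key as a whole); ``certify_keyid`` and ``export_keyid`` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original guide: derive KEYID from gpg's colon
# listing and confirm the primary key is Certify-only before exporting it.

# Constructed sample of `gpg --list-keys --with-colons` output for the key
# generated above (field layout per GnuPG doc/DETAILS; the uid hash is a
# placeholder). A real run pipes gpg's output instead of this string.
SAMPLE_LISTING='pub:u:255:22:E8091C4510077F5A:1708214400:::u:::cC::::ed25519:::0:
fpr:::::::::3D98DEB92C1F530B076DA2CBE8091C4510077F5A:
uid:u::::1708214400::0000000000000000000000000000000000000000::YubiKey User <yubikey@example>::::::::::0:'

# certify_keyid: read a colon listing on stdin. For every primary key record
# (pub/sec) keep only the lowercase flags of field 12, i.e. the capabilities
# of the primary key itself; print 0x<keyid> when they are exactly "c".
# Any primary key that can also sign/encrypt/authenticate makes it fail.
certify_keyid() {
    awk -F: '
        $1 == "pub" || $1 == "sec" {
            own = $12
            gsub(/[^a-z]/, "", own)          # drop aggregate (uppercase) flags
            if (own == "c") { printf "0x%s\n", $5; ok = 1 } else { bad = 1 }
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# export_keyid: the guide's `export KEYID=...` step, driven by the listing
# instead of a hand copy. Uses the constructed sample; in practice replace
# the printf with `gpg --list-keys --with-colons`.
export_keyid() {
    KEYID=$(printf '%s\n' "$SAMPLE_LISTING" | certify_keyid) || {
        echo "primary key is not Certify-only; refusing to export KEYID" >&2
        return 1
    }
    export KEYID
    printf '%s\n' "$KEYID"
}

# Stand-alone run.
export_keyid
```

Because the check runs on the primary key's own (lowercase) flags, a key created with the default option ``(9)`` (capabilities ``scESCA``) is rejected, which is exactly the mistake the ``--expert`` / toggle-Sign-off sequence above is meant to avoid. Subkey records (``sub``/``ssb``) are ignored, since none exist yet at this point in the guide.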