Step 1 has you import an existing RSA private key or generate one on the device.
In step 2, you self-sign the certificate. As noted in the doc, “The only use for the x509 certificate is to satisfy the PIV/PKCS #11 lib”. You can skip this, per the note in step 1, if your key is already signed.
In future steps, when you’re SSHing with the pkcs11 library, it’s using the public/private components of that RSA key. The certificate (any certificate) has to exist because PKCS11 needs that to cleanly view the public key, but the actual cert metadata, including issuer, is fully unused. Importing a cert signed by a CA has no impact on the result.
On the OpenSSH side, their “CA” support does not create signed leaf x509 certificates. You trust a cert public key, and it signs an OpenSSH-specific representation of a user/host public key. OpenSSH then has a special public key type for authenticating using that signed key. As such, PIV/PKCS11 keys, as far as I’m aware, cannot be used as part of OpenSSH’s “CA” support.
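As an added illustration (not part of the comment above), the following Python encodes and decodes the OpenSSH-specific certificate structure the comment refers to (the `ssh-rsa-cert-v01@openssh.com` blob described in OpenSSH's PROTOCOL.certkeys). All values are constructed and the signature is a placeholder rather than a real CA signature; the point is that the structure carries the signed RSA public key, principals and validity window, and nothing X.509-shaped.

```python
import base64, struct

# Encoder/decoder for ssh-rsa-cert-v01@openssh.com (OpenSSH PROTOCOL.certkeys).
# Illustrative only: values are constructed and the signature is a placeholder;
# a real certificate is produced by `ssh-keygen -s ca_key ...` and signed by the CA.
CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"

def s(b: bytes) -> bytes:            # SSH "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def mpint(n: int) -> bytes:          # SSH mpint: big-endian, extra 0x00 if high bit set
    return s(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_cert(e, n, serial, cert_type, key_id, principals, after, before, ca_blob, sig):
    """Build the text form 'ssh-rsa-cert-v01@openssh.com <base64>' from its fields."""
    body = (s(CERT_TYPE) + s(b"\x00" * 32) + mpint(e) + mpint(n)          # nonce, e, n
            + struct.pack(">QI", serial, cert_type) + s(key_id.encode())   # 1=user, 2=host
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", after, before) + s(b"") + s(b"") + s(b"")  # opts/exts/reserved
            + s(ca_blob) + s(sig))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

def parse_cert(line: str) -> dict:
    """Decode a cert line into its fields; rejects anything that is not this key type."""
    buf = base64.b64decode(line.split()[1])
    def rd():                         # consume one SSH string
        nonlocal buf
        (ln,) = struct.unpack(">I", buf[:4]); val, buf = buf[4:4 + ln], buf[4 + ln:]
        return val
    def u(fmt):                       # consume fixed-width integers
        nonlocal buf
        size = struct.calcsize(fmt); val, buf = struct.unpack(fmt, buf[:size]), buf[size:]
        return val
    if rd() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com blob")
    rd()                              # nonce
    e, n = int.from_bytes(rd(), "big"), int.from_bytes(rd(), "big")
    serial, ctype = u(">QI")
    key_id, princ_blob, principals = rd().decode(), rd(), []
    while princ_blob:                 # principals are nested SSH strings
        (ln,) = struct.unpack(">I", princ_blob[:4])
        principals.append(princ_blob[4:4 + ln].decode()); princ_blob = princ_blob[4 + ln:]
    after, before = u(">QQ")
    rd(); rd(); rd()                  # critical options, extensions, reserved
    ca_blob, sig = rd(), rd()
    return {"e": e, "n": n, "serial": serial, "type": {1: "user", 2: "host"}[ctype],
            "key_id": key_id, "principals": principals, "valid_after": after,
            "valid_before": before, "ca_key": ca_blob, "signature": sig}

if __name__ == "__main__":           # constructed example: user cert for "alice"
    line = build_cert(65537, 0xC0FFEE << 200 | 0x12345, 7, 1, "alice@laptop",
                      ["alice"], 0, 1 << 40, b"<ca-key-blob-placeholder>", b"\x00" * 8)
    print(parse_cert(line)["principals"])
```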