diff --git a/08_ssh/SSH_CERTIFICATES.md b/08_ssh/SSH_CERTIFICATES.md new file mode 100644 index 0000000..238404a --- /dev/null +++ b/08_ssh/SSH_CERTIFICATES.md 
@@ -0,0 +1,103 @@ +# SSH CERTIFICATES + +Demonstrate how to use a SSH certificates rather than keys. + +## Reason + +Keys never expire. Neither users nor hosts are forced to refresh their keys. + +### Run example + +The `nginx` container is not available on the network. We use the `ssh` server to allow access. + +```sh +# create keys +mkdir -p ./ssh_server/keys +ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa +``` + +Start the containers. + +```sh +# start server +docker compose up -d --build --force-recreate + +# quick test +docker compose logs internalnginx +docker compose logs sshserver +docker compose logs caserver +``` + +### Configure Certificate Authority + +```sh +docker compose exec -it caserver /bin/bash + + + + +``` + + +SSH to get access to `nginx`. + +```sh +# ssh onto server +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +# curl against the nginx container +curl 172.16.238.64:80 +``` + +### 🧼 Cleanup + +```sh +# bring it down and delete the volume +docker compose down +``` + +### Debugging and troubleshooting + +```sh +docker compose exec -it sshserver /bin/bash + +# start ssh +rsyslogd +service ssh start +nano /etc/ssh/sshd_config +service ssh restart + +passwd +cat /root/.ssh/authorized_keys +cat /var/log/auth.log + +#PasswordAuthentication yes +#PermitEmptyPasswords yes +#PermitRootLogin without-password + +# open connections (only rsa seems to work) +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +``` + + +## Resources + +https://www.devseccon.com/blog/3-reasons-to-use-ssh-certificates-instead-of-ssh-keys-secadvent-day-22 + + +https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39 + +- If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) 
+ + +https://www.reddit.com/r/devops/comments/s1zzz1/what_is_the_best_way_to_manage_ssh_identities_and/ + + +- Facebook: Scalable and secure access with SSH [here](https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/) + + + + +/Users/chris.guest/Code/scratch/docker_build_examples/40_ssl_nginx + diff --git a/08_ssh/docker-compose.yaml b/08_ssh/docker-compose.yaml new file mode 100644 index 0000000..6269407 --- /dev/null +++ b/08_ssh/docker-compose.yaml @@ -0,0 +1,30 @@ +services: + internalnginx: + image: nginx:1.21.1 + networks: + app_private_network: + ipv4_address: 172.16.238.64 + + sshserver: + build: + context: ./ssh_server + dockerfile: ./Dockerfile.server + ports: + - 2822:22 + networks: + app_private_network: + ipv4_address: 172.16.238.3 + + caserver: + build: + context: ./ssh_server + dockerfile: ./Dockerfile.ca + +networks: + app_private_network: + ipam: + driver: default + config: + - subnet: "172.16.238.0/24" + + diff --git a/08_ssh/ssh_server/.gitignore b/08_ssh/ssh_server/.gitignore new file mode 100644 index 0000000..0bdfd49 --- /dev/null +++ b/08_ssh/ssh_server/.gitignore @@ -0,0 +1 @@ +keys diff --git a/08_ssh/ssh_server/Dockerfile.ca b/08_ssh/ssh_server/Dockerfile.ca new file mode 100644 index 0000000..4ad517e --- /dev/null +++ b/08_ssh/ssh_server/Dockerfile.ca @@ -0,0 +1,52 @@ +# syntax=docker/dockerfile:1.4 +FROM ubuntu:20.04 + +RUN apt-get update && apt-get install --no-install-recommends \ + rsyslog \ + openssh-server \ + nano \ + curl \ + lsof \ + iproute2 nmap \ + iputils-ping -y \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +WORKDIR /scratch + +# NOTE: Escape the \$ otherwise they are rendered at buildtime +COPY --chmod=755 < /root/.ssh/authorized_keys +cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys +EOF + +RUN /bin/preparekeys.sh + +RUN chown -R root /root/.ssh/authorized_keys +RUN chmod 644 /root/.ssh/authorized_keys + +CMD [ "/bin/bash", "-c", "/bin/hold.sh" ] \ No newline at end of file 
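Review bot: in 08_ssh/SSH_CERTIFICATES.md the "Configure Certificate Authority" section holds only `docker compose exec -it caserver /bin/bash` and blank lines, and the login that follows uses `-i ./ssh_server/keys/id_rsa` against root's authorized_keys, so no certificate is generated, signed or presented even though the stated reason for the exercise is that plain keys never expire; either add the CA steps (create the CA key on caserver, sign the user key with `ssh-keygen -s`, trust the CA on sshserver via `TrustedUserCAKeys`) or mark the section TODO. In the same file: the stray local path `/Users/chris.guest/Code/scratch/docker_build_examples/40_ssl_nginx` at the end of Resources should go; `-o StrictHostKeyChecking=no` switches off the host identity check that certificates are meant to strengthen, and `accept-new` is the safer lab default; the commented `PasswordAuthentication yes` and `PermitEmptyPasswords yes` lines under Debugging deserve a one-line warning that they are for local troubleshooting only; the Cleanup comment says "delete the volume" but `docker compose down` is run without `-v`; and "use a SSH certificates" should read "use SSH certificates".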
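Review bot: in 08_ssh/docker-compose.yaml `sshserver` publishes `2822:22` with no host address, so a root SSH login is exposed on every interface of the host although the README only ever connects to 0.0.0.0; bind it as `127.0.0.1:2822:22` for a lab. `caserver` has no `networks:` entry and therefore lands on the default compose network while `internalnginx` and `sshserver` sit on `app_private_network`; if the CA is meant to be reachable from the SSH server, or deliberately kept off the shared network, say which. The `internalnginx` address `172.16.238.64` is hard-coded here and again in the README's curl line, so a comment tying the two together would help the next editor.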
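Review bot: the single `keys` entry in 08_ssh/ssh_server/.gitignore does cover the `./ssh_server/keys` directory the README creates, but it is an unanchored pattern, and the 19_yubi README in this same change writes an unencrypted CA private key to `./ssh_server/ca-keys/ca`, which this pattern would not match if the layout is reused; consider `keys/` and `ca-keys/` as explicit directory patterns.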
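Review bot: in 08_ssh/ssh_server/Dockerfile.ca the heredoc that writes the key preparation script appears truncated in this diff (`COPY --chmod=755 < /root/.ssh/authorized_keys` ... `cat /scratch/id_rsa.pub >> /root/.ssh/authorized_keys` ... `EOF`), so the committed file should be checked; as shown, `id_rsa.pub` is the only key visibly appended to authorized_keys, which would account for the README's "(only rsa seems to work)" if `id_ed25519.pub` is never added. Beyond that, this is the image for the certificate authority, yet it installs `openssh-server` and populates root's authorized_keys exactly like the SSH server, and pulls in `nmap`, `lsof` and `nano`; a CA image should carry only the tooling needed to hold and use the signing key. The separate `RUN chown -R root` and `RUN chmod 644` layers on one file can be collapsed, and the `/bin/hold.sh` referenced by `CMD` does not appear in the lines shown.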
diff --git a/19_yubi/GIT_SSH.md b/19_yubi/GIT_SSH.md new file mode 100644 index 0000000..2d3e1c8 --- /dev/null +++ b/19_yubi/GIT_SSH.md @@ -0,0 +1,23 @@ +# GIT SSH + +Goto [git-server/README.md](./git-server/README.md) and install a local server. + +TODO: + +* gitea rsa key has to be 3072 key length + +## User SSH key + +```sh +# copy thumbprint +LIBYKCS11_PATH=$(realpath /usr/local/lib/libykcs11.dylib) +LIBYKCS11_PATH=/home/linuxbrew/.linuxbrew/lib/libykcs11.so + +# copy the key to gitea +ssh-keygen -D ${LIBYKCS11_PATH} -e | grep Signature +``` + + +## Resources + +* SSH key cannot be verified due to 2047 lengt [here](https://github.com/go-gitea/gitea/issues/20249) diff --git a/19_yubi/SSH_CERTIFICATES.md b/19_yubi/SSH_CERTIFICATES.md new file mode 100644 index 0000000..18d90da --- /dev/null +++ b/19_yubi/SSH_CERTIFICATES.md 
@@ -0,0 +1,154 @@ +# SSH CERTIFICATES + +The `nginx` container is not available on the network. We use the `ssh` server to allow access. + +PIV - Personal Identity Verification - [What is PIV?](https://developers.yubico.com/PIV/) + +Ref: [08_SSH/README.md](../08_SSH/README.md) +Ref: [chrisguest75/docker_examples/39_ssh/README.md](https://github.com/chrisguest75/docker_examples/tree/master/39_ssh/README.md) + +NOTES: + +* We first generate a Certificate Authority +* "OpenSC is no longer required, since we now have a functional PKCS #11 module, namely ykcs11." [here](https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html) + +## Non-Apple SSL + +```sh +export PATH=$(brew --prefix openssh)/bin:$PATH +``` + +## Generate keys (non-yubi) + +```sh +# OpenSSH_8.6p1, LibreSSL 3.3.6 +ssh -V + +# create keys +mkdir -p ./ssh_server/keys +ssh-keygen -o -a 100 -t ed25519 -f ./ssh_server/keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./ssh_server/keys/id_rsa + +cat ./ssh_server/keys/id_ed25519.pub > ./ssh_server/keys/nonyubi_authorized_keys +cat ./ssh_server/keys/id_rsa.pub >> ./ssh_server/keys/nonyubi_authorized_keys + + +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_ed25519 -p 2822 root@0.0.0.0 +ssh -vvvv -o StrictHostKeyChecking=no -i ./ssh_server/keys/id_rsa -p 2822 root@0.0.0.0 +``` + +## Generate certificates + +NOTE: An occupied slot on the Yubikey PIV interface usually contains a private key, a public key and an X509 certificate. The key pair generate, the certificate generation and the certificate import are done using different actions in the right order. 
REF: [Key Generation](https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html) + +Slots [here](https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) + +```sh +ykman piv --help + +mkdir -p ./ssh_server/ca-keys +mkdir -p ./ssh_server/keys + +# -N means no passphrase +# -C means comment +ssh-keygen -N '' -C user-ca -f ./ssh_server/ca-keys/ca +sed 's/^/cert-authority /' ./ssh_server/ca-keys/ca.pub > ./ssh_server/ca-keys/authorized_keys + +# generate a key +yubico-piv-tool -a generate -s 9c -A RSA2048 --pin-policy=never --touch-policy=always -o ./ssh_server/keys/public.pem + +# ERROR: ED25519 requires YubiKey 5.7 or later +ykman piv keys generate --management-key 010203040506070801020304050607080102030405060708 --pin 123456 --algorithm ED25519 --touch-policy ALWAYS --format PEM 9c - + +# when doing this you have to touch the key +yubico-piv-tool -a selfsign-certificate -s 9c -S "/CN=SSH key/" -i ./ssh_server/keys/public.pem -o ./ssh_server/keys/cert.pem + +yubico-piv-tool -a import-certificate -s 9c -i ./ssh_server/keys/cert.pem + +#https://github.com/OpenSC/OpenSC/wiki/macOS-Quick-Start +opensc-tool --name +# the key needs pressing on 2nd PIN entry +pkcs11-tool --login --test +``` + +## Test + +YubiKey thumbprint + +```sh +ykman piv keys info 9c +ykman piv keys export --pin 123456 9c - + + + +mkdir -p ./ssh_server/keys +export PATH=$(brew --prefix openssh)/bin:$PATH + +# copy thumbprint +LIBYKCS11_PATH=$(realpath /usr/local/lib/libykcs11.dylib) +LIBYKCS11_PATH=/home/linuxbrew/.linuxbrew/lib/libykcs11.so + +ssh-keygen -D ${LIBYKCS11_PATH} -e | grep Signature > ./ssh_server/keys/yubi_authorized_keys +``` + +Start the SSH server. 
+ +```sh +docker compose -f ./docker-compose.ca.yubi.ssh.yaml up -d --build --force-recreate +``` + +Login with YubiKey + +```sh +ssh -vvvv -o StrictHostKeyChecking=no -I ${LIBYKCS11_PATH} -p 2822 root@0.0.0.0 + +# once in ssh shell curl against the nginx container +curl 172.16.238.64:80 + +# THIS DOES NOT WORK +ssh-add -s ${LIBYKCS11_PATH} +ssh-add -L +``` + +### 🧼 Cleanup + +```sh +# bring it down and delete the volume +docker compose -f ./docker-compose.ca.yubi.ssh.yaml down +``` + +### Debugging and troubleshooting + +```sh +docker compose -f ./docker-compose.ca.yubi.ssh.yaml exec -it sshserver /bin/bash + +# start ssh +rsyslogd +service ssh start +nano /etc/ssh/sshd_config +service ssh restart + +passwd +cat /root/.ssh/authorized_keys +cat /var/log/auth.log + +nano /root/.ssh/authorized_keys +#PasswordAuthentication yes +#PermitEmptyPasswords yes +#PermitRootLogin without-password +``` + +## Resources + +* Using SSH User Certificates with PIV keys [here](https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html) +* Method 2 - SSH using Yubikey and PIV [here](https://ultrabug.fr/en/Tech%20Blog/2017/2017-05-12-hardening-ssh-authentication-using-yubikey-22/) +* https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html +* Getting Started: SSH Authentication with a YubiKey as a Smart Card [here](https://developers.yubico.com/PIV/Guides/PIV_Walk-Through.html) +* Getting PIV-based SSH working on a YubiKey [here](https://eta.st/2021/03/06/yubikey-5-piv.html) +* yubikey-agent is a seamless ssh-agent for YubiKeys [here](https://github.com/FiloSottile/yubikey-agent) +* Using your Yubikey to store your SSH Key (RSA 4096) [here](https://dev.to/paulmicheli/using-your-yubikey-to-store-your-ssh-key-rsa-4096-3pfl) +* OpenSC [repo](https://github.com/OpenSC/OpenSC/wiki) +* Yubikey PIV Certificate Slot Configuration [here](https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration) +* Yubico PIV Tool 
[here](https://developers.yubico.com/yubico-piv-tool/) +* If you’re not using SSH certificates you’re doing SSH wrong [here](https://smallstep.com/blog/use-ssh-certificates/) +* https://debugging.works/blog/yubikey-cheatsheet/ \ No newline at end of file diff --git a/19_yubi/SUBKEYS.md b/19_yubi/SUBKEYS.md new file mode 100644 index 0000000..2a29082 --- /dev/null +++ b/19_yubi/SUBKEYS.md @@ -0,0 +1,95 @@ +# README + +TODO: + +- signing versus encryption versus authentication +- create a master key on yubikey + +https://github.com/drduh/YubiKey-Guide#sub-keys + + +## Generate + +```sh +mkdir -p ./keys +ssh-keygen -o -a 100 -t ed25519 -f ./keys/id_ed25519 +ssh-keygen -o -a 100 -t rsa -f ./keys/id_rsa +``` + +## Decode + +```sh +openssl asn1parse -in ./keys/id_ed25519 +/usr/local/Cellar/openssl@3/3.0.5/bin/openssl asn1parse -strictpem -in ./keys/id_ed25519 --help +``` + +## Alice + +Build and run the container + +```sh +# Build +docker build -t alice -f Dockerfile.alice . + +# run alice +docker run -it --entrypoint /bin/sh alice +``` + +```sh +# Batch it instead of `gpg --full-generate-key` +# NOTE: passphrase +cat >key-settings <
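Review bot: in 19_yubi/GIT_SSH.md `LIBYKCS11_PATH` is assigned twice in a row, so the macOS `libykcs11.dylib` value is always overwritten by the linuxbrew `libykcs11.so` path; choose one per platform (for example on `uname`) or comment out the one that does not apply. The comment `# copy thumbprint` is misleading: `ssh-keygen -D ${LIBYKCS11_PATH} -e` prints the public keys exposed by the PKCS#11 module and `grep Signature` keeps the entry labelled for the Digital Signature slot, so what gets pasted into Gitea is the public key, not a fingerprint. Also "lengt" in Resources should be "length", and the TODO about the 3072-bit RSA requirement could point at the gitea issue listed directly below it.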
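Review bot: in 19_yubi/SSH_CERTIFICATES.md a CA key is created with `ssh-keygen -N '' -C user-ca -f ./ssh_server/ca-keys/ca` and a `cert-authority` authorized_keys line is written, but the YubiKey public key is never signed with that CA and the login path uses `yubi_authorized_keys`, which holds the raw public key, so the page still exercises key authentication rather than certificates; the missing step is signing the exported key with the CA (`ssh-keygen -s ./ssh_server/ca-keys/ca` with an identity, principal and validity period) and presenting the resulting `-cert.pub`. The CA private key is created without a passphrase and no `.gitignore` for `ca-keys` appears in this change. The PIV commands pass the default management key `010203040506070801020304050607080102030405060708` and PIN `123456` on the command line and generate the 9c key with `--pin-policy=never`, which means the key that logs in as root can be used with a touch and no PIN; state that these are factory defaults to be changed and prefer a PIN policy of ONCE or ALWAYS for an authentication key. Smaller points: `-o StrictHostKeyChecking=no` again disables host verification; the "Non-Apple SSL" heading is about the Homebrew OpenSSH binary, not SSL; "# THIS DOES NOT WORK" for `ssh-add -s` should say what fails; the Cleanup comment promises to delete the volume but `docker compose down` has no `-v`; and the Yubico SSH_user_certificates guide is listed twice in Resources.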
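Review bot: in 19_yubi/SUBKEYS.md the Decode section runs `openssl asn1parse -in ./keys/id_ed25519`, but keys written by `ssh-keygen -o` use the `openssh-key-v1` container (`BEGIN OPENSSH PRIVATE KEY`), which is not ASN.1, so asn1parse will not decode them; if the goal is to inspect structure, export the public key in a PEM format first or use `ssh-keygen -l` for fingerprints, and drop the second line with the hard-coded `/usr/local/Cellar/openssl@3/3.0.5/bin/openssl` path and trailing `--help`, which reads as leftover experimentation. The file's heading is `# README` rather than its topic, and the batch heredoc `cat >key-settings <` is cut off in this diff; given the `# NOTE: passphrase` comment above it, confirm that the committed version does not carry a real passphrase in clear and that `key-settings` is ignored by git.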