This certificate and its associated private key is used for digital signatures for the purpose of document signing, or signing files and executables. The following template has been configured for Digital Signatures in mind.
Copy C:\Program Files\Common Files\SSL\piv_name_9c.cnf
Copy oid_section = yubikey_oids
[ yubikey_oids ]
nameDistinguisher = 0.2.262.1.10.7.20
adobeSigning = 1.2.840.113583.1.1.5
adobeDigitcert = 2.16.840.1.114412.3.21
msofficeSigning = 1.3.6.1.4.1.311.10.3.12
msDocSigning = 1.3.6.1.4.1.311.3.10.3.12
docuEncrypt = 1.3.6.1.4.1.311.80.1
adobex509 = 1.2.840.113583.1.1.9
msAuthenticode = 1.3.6.1.4.1.311.2
msTimestamping = 1.3.6.1.4.1.311.3
gpgUsageSign = 1.3.6.1.4.1.11591.2.6.2
gpgUsageEncr = 1.3.6.1.4.1.11591.2.6.3
[ req ]
default_bits = 2048
default_keyfile = piv_sign_9c.pem
default_md = sha256
distinguished_name = yubikey_dn
x509_extensions = yubikey_ext
req_extensions = yubikey_ext
string_mask = MASK:0x2002
utf8 = yes
prompt = no
[ yubikey_dn ]
0.C = NA
1.S = NA
2.L = NA
3.O = Organization
4.OU = Organization Unit
5.CN = Your Common Name
6.emailAddress = email@address.com
7.GN = Your Given Name
8.title = Cert Title
9.description = Description about Cert
10.initials = ABC
11.serialNumber = 1234
[ sans ]
DNS.0 = localhost
DNS.1 = myexampleclient.com
[ yubikey_ext ]
basicConstraints = CA:false,pathlen:0
nsCertType = objsign, objCA
nsComment = "PIV Signature 9C"
subjectAltName = @sans
extendedKeyUsage = critical,codeSigning, timeStamping, msCodeInd, msCodeCom, msCTLSign, OCSPSigning, adobeSigning, adobeDigitcert, msofficeSigning, msDocSigning, docuEncrypt, adobex509, msAuthenticode, msTimestamping, gpgUsageSign, gpgUsageEncr
keyUsage = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign