slot_9c.cnf

OpenSSL config template for the YubiKey PIV 9C slot (Digital Signature).

The template below is just an example of how you can populate slot 9C. You can populate your PIV slots with whatever you deem appropriate.

This certificate and its associated private key are used for digital signatures, e.g. signing documents, files and executables. The template below has been configured with digital signatures in mind.

CREATE FILE

C:\Program Files\Common Files\SSL\piv_name_9c.cnf

EXAMPLE CONFIG

# Register the private OIDs defined in [ yubikey_oids ] so they can be used
# by name in extendedKeyUsage. This key must stay in the unnamed default
# section, i.e. above the first [section] header.
oid_section = yubikey_oids

[ yubikey_oids ]
# Private OID aliases referenced by name from the extendedKeyUsage line in
# [ yubikey_ext ]. OpenSSL does not validate these dotted numbers; check each
# one against the owning vendor's registry before relying on it.

# Adobe (Acrobat / Reader) related identifiers
adobeSigning = 1.2.840.113583.1.1.5
adobex509 = 1.2.840.113583.1.1.9
# NOTE(review): the 2.16.840.1.114412 arc is not Adobe's own; the alias name
# suggests a third-party Adobe signing profile - confirm the intended OID.
adobeDigitcert = 2.16.840.1.114412.3.21

# Microsoft identifiers
msofficeSigning = 1.3.6.1.4.1.311.10.3.12
# NOTE(review): differs from msofficeSigning only by an inserted ".3." arc and
# looks like a transcription variant of the same OID - verify before use.
msDocSigning = 1.3.6.1.4.1.311.3.10.3.12
docuEncrypt = 1.3.6.1.4.1.311.80.1
# NOTE(review): these two are short arcs rather than leaf EKU identifiers;
# confirm they are the values the consuming software expects.
msAuthenticode = 1.3.6.1.4.1.311.2
msTimestamping = 1.3.6.1.4.1.311.3

# GnuPG usage identifiers
gpgUsageSign = 1.3.6.1.4.1.11591.2.6.2
gpgUsageEncr = 1.3.6.1.4.1.11591.2.6.3

# Defined but not referenced anywhere else in this template.
nameDistinguisher = 0.2.262.1.10.7.20

[ req ]
# Settings consumed by "openssl req" when building the CSR or a self-signed
# certificate for slot 9C.

# Key size used only when openssl itself generates the key (-new / -newkey).
default_bits = 2048
# Host-side key file for that same case. When the key is generated on the
# YubiKey (the usual PIV workflow, key never leaves the token) this is unused.
default_keyfile = piv_sign_9c.pem
default_md = sha256
# Subject values are taken from [ yubikey_dn ].
distinguished_name = yubikey_dn
# One extension section serves both self-signed output (-x509) and CSRs.
x509_extensions = yubikey_ext
req_extensions = yubikey_ext
# Permitted DN string types: 0x2000 (UTF8String) | 0x0002 (PrintableString).
string_mask = MASK:0x2002
utf8 = yes
# Non-interactive: no prompting, the DN section is used verbatim.
prompt = no

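[ yubikey_dn ]
# Subject DN, used verbatim because prompt = no in [ req ]. The numeric
# prefixes ("0.", "1.", ...) only keep the keys unique and fix their order;
# they need not be contiguous, so an unwanted attribute can simply be deleted.

# ISO 3166-1 alpha-2 country code, exactly two letters. The previous filler
# "NA" is the code for Namibia, not "not applicable" - use a real code or
# delete the line. (US is a sample value.)
0.C = US
# OpenSSL registers stateOrProvinceName under the short name ST; "S" is the
# Windows-style abbreviation and is not guaranteed to be accepted.
1.ST = Your State
2.L = Your City
3.O = Organization
4.OU = Organization Unit
5.CN = Your Common Name
# RFC 5280 prefers an rfc822Name subjectAltName over emailAddress in the DN;
# kept here because the [ sans ] section of this template has no email entry.
6.emailAddress = email@address.com
7.GN = Your Given Name
8.title = Cert Title
9.description = Description about Cert
10.initials = ABC
# X.520 serialNumber attribute of the subject (a personnel or device number),
# not the certificate serial number, which the issuer assigns.
11.serialNumber = 1234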

[ sans ]
# Target of "subjectAltName = @sans" in [ yubikey_ext ]. The DNS names are
# example placeholders; a document- or code-signing certificate for a person
# is not tied to a host name, so review whether DNS entries belong here at all.
DNS.0 = localhost
DNS.1 = myexampleclient.com

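[ yubikey_ext ]
# X.509v3 extensions for the 9C signing certificate. Applied to CSRs
# (req_extensions) and to self-signed output (x509_extensions).

# End-entity certificate. pathlen was dropped: RFC 5280 4.2.1.9 gives
# pathLenConstraint meaning only when cA is TRUE, and strict validators
# reject it on a leaf.
basicConstraints = CA:false
# Legacy Netscape type. objCA (object-signing CA) was dropped because it
# contradicts CA:false above.
nsCertType = objsign
nsComment = "PIV Signature 9C"
subjectAltName = @sans
# Signing-only purposes. The encryption purposes (docuEncrypt, gpgUsageEncr)
# were removed so the EKU list matches the key usage below; encryption keys
# belong in a separate slot (PIV 9D, key management), not the 9C signing key.
# NOTE(review): timeStamping and OCSPSigning mark a TSA / OCSP responder key;
# keep them only if this certificate really serves those roles.
extendedKeyUsage = critical, codeSigning, timeStamping, msCodeInd, msCodeCom, msCTLSign, OCSPSigning, adobeSigning, adobeDigitcert, msofficeSigning, msDocSigning, adobex509, msAuthenticode, msTimestamping, gpgUsageSign
# Signature bits only. keyCertSign and cRLSign require cA=TRUE
# (RFC 5280 4.2.1.3) and were removed; keyEncipherment, dataEncipherment and
# keyAgreement describe an encryption key and were removed for the same
# key-separation reason as the EKU change above.
keyUsage = critical, digitalSignature, nonRepudiation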
