⭕4. Certificates
This section explains how certificates in the PIV module are loaded and utilized.
Last updated
This section explains how certificates in the PIV module are loaded and utilized.
Last updated
This section explains the basics of how these features work, in-depth tutorials will be provided elsewhere for doing things like setting up Bitlocker, SSH, etc.
The main job of the PIV module on your Yubikey is to store PIV certificates. These certificates will give you access to do certain things.
In Yubikey Manager, select Applications and then PIV:
You will be shown an interface which gives you access to 4 main slots:
This certificate and its associated private key is used to authenticate the card and the cardholder. This slot is used for things like system login, SSH authentication, etc.
This certificate and its associated private key is used for digital signatures for the purpose of document signing, or signing files and executables
This certificate and its associated private key is used for encryption for the purpose of confidentiality. This slot is used for things like encrypting e-mails or files.
This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. It is also the slot used for Bitlocker encryption.
Each slot you click on gives you the same interface, with buttons to Generate, Import, Export, and Delete.
Each slot of the Yubikey's PIV module stores a certificate.
A certificate has two parts, the certificate itself, and a private / public keypair.
The certificate contains the public key and additional information such as issuer, what the certificate is supposed to be used for, and other types of metadata.
The private key stays on your Yubikey.
The unique security feature about the Yubikey is that if you generate a certificate on the Yubikey using the Generate button, the private keys CANNOT be exported. Only the Yubikey you generated the keys on will have the private key associated to that certificate.
The Generate button does just that; it generates a new x509 certificate on your Yubikey for the slot you have selected. You can then select Export, and save the certificate somewhere on your computer in .pem or .crt format.
If you wish to generate your private / public keypair and actually have a copy of the private key that you can transfer between multiple Yubikeys, then you must generate it on the computer.
A few programs that can be used to generate the private / public keypair with the ability to export the private key:
To summarize:
If you generate the keypair on the Yubikey, you will be unable to export your private key.
If you generate the keypair using a program listed above, you will be able to export your private key and import it throughout multiple Yubikeys.
There will be tutorials in this guide on how to do things specifically. This is just a generalized explanation of how things work.
The import button allows you to import an already created certificate + keypair.
You can import files in the formats: .pem, .der, .pfx, .p12, .key, .crt
The export button allows you to export an already generated certificate + public key that is on the Yubikey.
You can export to the formats: .pem, .crt
The delete button does what you think it does. It deletes the certificate from a Yubikey PIV slot. It will be no more. You will have to generate a new certificate, or import your certificate back onto your Yubikey if you have a backup.
