# 4. Certificates

{% hint style="info" %}
This section explains the basics of how these features work; in-depth tutorials for things like setting up BitLocker, SSH, etc. will be provided elsewhere in this guide.
{% endhint %}

The main job of the PIV module on your Yubikey is to store PIV certificates. These certificates, together with the private keys that belong to them, are what let you perform operations such as logging in, signing, and decrypting.

## <mark style="color:red;">❊ Slots</mark>

In Yubikey Manager, select <mark style="color:red;">**Applications**</mark> and then <mark style="color:red;">**PIV**</mark>:

<figure><img src="https://4238369593-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqj0swE9RiXnBGKcxMY3V%2Fuploads%2FxfZotkxSYfMwF3cRDLIY%2Fanim_piv.gif?alt=media&#x26;token=645b71fd-e07f-4b8d-a6c9-3c73c075ab4d" alt=""><figcaption></figcaption></figure>

You will be shown an interface which gives you access to 4 main slots:

<figure><img src="https://4238369593-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqj0swE9RiXnBGKcxMY3V%2Fuploads%2FyihvgLrsHwFRiEns56fB%2Fpiv_certs.png?alt=media&#x26;token=c7c5aeae-5f75-45c7-8ac8-dbb1f08c7d46" alt=""><figcaption></figcaption></figure>

<table><thead><tr><th width="251.33333333333331">Name</th><th width="74">Slot</th><th>Description</th></tr></thead><tbody><tr><td><a href="../slots/9a"><strong>Authentication</strong></a></td><td><a href="../slots/9a">9A</a></td><td>This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for things like system login, SSH authentication, etc.</td></tr><tr><td><a href="../slots/9c"><strong>Digital Signature</strong></a></td><td><a href="../slots/9c">9C</a></td><td>This certificate and its associated private key are used for digital signatures, such as signing documents, files, and executables.</td></tr><tr><td><a href="../slots/9d"><strong>Key Management</strong></a></td><td><a href="../slots/9d">9D</a></td><td>This certificate and its associated private key are used for encryption for the purpose of confidentiality. This slot is used for things like encrypting e-mails or files.</td></tr><tr><td><a href="../slots/9e"><strong>Card Authentication</strong></a></td><td><a href="../slots/9e">9E</a></td><td>This certificate and its associated private key are used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. It is also the slot used for BitLocker encryption.</td></tr></tbody></table>

Each slot you click on gives you the same interface, with buttons to **Generate**, **Import**, **Export**, and **Delete**.

## <mark style="color:red;">❊ Generate</mark>

Each slot of the Yubikey's PIV module stores a certificate.

A <mark style="color:red;">**certificate**</mark> has two parts, the <mark style="color:green;">**certificate**</mark> itself, and a <mark style="color:green;">**private / public keypair**</mark>.

The certificate contains the public key and additional information such as issuer, what the certificate is supposed to be used for, and other types of metadata.

The private key stays on your Yubikey.

The key security property of the Yubikey is that if you generate a certificate on the Yubikey using the **Generate** button, the private key CANNOT be exported. Only the Yubikey you generated the key on will ever hold the private key associated with that certificate.

The <mark style="color:red;">**Generate**</mark> button does just that; it generates a new keypair and X.509 certificate on your Yubikey for the slot you have selected. You can then select **Export** and save the certificate (which contains only the public key) somewhere on your computer in .pem or .crt format.

If you wish to generate your private / public keypair and actually have a copy of the private key that you can transfer between multiple Yubikeys, then you must generate it on the computer.

A few programs that can be used to generate the private / public keypair with the ability to export the private key:

<table><thead><tr><th width="226"></th><th></th></tr></thead><tbody><tr><td><mark style="color:red;"><strong>XCA</strong></mark></td><td><a href="https://hohnstaedt.de/xca/index.php/download">https://hohnstaedt.de/xca/index.php/download</a></td></tr><tr><td><mark style="color:red;"><strong>OpenSSL</strong></mark></td><td><a href="https://www.openssl.org/source/">https://www.openssl.org/source/</a></td></tr></tbody></table>

**To summarize:**

If you generate the keypair on the Yubikey, <mark style="color:red;">**you will be unable**</mark> to export your private key.

If you generate the keypair using a program listed above, <mark style="color:green;">**you will be able**</mark> to export your private key and import it throughout multiple Yubikeys.

There will be tutorials in this guide on how to do things specifically. This is just a generalized explanation of how things work.

## <mark style="color:red;">❊ Import</mark>

The import button allows you to import an already created certificate and/or its keypair into the selected slot.

You can import files in the formats: .pem, .der, .pfx, .p12, .key, .crt
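The following is an added example, not part of this guide or of Yubikey Manager, showing the "generate on the computer" path described above with OpenSSL (one of the two programs listed): it creates a P-256 keypair and a self-signed X.509 certificate, checks that the certificate really carries the public half of that key, and then writes the same material in the .p12 and .der formats that the import button accepts. The working directory, subject name, and password are constructed placeholders; the only assumption is that `openssl` and `mktemp` are on the path.

```shell
#!/bin/sh
# Added example (not from the guide): generate a keypair and certificate on the
# computer with OpenSSL, verify them, and convert to the importable formats.
set -eu

# Scratch directory for the demo files (assumption: mktemp -d is available).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a P-256 private key on the computer. Unlike a key generated on the
# Yubikey itself, this file IS the private key: it can be imported into several
# Yubikeys, so it must be stored and later wiped with care.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORKDIR/key.pem" 2>/dev/null
}

# Wrap the public half of that key in a self-signed X.509 certificate.
# The subject name is a constructed placeholder.
gen_cert() {
    openssl req -new -x509 -key "$WORKDIR/key.pem" -days 365 \
        -subj "/CN=Example PIV Authentication" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Return 0 only if the certificate's public key is the public half of the
# private key. Run this before importing, and again on a certificate exported
# from the Yubikey to confirm it belongs to the key you expect.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Bundle key + certificate into one password-protected .p12/.pfx file,
# one of the import formats the guide lists. $1 is the bundle password.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.pem" \
        -out "$WORKDIR/bundle.p12" -passout "pass:$1" 2>/dev/null
}

# Convert the PEM certificate to binary DER (.der), another listed format.
to_der() {
    openssl x509 -in "$WORKDIR/cert.pem" -outform DER \
        -out "$WORKDIR/cert.der" 2>/dev/null
}

# Print how many certificates the .p12 bundle contains (expected: 1).
p12_cert_count() {
    openssl pkcs12 -in "$WORKDIR/bundle.p12" -passin "pass:$1" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    gen_key && gen_cert
    key_matches_cert "$WORKDIR/key.pem" "$WORKDIR/cert.pem" \
        && echo "key.pem and cert.pem belong together"
    bundle_p12 "demo-password" && to_der
    ls -l "$WORKDIR"
}

main
```

The match check compares the SubjectPublicKeyInfo that OpenSSL prints for the private key with the one embedded in the certificate; if they differ, the certificate was issued for some other key and importing the pair would leave the slot unusable.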

## <mark style="color:red;">❊ Export</mark>

The export button allows you to export an already generated certificate + public key that is on the Yubikey.

You can export to the formats: .pem, .crt

## <mark style="color:red;">❊ Delete</mark>

The delete button does what you think it does. It deletes the certificate from a Yubikey PIV slot. It will be no more. You will have to generate a new certificate, or import your certificate back onto your Yubikey if you have a backup.
