9C
PIV: Digital Signature
This certificate and its associated private key are used for digital signatures: signing documents, files and executables. The main purpose of the slot 9C key is signing documents or programs with a digital signature.
PIN POLICY: The PIN must be submitted every time, immediately before a sign operation; it is not cached or remembered. The PIN policy for a slot can only be changed if the PIV certificate is imported using the ykman command line.
The instructions on this page are used for the tutorial.
In the code below, you may edit the values in the [ yubikey_dn ] section and specify your own values. For a list of references explaining the abbreviations used there, please review the Distinguished Name list.
Copy the following config file to C:\Program Files\Common Files\SSL\piv_slot_9c.cnf
If you are creating a PIV certificate specifically for Digital Signatures, don't change anything in the [ yubikey_extensions ] block.
In the commands below, make sure to change the filenames and parameters to your own. In our examples, we like to name the files after the slot we're going to import them into on the YubiKey, such as piv_name_9c_priv:
Priv = Private key
Pub = Public key
9C = the YubiKey PIV slot we'll be importing our certificate into.
Before getting started, create a new folder where you will run all these commands, and set up the following structure by creating the following files all in the same directory:
An OpenSSL cert + private key can be generated using the following command:
-new
Generates new certificate request. Prompts user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in config file.
If the -key option is not used, a new RSA private key is generated using the information specified in the configuration file.
-x509
Outputs a self-signed certificate instead of a certificate request. Unless specified using the set_serial option, a large random number is used for the serial number. If an existing request is specified with the -in option, it is converted to the self-signed certificate; otherwise a new request is created.
-sha256
Specifies the digest to sign the request with (alternatives include -md5 and -sha1). Some public key algorithms may override this choice; for example, DSA signatures always use SHA1.
-days
Requires -x509. Specifies the number of days to certify for. The default is 30 days.
-config
Loads an alternative config. Overrides the compile-time filename or any specified in the OPENSSL_CONF environment variable.
-keyout
Gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.
-out
The output filename to write to or standard output by default.
Merge your new private key and certificate together into a .pfx file. You will be prompted to provide a passphrase, which is required to open the file.
Keep this file safe and away from others.
-export
Specifies that a PKCS#12 file will be created rather than parsed.
-in
Filename to read certificates and private keys from. Must all be in PEM format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file.
-inkey
File to read private key from. If not present then a private key must be present in the input file.
-out
Specifies filename to write the PKCS#12 file to. Standard output is used by default.
-in
This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
-nodes
Stands for "No DES": don't encrypt the private keys at all.
-out
The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
You can skip the steps for Create Private Key; this was done in the first command. These are here in case you need to create more.
The following can generate a private encrypted key from your PFX file.
-in
This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
-out
The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
-nocerts
No certificates at all will be output.
To generate your OpenSSH key, you must ensure that the permissions on your pem file are properly set. This means that you must right-click on this file, go to the Security tab, and make sure Inheritance is disabled.
-y
This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
-f
Specifies the filename of the key file.
Export a private RSA key which can be used for connecting to SSH via FileZilla:
Export public cert / key (PEM):
-in
This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
-out
The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
-nokeys
No private keys will be output.
-clcerts
Only output client certificates (not CA certificates).
Export public key (RSA):
Type certmgr.msc
Navigate to Certificates -> Current User -> Personal -> Certificates
In the white space, right-click and select All Tasks -> Import.
For Store Location select Current User and click Next.
Select the Browse button.
In the bottom right corner, click the dropdown, select Personal Information Exchange (*.pfx;*.p12), and select your recently exported piv_name_9c_priv.pfx
Select Next:
Enter the password you defined when you exported your PFX file with the openssl command.
Select Mark this key as exportable if you want to do a final export from the User Certificates list. If you do not select this option, you will not be able to export it later if you lose your openssl copies.
On the next window, it will ask where you wish to import the certificate to. You will need to import twice, to both of the following locations:
Certificates -> Current User -> Personal -> Certificates
Certificates -> Current User -> Trusted Root Certification Authorities -> Certificates
You must place your certificate in the Trusted Root Certification Authorities folder if you wish to sign code using PowerShell's Set-AuthenticodeSignature command.
Once you've completed the import, click Yes and you will finish the import:
You will need to go through the import process again to install your certificate in the other specified folders from above.
After completing the above steps, you should have the following files. You may delete the files you do not want, but ensure you leave at least one private key, one public key, and the certificate. Also leave the OpenSSH public key if you wish to use this PIV slot to authenticate with SSH.
piv_name_9c_priv.pfx: Private key + certificate (password protected)
piv_name_9c_priv.pem: Private encrypted key + certificate
piv_name_9c_priv.key: Private encrypted key only
piv_name_9c_pub.pem: Public certificate (PEM format)
piv_name_9c_pub.crt: Public certificate
piv_name_9c_openssh.pub: Public OpenSSH key
Launch YubiKey Manager
Select Applications -> PIV
Select Configure Certificates
Select the .pfx file that you exported from OpenSSL and select Import.
You will be prompted to enter the password you provided when you first created your .pfx certificate:
You'll be asked for your Management Key.
Your PIV certificate should now be imported into your Digital Signature (9C) slot.
You do not have to follow these steps if you've already imported your PIV certificate using the YubiKey Manager.
Open a command prompt, terminal, or PowerShell.
Execute the following command, changing the path to where your PIV .pfx certificate is located:
You will be prompted for your .pfx password and your management key.
You now have a PIV certificate stored on your YubiKey in slot 9C. You can sign code or files with this certificate.
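Putting the command-line path on this page together, as an added example that is not the page's own script: a POSIX shell script that writes a stand-in piv_slot_9c.cnf, creates the key, certificate and PFX, extracts the private key, public certificate and OpenSSH public key, checks that the certificate is actually marked for digital signatures before it goes into 9C, and shows the ykman import. The config contents, DN values, sample passphrase and the ykman invocation are assumptions, since the page does not show them.

```shell
# Added example, not the page's own script. DN values, the extensions block,
# and the passphrase below are constructed placeholders; replace them.
set -eu
NAME="${NAME:-piv_name}"            # files are named after the target slot, as the page does
PFX_PASS="${PFX_PASS:-changeit}"    # constructed sample passphrase; use a real one
write_config() {   # stand-in for piv_slot_9c.cnf; edit [ yubikey_dn ], leave [ yubikey_extensions ]
cat > piv_slot_9c.cnf <<'EOF'
[ req ]
distinguished_name = yubikey_dn
x509_extensions    = yubikey_extensions
prompt             = no
[ yubikey_dn ]
CN = Example Signer
O  = Example Org
C  = US
[ yubikey_extensions ]
keyUsage         = critical, digitalSignature, nonRepudiation
extendedKeyUsage = codeSigning
EOF
}
make_files() {
  write_config
  # self-signed certificate plus a fresh RSA key (-nodes: the key file is not encrypted)
  openssl req -new -x509 -sha256 -days 365 -nodes -config piv_slot_9c.cnf \
    -keyout "${NAME}_9c_priv.pem" -out "${NAME}_9c_pub.crt"
  # bundle key + certificate into the PFX that certmgr.msc and the YubiKey import
  openssl pkcs12 -export -in "${NAME}_9c_pub.crt" -inkey "${NAME}_9c_priv.pem" \
    -out "${NAME}_9c_priv.pfx" -passout "pass:${PFX_PASS}"
  # private key only (-nocerts) and public certificate only (-nokeys -clcerts)
  openssl pkcs12 -in "${NAME}_9c_priv.pfx" -nocerts -nodes \
    -passin "pass:${PFX_PASS}" -out "${NAME}_9c_priv.key"
  openssl pkcs12 -in "${NAME}_9c_priv.pfx" -nokeys -clcerts \
    -passin "pass:${PFX_PASS}" -out "${NAME}_9c_pub.pem"
  chmod 600 "${NAME}_9c_priv.key"
  # OpenSSH public key derived from the private key (-y prints it to stdout)
  ssh-keygen -y -f "${NAME}_9c_priv.key" > "${NAME}_9c_openssh.pub"
}
# returns 0 only if the certificate carries the Digital Signature key usage slot 9C is meant for
check_signing_usage() {
  openssl x509 -in "$1" -noout -text | grep -A1 "Key Usage" | grep -q "Digital Signature"
}
# Load the bundle into slot 9C (assumed ykman 4+ syntax; needs a YubiKey and prompts
# for the PFX password and management key, so it is not run automatically here).
import_to_9c() {
  ykman piv keys import --pin-policy ALWAYS 9c "${NAME}_9c_priv.pfx"
  ykman piv certificates import 9c "${NAME}_9c_priv.pfx"
}
```

Run make_files in an empty directory, then check_signing_usage piv_name_9c_pub.crt before calling import_to_9c.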