# 9E This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The main purpose of the slot 9E key is for physical access to restricted areas. {% hint style="info" %} **PIN POLICY:**\ \ PIN is not required.\ PIN policy can only be changed for a slot if PIV certificate imported using ykman command-line. {% endhint %} {% hint style="info" %} The instructions on this page are used for the tutorials ![](https://4238369593-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqj0swE9RiXnBGKcxMY3V%2Fuploads%2Fy8eADDDxBD8nZlyw8MMc%2Flink_1.png?alt=media\&token=0eefc560-f6f2-464e-9a58-8d86df1fca61) [**Bitlocker**](https://app.gitbook.com/s/FqFACNHWgp8HSNubDNCu/tutorials/bitlocker) and ![](https://4238369593-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqj0swE9RiXnBGKcxMY3V%2Fuploads%2Fy8eADDDxBD8nZlyw8MMc%2Flink_1.png?alt=media\&token=0eefc560-f6f2-464e-9a58-8d86df1fca61) [**EFS**](https://app.gitbook.com/s/FqFACNHWgp8HSNubDNCu/tutorials/efs) {% endhint %} The difference between using slot 9D and 9E for encryption is that each slot has different PIN policies in place. You can manually change the pin policies for a slot if you import the PIV certificate using ykman. Currently, the Yubikey Manager does not allow PIN policies to be modified.

SLOT	PIN Policy
`9D`	The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent.
`9E`	The end user PIN is NOT required to perform private key operations for this slot.

To create a certificate to populate this slot, view the [**Bitlocker tutorial**](https://yubico.gitbook.io/yubikey5/piv-1/slots/broken-reference). ## ❊ Distinguished Name Values In the code below, you may edit the values in the **`[ yubikey_dn ]`** section and specify your own values. For a list of references about the abbresviations below, please review the ![](https://4238369593-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqj0swE9RiXnBGKcxMY3V%2Fuploads%2Fy8eADDDxBD8nZlyw8MMc%2Flink_1.png?alt=media\&token=0eefc560-f6f2-464e-9a58-8d86df1fca61) [**Distinguished Name**](https://yubico.gitbook.io/yubikey5/piv-1/generate/with-openssl/distinguished_name) list. ## ❊ Create OpenSSL Config Copy the following config file to \ `C:\Program Files\Common Files\SSL\piv_slot_9e.cnf` ```properties oid_section = yubikey_oids [ yubikey_oids ] nameDistinguisher = 0.2.262.1.10.7.20 msEFSR = 1.3.6.1.4.1.311.10.3.4.1 msEFSRecovery = 1.3.6.1.4.1.311.21.6 driveEncryption = 1.3.6.1.4.1.311.67.1.1 driveRecovery = 1.3.6.1.4.1.311.67.1.2 [ req ] default_bits = 2048 default_keyfile = piv_sign_9e.pem default_md = sha256 distinguished_name = yubikey_dn x509_extensions = yubikey_ext req_extensions = yubikey_ext string_mask = MASK:0x2002 utf8 = yes prompt = no [ yubikey_dn ] 0.C = NA 1.S = NA 2.L = NA 3.O = Organization 4.OU = Organization Unit 5.CN = Your Common Name 6.emailAddress = email@address.com 7.GN = Your Given Name 8.title = Cert Title 9.description = Description about Cert 10.initials = ABC 11.serialNumber = 1234 [ sans ] DNS.0 = localhost DNS.1 = myexampleclient.com [ yubikey_ext ] basicConstraints = CA:false,pathlen:0 nsCertType = objsign, objCA nsComment = "PIV Card Authentication 9E" subjectAltName = @sans extendedKeyUsage = critical,msEFS, msEFSR, nsSGC, msEFSRecovery, driveEncryption, driveRecovery, msSmartcardLogin keyUsage = critical,keyEncipherment, dataEncipherment ``` {% hint style="warning" %} If you are creating a PIV certificate specifically for Digital Signatures, don't change anything in the **`[ yubikey_extensions ]`** block. {% endhint %} {% hint style="info" %} In the commands below, make sure to change the filenames and parameters to your own. In our examples, we like to name the files after the slot we're going to import them into on the yubikey such as `piv_name_9e_priv` `Priv` = Private key\ `Pub` = Public key\ \ **`9E`** signifies the Yubikey PIV slot we'll be importing our certificate into. {% endhint %} ## ❊ Setup Before getting started, create you a new folder where you will run all these commands and setup the following structure by creating the following files all in the same directory: * [📁](https://emojipedia.org/file-folder/) private * [📁](https://emojipedia.org/file-folder/) public * [📁](https://emojipedia.org/file-folder/) openssh ## ❊ Generate Key + Cert from Config An OpenSSL cert + private key can be generated using the following command:


`-new`	Generates new certificate request. Prompts user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in config file. If `-key` option not used, it will generate a new RSA private key using information specified in the configuration file.
`-x509`	Outputs self signed certificate instead of certificate request. Unless specified using the set_serial option, a large random number will be used for the serial number. If existing request is specified with the -in option, it is converted to the self signed certificate otherwise new request is created.
`-sha256`	Specifies digest to sign the request with (such as -md5, -sha1). Some public key algorithms may override this choice. Such as DSA signatures always use SHA1.
`-days`	Requires `-x509` . Specifies number of days to certify for. The default is 30 days.
`-config`	Load alternative config. Oerrides the compile time filename or any specified in the OPENSSL_CONF environment variable.
`-keyout`	Gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.
`-out`	The output filename to write to or standard output by default.

``` openssl req -new -x509 -sha256 -days 1825 -config "C:\Program Files\Common Files\SSL\piv_name_9e.cnf" -keyout "private/piv_name_9e_priv.key" -out "public/piv_name_9e_pub.crt" ``` ## ❊ Create PFX Merge your new private key and certificate together into a **`.pfx`** You will be prompted to provide a passphrase to execute the file. {% hint style="warning" %} Keep this file safe. and away from others. {% endhint %}


`-export`	Specifies that a PKCS#12 file will be created rather than parsed.
`-in`	Filename to read certificates and private keys from. Must all be in PEM format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file.
`-inkey`	File to read private key from. If not present then a private key must be present in the input file.
`-out`	Specifies filename to write the PKCS#12 file to. Standard output is used by default.

``` openssl pkcs12 -export -in "public/piv_name_9e_pub.crt" -inkey "private/piv_name_9e_priv.key" -out "private/piv_name_9e_priv.pfx" ``` ## ❊ Create Private + Cert (.PEM)


`-in`	This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
`-nodes`	Stands for "No DES" don't encrypt the private keys at all.
`-out`	The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.

{% tabs %} {% tab title="Encrypted" %} ``` openssl pkcs12 -in "private/piv_name_9e_priv.pfx" -aes-256-cbc -out "private/piv_name_9e_priv.pem" ``` {% endtab %} {% tab title="Unencrypted" %} ``` openssl pkcs12 -in "private/piv_name_9e_priv.pfx" -nodes -out "private/piv_name_9e_priv.pem" ``` {% endtab %} {% endtabs %} ## ❊ Create Private Key (.KEY) {% hint style="warning" %} You can skip the steps for **Create Private Key**, this was done in the first command. These are here in case you need to create more. {% endhint %} {% tabs %} {% tab title="Private | Encrypted" %} ## ❊ Create Private Key \[Encrypted] The following can generate a private **`encrypted`** key from your PFX file.


`-in`	This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
`-out`	The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
`-nocerts`	No certificates at all will be output.

``` openssl pkcs12 -in "private/piv_name_9e_priv.pfx" -nocerts -out "private/piv_name_9e_enc_priv.key" ``` {% endtab %} {% tab title="Private | Unencrypted" %} ## ❊ Create Private Key \[Not Encrypted] The following can generate a private **`unencrypted`** key from your PFX file.


`-in`	This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
`-out`	The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
`-nocerts`	No certificates at all will be output.
`-nodes`	Stands for "No DES" don't encrypt the private keys at all.

``` openssl pkcs12 -in "private/piv_name_9e_priv.pfx" -nocerts -nodes -out "private/piv_name_9e_unc_priv.key" ``` {% endtab %} {% endtabs %} ## ❊ Create OpenSSH (.PUB) To generate your OpenSSH key, you must ensure that the permissions on your pem file are properly set. This means that you must right-click on this file, go to the **`Security`** tab, and make sure **`Inheritance`** is disabled.


`-y`	This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
`-f`	Specifies the filename of the key file.

``` ssh-keygen -y -f "private/piv_name_9e_priv.pem" > "openssh/piv_name_9e_openssh.pub" ``` ## ❊ Create Private RSA (.PEM) Export private RSA key which can be used for connecting to SSH via **`Filezilla`**: ``` openssl rsa -in "private/piv_name_9e_priv.pem" -out "private/piv_name_9e_priv_rsa.pem" -outform PEM -traditional ``` ## ❊ Create Public Certificate (.PEM) Export public cert / key (PEM):


`-in`	This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.
`-out`	The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
`-nokeys`	No private keys will be output.
`-clcerts`	Only output client certificates (not CA certificates).

``` openssl pkcs12 -in "private/piv_name_9e_priv.pfx" -clcerts -nokeys -out "public/piv_name_9e_pub.pem" ``` ## ❊ Create Public Key Export public key (RSA): ``` openssl rsa -in "private/piv_name_9e_priv.pem" -pubout > "public/piv_name_9e_pub.pub" ```