Key Generation and Attestation with YubiKey
This article covers two tasks: generating a key pair and its attestation certificate on your YubiKey, and installing the certificate Sectigo issues back onto the YubiKey.
Note: The screenshots below are from Windows, but the procedures are almost identical on Linux and macOS; differences between platforms are noted where they occur. The Linux instructions refer to Ubuntu 19.10 with YubiKey Manager installed through apt-get (see Yubico's instructions at https://support.yubico.com/hc/en-us/articles/360016649039-Enabling-the-Yubico-PPA-on-Ubuntu for more information).
A Linux AppImage is also available from the YubiKey Manager download page. These instructions use Yubico's YubiKey Manager; other software that supports key pair generation and certificate installation on a YubiKey can be used instead by Windows users.
Contents
- Step 1: Generate Key Pair on YubiKey
- Step 2: Generate Attestation Certificate
- Step 3: Submit the request to Sectigo
- Step 4: Install Certificate in YubiKey
Step 1: Generate Key Pair on YubiKey
If you have not done so already, download and install YubiKey Manager from Yubico's website. Versions for Windows, Linux, and macOS are available:
https://www.yubico.com/support/download/yubikey-manager/
1-Plug in your YubiKey, then launch YubiKey Manager. Your YubiKey should be displayed in the YubiKey Manager window.
2-Navigate to Applications > PIV.
3-Click the Configure Certificates button.
Select the tab for the YubiKey slot where you would like to generate the key pair. If you are buying an EV code signing certificate, choose Authentication (slot 9a). For PDF document signing, choose Digital Signature (slot 9c). The slots differ in their PIN policies: 9a asks for the PIN once per session, while 9c asks for it on every signature. See Yubico's documentation (https://developers.yubico.com/PIV/Introduction/Certificate_slots.html) for more information on the various key slots and their intended functions. Here we are going to use slot 9a.
4-Click the Generate button.
5-Select Certificate Signing Request (CSR), then click the Next button.
6-Select an Algorithm from the drop-down menu. For code signing, choose ECCP256 or ECCP384.
Note: A code signing CSR cannot use RSA2048: RSA 2048 no longer meets the minimum key size required for publicly trusted code signing certificates, and it is the largest RSA size offered here. Make sure you select one of the ECC options in the drop-down.
7-Enter a Subject Name for the certificate, then click the Next button.
Note: The subject name is not used by Sectigo; it is only a byproduct of creating a new key pair. The details that end up in your certificate come from the enrollment form in Step 3, so it does not matter what you enter here.
8-Click the Generate button.
9-Select a location to save the CSR file, create a filename, then click the Save button.
10-Enter your YubiKey's management key, then click OK. If you have never changed it, the management key is still the factory default:
Default: 010203040506070801020304050607080102030405060708
11-Enter your YubiKey PIN, then click OK. If unchanged, the PIN is the factory default:
Default: 123456
Note: Anyone who knows the management key can import or overwrite keys and certificates on the YubiKey, and the PIN gates every signature. Before you use the device for code signing, change both from their defaults (YubiKey Manager: Applications > PIV > Configure PINs) and store the new management key somewhere safe; you will need it again in Step 4.
Step 2: Generate Attestation Certificate
Each YubiKey ships with a device-specific attestation key and certificate from Yubico, stored in PIV slot f9 and chained to Yubico's attestation CA. With them the YubiKey can issue an attestation certificate for a slot, which proves to Sectigo that the private key in that slot was generated on the device and never left it. This operation requires the command line.
- In Windows, open PowerShell as an administrator. macOS and Linux users should open a terminal window on their device.
- Change to the directory that holds the ykman command-line tool bundled with YubiKey Manager (the default installation locations are shown; adjust the path if you installed elsewhere):
- Windows:
cd "C:\Program Files\Yubico\YubiKey Manager"
- macOS:
cd "/Applications/YubiKey Manager.app/Contents/MacOS"
- On Linux (Ubuntu), the ykman command will already be installed in your PATH, so you can skip this step and run ykman from any directory.
- Generate an attestation certificate for the key with the command below (replace attestation.crt with the path and filename you want to use; if you used slot 9c, replace 9a with 9c):
- Windows:
.\ykman.exe piv keys attest 9a attestation.crt
- Linux (Ubuntu):
ykman piv keys attest 9a attestation.crt
- macOS:
./ykman piv keys attest 9a attestation.crt
- Next, use the ykman command to export the Yubico intermediate certificate from slot f9 of the YubiKey (replace intermediateCA.crt with the path and filename you want to use):
- Windows:
.\ykman.exe piv certificates export f9 intermediateCA.crt
- Linux (Ubuntu):
ykman piv certificates export f9 intermediateCA.crt
- macOS:
./ykman piv certificates export f9 intermediateCA.crt
Note: Run the command below to create an attestation.pem file that combines attestation.crt and intermediateCA.crt, attestation certificate first.
Windows (any shell):
type attestation.crt intermediateCA.crt > attestation.pem
Linux and macOS:
cat attestation.crt intermediateCA.crt > attestation.pem
Note: The attestation service expects the combined file as a bare base64 blob. Run the following commands to encode attestation.pem as a single base64 encoded file, attestation.b64.
Windows: Please run both commands. certutil -encode wraps its output in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines that must NOT be submitted, so findstr /v is used to drop them. Encode to a temporary file first: redirecting findstr's output back into the same file it reads from truncates that file to nothing before findstr has read it.
certutil -encode attestation.pem attestation.tmp
findstr /v CERTIFICATE attestation.tmp > attestation.b64
Linux and macOS: Please use the following command to encode the attestation file to base64 format:
base64 < attestation.pem > attestation.b64
Before moving on, open attestation.b64 and confirm it contains only base64 text (no -----BEGIN or -----END lines); if the enrollment form rejects line breaks in the blob, remove them with tr -d '\n'.
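The following script is an added example written for this article; it is not code from the Sectigo page or from Yubico. It strings the Step 2 command-line work together (the collect step needs a YubiKey and uses the ykman piv keys attest and ykman piv certificates export subcommands shown above) and, more usefully, checks the artifacts offline before you paste them into the form: that the CSR you are submitting carries the same public key the attestation certificate vouches for, that attestation.b64 has no PEM armour and decodes back to the two-certificate bundle, and optionally that the attestation chain verifies against Yubico's PIV attestation root (the root file name is an assumption; fetch it from Yubico's PIV attestation documentation). The demo mode generates constructed stand-in files with openssl so the checks can be exercised without hardware; those stand-ins are not real attestations.

```shell
#!/bin/sh
# Added example (not from the Sectigo page or Yubico). Needs ykman for
# "collect" and openssl for everything else. File names follow the article.
set -eu

# Step 2 on the command line: attest the key in SLOT (9a or 9c) and export
# the Yubico intermediate from slot f9. A YubiKey must be plugged in.
collect() {                           # collect 9a
    ykman piv keys attest "$1" attestation.crt
    ykman piv certificates export f9 intermediateCA.crt
}

# Bundle both PEM certificates (attestation first) and base64-encode the
# bundle as one line with no BEGIN/END CERTIFICATE lines around it.
build_blob() {                        # build_blob attestation.crt intermediateCA.crt attestation.b64
    cat "$1" "$2" > attestation.pem
    base64 < attestation.pem | tr -d '\n' > "$3"
    echo >> "$3"
}

# True when the blob has no PEM armour and decodes back to attestation.pem.
# (On older macOS the decode flag is -D instead of -d.)
blob_ok() {                           # blob_ok attestation.b64
    ! grep -q CERTIFICATE "$1" &&
    [ "$(base64 -d < "$1")" = "$(cat attestation.pem)" ]
}

# Number of certificates inside the blob; must be 2 (attestation + f9 intermediate).
blob_cert_count() {                   # blob_cert_count attestation.b64
    base64 -d < "$1" | grep -c 'BEGIN CERTIFICATE'
}

# True when the CSR was made with the key the attestation certificate
# vouches for: both must carry the same SubjectPublicKeyInfo.
csr_matches_cert() {                  # csr_matches_cert request.csr attestation.crt
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Optional: verify attestation.crt -> intermediateCA.crt -> Yubico's PIV
# attestation root. The root file path is an assumption; download it from Yubico.
chain_ok() {                          # chain_ok piv-attestation-ca.pem
    openssl verify -CAfile "$1" -untrusted intermediateCA.crt attestation.crt > /dev/null
}

# Everything to check before submitting; fails on the first problem.
check_all() {                         # check_all request.csr
    csr_matches_cert "$1" attestation.crt &&
    build_blob attestation.crt intermediateCA.crt attestation.b64 &&
    blob_ok attestation.b64 &&
    [ "$(blob_cert_count attestation.b64)" -eq 2 ] &&
    echo "attestation.b64 is ready: paste its contents into the Key Attestation field"
}

# Constructed stand-ins so the checks run without a YubiKey: one P-256 key
# signs both a CSR and a self-signed "attestation" certificate, and a second
# key stands in for the f9 intermediate. These are NOT real attestations.
make_stand_ins() {
    openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
    openssl req -new -key leaf.key -subj '/CN=stand-in leaf' -out request.csr
    openssl req -new -x509 -key leaf.key -subj '/CN=stand-in attestation' -days 1 -out attestation.crt
    openssl ecparam -name prime256v1 -genkey -noout -out ica.key
    openssl req -new -x509 -key ica.key -subj '/CN=stand-in intermediate' -days 1 -out intermediateCA.crt
}

case "${1:-}" in
    collect) collect "${2:-9a}" ;;
    check)   check_all "${2:?usage: check request.csr}" ;;
    demo)    make_stand_ins; check_all request.csr ;;
esac
```

Typical use: `sh attest-check.sh collect 9a` with the YubiKey inserted, then `sh attest-check.sh check request.csr` with the CSR saved in Step 1; `sh attest-check.sh demo` runs the checks against the stand-ins in the current directory. Windows users can run the same script from a POSIX shell such as Git Bash or WSL with ykman and openssl on the PATH. The public-key comparison is the check most worth keeping: if you regenerate the key pair in Step 1 and forget to regenerate the attestation, the CSR and attestation no longer match and Sectigo will reject the request.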
Step 3: Submit the request to Sectigo
Submit the CSR and the base64 encoded attestation to Sectigo's key attestation service, which verifies that the key was generated on a genuine YubiKey before a code signing certificate is issued for it.
This section describes the steps required to submit the CSR and key attestation through Sectigo Certificate Manager (SCM).
Before proceeding, contact Sectigo Support to enable the Key Attestation Required setting on the Code Signing Certificate Template for your account in the admin portal.
3.1 Create the certificate profile
1. Log in to your SCM account as MRAO (RAOs/DRAOs should contact their MRAO for this step).
2. Navigate to Enrollment > Certificate Profiles.
3. Click Add to create a new Code Signing Certificate Profile.
4. Complete the fields in the Create Certificate Profile window, referring to the following table, and click Next.
| Field | Description |
| Name | Enter a name for the Certificate Profile |
| CA Backend | Select the CA assigned to your account |
| Certificate Type | Select Code Signing Certificate |
| Certificate Template | Select Global Certificate Template |
| Description | (optional) |
5. Select the terms for the certificate lifetime and click Save.
The new certificate profile for the code signing certificate has been created.
3.2 Delegate the new certificate profile to your organization
1. Select Organization > Certificate Settings and enable Code Signing Certificates.
2. Click View.
3. Select the certificate profile to assign to the Code Signing Certificate; click Close and click Save.
3.3 Create enrollment form and new account.
1. Navigate to Enrollment > Enrollment Forms. Click Add.
2. In Create Enrollment Endpoint, enter a Name for the endpoint and select type Code Signing certificate self-enrollment form. Click Next.
3. Enter a name for the URI extension and click Generate.
4. In the Configuration tab, select the Authentication Types and enter the Help instructions (optional).
5. Click Save.
6. Select the new enrollment form and click Accounts.
7. In Code Signing Web Form Accounts, click Add.
8. Complete the fields in the Create Code Signing Web Form Account dialog, referring to the following table, and click Save.
| Field | Description |
| Name | Enter the name of the account |
| Organization | Select your organization |
| Department | (optional) |
| Profiles | Select the certificate profile created earlier |
| CSR Generation method | Select Provided by user |
3.4 Delegate domain
1. Navigate to Domains. Select a domain and click Delegate on the right panel.
2. Select your organization. Select Code Signing Certificate. Click Save.
3.5 Send enrollment invitation.
1. Navigate to Certificates > Code Signing Certificates and click Invitations.
2. Click Add to create a new invitation.
3. Complete the fields, referring to the following table, and click Send.
| Field | Description |
| Email Address | The email address to send the invitation to |
| Enrollment endpoint | The enrollment endpoint created earlier |
| Account | The account created earlier |
| Profile | The code signing profile created earlier |
3.6 Enroll for the certificate.
Note: These actions are performed by the end user.
1. Click Verify Email Address, or copy and paste the link provided in your email. The link opens the enrollment endpoint URL, and the Code Signing Enrollment form is partially filled in.
2. Complete the Code Signing Enrollment form referring to the following table.
| Field | Description |
| Certificate email | |
| First name | Your first name |
| Last name | Your last name |
| CSR | PEM format CSR. PEM header/footer lines are required. |
| Key Attestation | Contents of attestation.b64 file from previous steps. File must be Base64 encoded. PEM header/footer lines must NOT be included. |
| HSM type | Luna or YubiKey |
3. Agree to the user agreement and click Submit.
If the submitted CSR and key attestation are valid, you will receive a code signing certificate from Sectigo. Download it to your system and HSM for code signing operations.
Step 4: Install Certificate in YubiKey
1-Launch YubiKey Manager and navigate to Applications > PIV.
2-Click the Configure Certificates button.
3-Select the tab for the same YubiKey slot where you generated the key pair (9a in this example). The certificate must be imported into the slot that holds its private key; importing it into any other slot leaves the certificate unpaired with the key.
4-Click the Import button.
5-Navigate to your end-entity certificate file and click the Import button.
6-Enter your YubiKey's management key, then click OK.
Default: 010203040506070801020304050607080102030405060708
7-Enter your YubiKey PIN, then click OK.
Default: 123456
The end-entity certificate on its own does not complete the chain of trust. To make sure your digital signatures are trusted on all computers, also install Sectigo's root and intermediate certificates on the machines where you sign (in the operating system's certificate store, or on your YubiKey where your signing tools can read them from there).
Note:
Certain Microsoft tools, such as PowerShell script signing, may not accept an ECC key, and others may require the signing certificate to have built up a reputation before warnings stop. For further details on SmartScreen and application reputation, consult the following KB article:
https://support.sectigo.com/PS_KnowledgeDetailPageFaq?Id=kA01N000000zFJx