
Key Generation and Attestation with YubiKey

Overview 

By the end of this article, you will have generated a private key directly on your YubiKey, produced a key attestation that proves the key was created on the device, submitted your Certificate Signing Request (CSR) and attestation to Sectigo, and installed the issued code signing certificate onto the YubiKey. Sectigo's code signing process requires the private key to be generated and stored on an external, Federal Information Processing Standard (FIPS)-validated Hardware Security Module (HSM) such as a YubiKey, rather than on your computer. The article covers four phases: generating the key pair in the YubiKey's Personal Identity Verification (PIV) application, generating the attestation certificate from the command line, submitting the request in Sectigo Certificate Manager (SCM), and installing the certificate. Screenshots show Windows; notes call out where Linux and macOS differ. 

What is key attestation? 

Key attestation is a signed statement, generated by the YubiKey itself, that proves a private key was created on the device and cannot be exported. Sectigo's key attestation service checks this proof before issuing a code signing certificate — this is how Sectigo confirms your key is protected by a FIPS-validated Hardware Security Module (HSM). 

Prerequisites 

  • A YubiKey FIPS device that supports the Personal Identity Verification (PIV) application. 
  • YubiKey Manager installed on Windows, Linux, or macOS (download from Yubico). 
  • For the attestation step: Windows PowerShell or a macOS/Linux terminal, and the ykman command-line tool (bundled with YubiKey Manager; already in the PATH on Ubuntu). 
  • A Sectigo Certificate Manager (SCM) account. Creating the certificate profile and enrollment form requires the Master Registration Authority Officer (MRAO) role; a Registration Authority Officer (RAO) or Departmental Registration Authority Officer (DRAO) should ask their MRAO. 
  • Sectigo Support must enable the Key Attestation Required setting on your Code Signing Certificate Template before you begin. 

Step 1 — Generate the key pair on the YubiKey 

Generate the private key and a Certificate Signing Request (CSR) directly on the YubiKey using the Personal Identity Verification (PIV) application. 

  1. Download and install YubiKey Manager from Yubico's website (versions for Windows, Linux, and macOS). 


Figure 1. Download YubiKey Manager for your operating system from Yubico's website. 

  2. Plug in your YubiKey and launch YubiKey Manager. Your device appears in the window.

Figure 2. YubiKey Manager confirms your connected YubiKey FIPS device.

  3. Go to Applications > PIV, then click Configure Certificates.

Figure 3. Open Applications > PIV in YubiKey Manager.

Figure 4. On the PIV page, click Configure Certificates.

  4. Select the slot for your certificate type: Authentication (slot 9a) for an Extended Validation (EV) code signing certificate, or Digital Signature (slot 9c) for PDF document signing. This article uses slot 9a.

Figure 5. Select the slot tab: Authentication (9a) for EV code signing.

  5. Click Generate, select Certificate Signing Request (CSR), then click Next.

Figure 6. Click Generate to create a new key pair in the slot.

Figure 7. Choose Certificate Signing Request (CSR), then click Next.

  6. Choose an algorithm. For code signing, select ECCP256 or ECCP384. Code signing cannot use RSA 2048; you must use one of the Elliptic Curve Cryptography (ECC) options.

Figure 8. Select an ECC algorithm (ECCP256 or ECCP384), then click Next.

  7. Enter any Subject Name, then click Next. The Subject Name is not used in the CSR; it is only a byproduct of creating the key pair.

Figure 9. Enter any Subject Name (not used in the CSR), then click Next.

  8. Click Generate, choose a location and filename for the CSR file, then click Save.

Figure 10. Review the summary, then click Generate.

Figure 11. Choose a location and filename, then click Save to store the CSR.

  9. Enter your YubiKey management key, then click OK. If you have not changed it, use the Yubico factory default (see Yubico's documentation).

Figure 12. Enter your YubiKey management key, then click OK.

  10. Enter your YubiKey Personal Identification Number (PIN), then click OK. The factory default PIN is 123456 if unchanged.

Step 2 — Generate the attestation certificate 

Use the ykman command-line tool to create a key attestation, export the supporting intermediate certificate, and combine and Base64-encode them for Sectigo. This step uses the command line. 

  1. Open Windows PowerShell as an administrator, or open a terminal on macOS or Linux. 


Figure 13. Open Windows PowerShell as an administrator. 

  2. Navigate to the YubiKey Manager folder so you can run ykman:

Windows:  cd "C:\Program Files\Yubico\YubiKey Manager" 

macOS:  cd /Applications/YubiKey\ Manager.app/Contents/MacOS 

Linux (Ubuntu):  ykman is already in your PATH, so skip this step. 

  3. Generate the attestation certificate for your slot (replace 9a with 9c if you used the Digital Signature slot; replace attestation.crt with your chosen filename):

Windows:  .\ykman.exe piv keys attest 9a attestation.crt 

macOS:  ./ykman piv keys attest 9a attestation.crt 

Linux (Ubuntu):  ykman piv keys attest 9a attestation.crt 

  4. Export the intermediate certificate from slot f9 (replace intermediateCA.crt with your chosen filename):

Windows:  .\ykman.exe piv certificates export f9 intermediateCA.crt 

macOS:  ./ykman piv certificates export f9 intermediateCA.crt 

Linux (Ubuntu):  ykman piv certificates export f9 intermediateCA.crt 

  5. Combine both certificates into a single Privacy-Enhanced Mail (PEM) file:

Windows:  type attestation.crt intermediateCA.crt > attestation.pem

macOS/Linux:  cat attestation.crt intermediateCA.crt > attestation.pem

  6. Base64-encode the combined file. The attestation service expects a Base64 blob with no PEM header or footer lines:

Windows:  certutil -encode attestation.pem attestation.b64 

findstr /v CERTIFICATE attestation.b64 > attestation_clean.b64 

Linux/macOS:  cat attestation.pem | base64 
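As an added example that is not part of this article or of Yubico's tooling, the following macOS/Linux shell script performs the file handling of Step 2 and adds the checks worth running before you paste anything into SCM: it confirms the attestation was signed by the intermediate from slot f9 and attests the same public key as the CSR, then produces the single-line Base64 blob with no PEM header or footer lines (the condition behind the first Troubleshooting entry below). It assumes the file names used above, an assumed name request.csr for the CSR saved in Step 1, and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not part of the Sectigo article or of ykman: a macOS/Linux
# companion to Step 2 that builds the Base64 attestation blob, checks that the
# attestation is signed by the slot f9 intermediate and attests the key in the
# CSR, and refuses to produce a file that still carries PEM header/footer lines.
# File names follow the article; "request.csr" is an assumed name for the CSR
# saved from YubiKey Manager in Step 1.
set -eu

# Base64-encode a whole PEM bundle into one line with no armor lines, the same
# result the certutil -encode + findstr /v CERTIFICATE pair produces on Windows.
clean_b64() {                         # $1 = attestation.pem
    base64 < "$1" | tr -d '\r\n'
}

# True when a file still has "-----BEGIN ..." lines, the troubleshooting case
# in which SCM rejects the attestation.
has_pem_armor() {                     # $1 = file to inspect
    grep -q -- '-----BEGIN' "$1"
}

# Decode a blob and count the certificates it carries (expect 2).
blob_cert_count() {                   # $1 = Base64 blob (older macOS: base64 -D)
    printf '%s' "$1" | base64 -d | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Confirm the attestation chains to the intermediate from slot f9 and that it
# attests exactly the public key in the CSR. Requires the openssl CLI.
check_attestation() {                 # $1 attestation.crt $2 intermediateCA.crt $3 CSR
    openssl verify -partial_chain -CAfile "$2" "$1" > /dev/null
    att_pub=$(openssl x509 -in "$1" -pubkey -noout)
    csr_pub=$(openssl req -in "$3" -pubkey -noout)
    [ "$att_pub" = "$csr_pub" ]
}

if [ -f attestation.crt ] && [ -f intermediateCA.crt ] && [ -f request.csr ]; then
    check_attestation attestation.crt intermediateCA.crt request.csr
    cat attestation.crt intermediateCA.crt > attestation.pem
    clean_b64 attestation.pem > attestation_clean.b64
    if has_pem_armor attestation_clean.b64; then
        echo "attestation_clean.b64 still contains PEM armor; do not submit it" >&2
        exit 1
    fi
    echo "attestation_clean.b64 holds $(blob_cert_count "$(cat attestation_clean.b64)") certificates, ready for the Key Attestation field"
else
    echo "attestation.crt, intermediateCA.crt and request.csr not found in this directory; nothing to do" >&2
fi
```

Run it from the directory where ykman wrote attestation.crt and intermediateCA.crt; a non-zero exit means the attestation does not match the CSR or the output still carries armor lines.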

Step 3 — Submit the request to Sectigo Certificate Manager (SCM) 

Submit your CSR and Base64-encoded attestation in Sectigo Certificate Manager (SCM) so Sectigo can verify the device and issue the certificate. Sections 3.1 and 3.2 require the Master Registration Authority Officer (MRAO) role. If your MRAO has already created the certificate profile, skip to section 3.3. 


Figure 14. If your MRAO already created the profile, skip sections 3.1 and 3.2. 

3.1 Create the certificate profile 

  1. Sign in to SCM as an MRAO.
  2. Go to Enrollment > Certificate Profiles and click Add.
  3. Complete the Create Certificate Profile fields, then click Next:

  • Name: A name for the certificate profile
  • CA Backend: The Certificate Authority (CA) assigned to your account
  • Certificate Type: Code Signing Certificate
  • Certificate Template: Global Certificate Template
  • Description: Optional

Figure 15. Complete the Create Certificate Profile fields, then click Next.

  4. Select the certificate lifetime terms and click Save.

Figure 16. Set the certificate lifetime terms, then click Save.

3.2 Delegate the profile to your organization 

  1. Go to Organization > Certificate Settings and enable Code Signing Certificates.

Figure 17. Enable Code Signing Certificates, then click View.

  2. Click View, select the certificate profile to assign, click Close, then click Save.

Figure 18. Select the certificate profile to delegate, then click Save.

3.3 Create the enrollment form and account 

  1. Go to Enrollment > Enrollment Forms and click Add.
  2. Enter a name, select the type Code Signing certificate self-enrollment form, then click Next.
  3. Enter a name for the Uniform Resource Identifier (URI) extension and click Generate.
  4. On the Configuration tab, select the authentication types, add any optional help instructions, then click Save.
  5. Select the new enrollment form, click Accounts, then click Add.
  6. Complete the Create Code Signing Web Form Account fields, then click Save:

  • Name: The account name
  • Organization: Your organization
  • Department: Optional
  • Profiles: The certificate profile created in 3.1
  • CSR Generation method: Provided by user

3.4 Delegate the domain 

  1. Go to Domains, select a domain, and click Delegate.
  2. Select your organization, select Code Signing Certificate, then click Save.


Figure 19. Delegate the domain to your organization for code signing, then click Save. 

3.5 Send the enrollment invitation 

  1. Go to Certificates > Code Signing Certificates and click Invitations.
  2. Click Add, complete the fields, then click Send:

  • Email Address: The email address to send the invitation to
  • Enrollment endpoint: The endpoint created in 3.3
  • Account: The account created in 3.3
  • Profile: The certificate profile created in 3.1

3.6 Enroll for the certificate 

The end user performs these steps. 

  1. Click Verify Email Address, or copy the link from the invitation email. The link opens the enrollment form, partially filled in.
  2. Complete the Code Signing Enrollment form:

  • First name: The end user's first name
  • Last name: The end user's last name
  • CSR: The CSR in PEM format, including the PEM header and footer lines
  • Key Attestation: The contents of the Base64 attestation file from Step 2, with no PEM header or footer lines
  • HSM type: Luna or YubiKey

  3. Agree to the user agreement and click Submit. If the CSR and attestation are valid, Sectigo issues a code signing certificate. Download it to your system to install on the YubiKey.

Figure 20. Paste your CSR and Base64 attestation, select the HSM type, then submit.

Step 4 — Install the certificate on the YubiKey 

  1. Launch YubiKey Manager and go to Applications > PIV, then click Configure Certificates. 


Figure 21. Open Applications > PIV in YubiKey Manager. 


Figure 22. On the PIV page, click Configure Certificates. 

  2. Select the same slot where you generated the key pair in Step 1.

Figure 23. Select the same slot where you generated the key pair.

  3. Click Import, browse to your issued (end-entity) certificate file, then click Import.

Figure 24. Click Import to install the issued certificate in the slot.

  4. Enter your YubiKey management key, then click OK. Enter your PIN, then click OK.

Figure 25. Enter your YubiKey management key, then click OK.

  5. For a complete chain of trust, also install the root and intermediate certificates on the YubiKey.

How to verify success 

Open YubiKey Manager, go to Applications > PIV, click Configure Certificates, and select the slot you used. The issued certificate now appears as loaded in that slot, and your YubiKey is ready for code signing. 

Troubleshooting 

Issue: The attestation is rejected during enrollment. 

Cause: The attestation file still contains PEM header and footer lines, which certutil adds on Windows. 

Solution: Run findstr /v CERTIFICATE to remove the header and footer before pasting the Base64 attestation into the enrollment form. 

Issue: A PowerShell script or other Microsoft application will not run with the certificate. 

Cause: Some Microsoft applications are not compatible with Elliptic Curve Cryptography (ECC) keys, or they require application reputation through SmartScreen. 

Solution: Review Sectigo's SmartScreen and application reputation Knowledge Base (KB) article for details. 

Related questions 

  • How do I generate a code signing key pair and key attestation on a YubiKey? 
  • Which YubiKey slot and algorithm do I use for an EV code signing certificate? 
  • How do I submit a YubiKey key attestation to Sectigo Certificate Manager? 

 
