Adding root and intermediate certificates to your YubiKey is an important step in boosting its security and trustworthiness. In this guide, we'll provide a streamlined walkthrough of the entire certificate installation process using Yubico's ykman command-line tool.
While you can manage your YubiKey without these extra certificates, taking the time to install them will maximize the device's capabilities and your protection when using it for cryptographic operations. The ykman utility offers a quick and easy method to get your certificates configured.
Whether you're new to YubiKey or simply need a refresher, this step-by-step tutorial will help you get your root and intermediate certificates set up rapidly. By following our guide, you'll gain the knowledge to enhance your YubiKey setup in just a few simple steps. Let's get started!
Follow the steps below to browse to your root and intermediate certificates and install them using YubiKey Manager.
Step 1: The first step is to download the YubiKey Manager software from Yubico's website. Be sure to select the right version for your operating system: Windows, Linux or macOS.
NOTE: We'll actually just be using the ykman command line tool included in the Manager download rather than the graphical interface.
Step 2: Obtain the root and intermediate certificate files that correspond to your specific code signing or EV code signing certificate.
If your cert uses an RSA key and came on a FIPS 140-2 approved USB device, these certificates should have been provided by your certificate authority.
Step 3: Open a terminal or command prompt and navigate to the YubiKey Manager installation directory using the command for your operating system. The paths contain spaces, so quote them.
Windows:
cd "C:\Program Files\Yubico\YubiKey Manager"
macOS:
cd "/Applications/YubiKey Manager.app/Contents/Resources"
Step 4: Use these commands to install the root and intermediate certificates from Step 2 onto your YubiKey, replacing the capitalized placeholders with your actual certificate paths and management key:
ykman piv certificates import -m MANAGEMENT_KEY_HERE 82 ROOT_CERT_PATH_HERE
ykman piv certificates import -m MANAGEMENT_KEY_HERE 83 INTERMEDIATE_CERT_PATH_HERE
You can use any slot from 82-95 if needed for additional certificates. Omit -m if using the default management key.
Step 5: Finally, verify the certificates installed properly by running:
ykman piv info
This will display all the certificates currently loaded onto your YubiKey. Confirm your new root and intermediate certificates are present in slots 82 and 83.
Step 6: Now your YubiKey is ready to go! Your new certificates will automatically be utilized during cryptographic operations like code signing for enhanced security and validation.
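Listing the slots in Step 5 shows that a certificate is present, not that it is the one you meant to load. The script below is an added example, not part of the original guide or of Yubico's tooling: it exports each slot with `ykman piv certificates export SLOT -` and compares SHA-256 fingerprints against your source files. The script name and the `slot=path` argument format are assumptions made here.

```python
import base64, hashlib, re, subprocess, sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(data: bytes) -> bytes:
    """Normalise one certificate (PEM or DER) to DER so both encodings compare equal."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        # CA downloads are often root+intermediate bundles; split them before importing.
        raise ValueError("bundle found: expected exactly one certificate per file")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("input is neither PEM nor DER")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint computed over the DER encoding."""
    return hashlib.sha256(der_bytes(data)).hexdigest()

def export_slot(slot: str) -> bytes:
    """Read the certificate stored in a PIV slot; '-' makes ykman write to stdout."""
    cmd = ["ykman", "piv", "certificates", "export", slot, "-"]
    return subprocess.run(cmd, check=True, capture_output=True).stdout

def check_slots(expected: dict, export=export_slot) -> dict:
    """Map each slot to True when its exported certificate matches the intended file."""
    return {slot: fingerprint(export(slot)) == fingerprint(data)
            for slot, data in expected.items()}

if __name__ == "__main__":
    # Assumed usage: python check_slots.py 82=root.pem 83=intermediate.pem
    expected = {}
    for arg in sys.argv[1:]:
        slot, path = arg.split("=", 1)
        with open(path, "rb") as fh:
            expected[slot] = fh.read()
    results = check_slots(expected)
    for slot, ok in results.items():
        print(f"slot {slot}: {'match' if ok else 'MISMATCH'} ({fingerprint(expected[slot])})")
    sys.exit(0 if all(results.values()) else 1)
```

A non-zero exit status means at least one slot holds something other than the file you named, so re-import that slot before relying on it.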