How to Get Certificates with PowerShell from a YubiKey Device?


Welcome to this guide on using the YubiKey .NET SDK to obtain certificates with PowerShell. Yubico has recently released its desktop .NET SDK, which is now generally available. To explore its functionality, you can visit its GitHub repository.

If you prefer a more hands-on approach, you can clone the SDK from the repository and build the project yourself. A successful build produces three libraries.

Among them is Yubico.YubiKey.dll, which contains the necessary classes and types for interacting with the YubiKey. Additionally, the Yubico.Core.dll is required for identifying connected YubiKeys.

Next, import the Yubico.YubiKey.dll and Yubico.Core.dll libraries into a new PowerShell session. This lets you access the classes directly and explore the documentation more thoroughly.

By combining the examples, the documentation, and a bit of trial and error, you can efficiently retrieve certificates from your YubiKeys.

Following these steps, you can retrieve certificates from your YubiKeys within a few hours. With a bit of perseverance and some familiarity with the SDK, others have done this easily, and you, too, can use PowerShell to read certificates from YubiKeys.


What Are the Connected YubiKeys for Enhanced Security?

To access and retrieve certificates from YubiKey 5 NFC FIPS, you can follow these steps.

It’s important to note that the Security Key does not support certificate retrieval, since it is solely a FIDO key and has no PIV application.

The YubiKeys that support PIV have four certificate slots: Authentication Certificate, Digital Signature Certificate, Key Management Certificate, and Card Authentication Certificate.

Using the Yubico YubiKey Manager, you can view the contents of these certificate slots.

The libraries can detect keys connected through USB-A and USB-C interfaces. You can use the “Find-YubiKeyDevices” function to enumerate and work with multiple YubiKeys at once.


How to Get Your YubiKey Device?

This function returns information about each YubiKey, including its form factor, firmware version, and serial number. The “Get-YubiKeyDevice” function then uses a YubiKey’s serial number to return that specific device.
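As an added example (not the article’s own YubiKey.ps1), here is how the two discovery functions described above can be written against the SDK’s YubiKeyDevice class. The DLL location and the output property names are assumptions.

```powershell
# Load the SDK assemblies, Core first, then YubiKey. Assumes both DLLs sit next to the
# script (dot-sourced) or in the current directory (interactive session).
$sdkDir = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
Add-Type -Path (Join-Path $sdkDir 'Yubico.Core.dll')
Add-Type -Path (Join-Path $sdkDir 'Yubico.YubiKey.dll')

function Find-YubiKeyDevices {
    # Enumerate every YubiKey the SDK can see and project the fields an operator needs.
    [Yubico.YubiKey.YubiKeyDevice]::FindAll() | ForEach-Object {
        [PSCustomObject]@{
            SerialNumber    = $_.SerialNumber          # $null on models that do not expose one
            FormFactor      = $_.FormFactor
            FirmwareVersion = $_.FirmwareVersion.ToString()
            FipsSeries      = $_.IsFipsSeries
            # A FIDO-only Security Key lacks the PIV capability, so certificate reads will fail on it
            PivAvailable    = $_.AvailableUsbCapabilities.HasFlag([Yubico.YubiKey.YubiKeyCapabilities]::Piv)
        }
    }
}

function Get-YubiKeyDevice {
    param([Parameter(Mandatory)][int]$SerialNumber)
    # Select by serial number rather than enumeration order, which changes as keys are plugged in.
    $device = [Yubico.YubiKey.YubiKeyDevice]::FindAll() |
        Where-Object { $_.SerialNumber -eq $SerialNumber } |
        Select-Object -First 1
    if (-not $device) { throw "No connected YubiKey has serial number $SerialNumber." }
    return $device
}

# Usage: list everything that is plugged in, then pick one key by serial number.
Find-YubiKeyDevices | Format-Table -AutoSize
$key = Get-YubiKeyDevice -SerialNumber (Find-YubiKeyDevices | Select-Object -First 1).SerialNumber
```

The PivAvailable column is the check to run before attempting certificate retrieval on a key you have not seen before.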


How to Use PowerShell to Get Certificates from a YubiKey?

By now you have discovered the connected YubiKeys. After selecting a specific YubiKey by its serial number, you can retrieve certificates from it.

It’s essential to determine the slot from which you want to retrieve the certificate, such as:

  1. Authentication
  2. Digital Signature
  3. Key Management
  4. Card Authentication

You can specify the YubiKey’s serial number and slot and use the “Get-YubiKeyCertificate” function to retrieve the certificate as a PowerShell X509Certificate2 object.

-CertSlot: the certificate slot to return the certificate from:

– Slot 9a ‘Authentication’
– Slot 9c ‘Signature’
– Slot 9d ‘KeyManagement’
– Slot 9e ‘CardAuthentication’

Get-YubiKeyCertificate -CertSlot Authentication -SerialNumber 15464990

If you prefer the certificate to be returned as a base64 encoded string, pass the “-Raw $true” parameter to the same “Get-YubiKeyCertificate” function.

Get-YubiKeyCertificate -CertSlot Authentication -SerialNumber 15464990 -Raw $true
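A working implementation of the function described above, added here as an example rather than taken from the article’s YubiKey.ps1. The parameter names follow the article; the slot mapping uses the SDK’s PivSlot constants and the PivSession class, and it assumes Yubico.Core.dll and Yubico.YubiKey.dll are already imported into the session.

```powershell
function Get-YubiKeyCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Authentication', 'Signature', 'KeyManagement', 'CardAuthentication')]
        [string]$CertSlot,
        [Parameter(Mandatory)][int]$SerialNumber,
        [bool]$Raw = $false
    )
    # Friendly names to the PIV slot numbers the SDK defines (9a, 9c, 9d, 9e).
    $slotMap = @{
        Authentication     = [Yubico.YubiKey.Piv.PivSlot]::Authentication
        Signature          = [Yubico.YubiKey.Piv.PivSlot]::Signing
        KeyManagement      = [Yubico.YubiKey.Piv.PivSlot]::KeyManagement
        CardAuthentication = [Yubico.YubiKey.Piv.PivSlot]::CardAuthentication
    }
    $device = [Yubico.YubiKey.YubiKeyDevice]::FindAll() |
        Where-Object { $_.SerialNumber -eq $SerialNumber } | Select-Object -First 1
    if (-not $device) { throw "No connected YubiKey has serial number $SerialNumber." }

    # Reading a certificate needs no PIN: PIV publishes certificates; only the private key is protected.
    $piv = [Yubico.YubiKey.Piv.PivSession]::new($device)
    try {
        # GetCertificate throws if the slot holds no certificate; let the caller see that error.
        $cert = $piv.GetCertificate($slotMap[$CertSlot])
    }
    finally {
        $piv.Dispose()   # release the smart-card connection even on failure
    }
    if ($Raw) {
        # DER bytes as base64, i.e. the body of a PEM certificate without the BEGIN/END lines.
        return [Convert]::ToBase64String($cert.RawData)
    }
    return $cert
}

# Usage with the serial number shown in the article.
$cert = Get-YubiKeyCertificate -CertSlot Authentication -SerialNumber 15464990
# Checks worth making before trusting what came back: validity window, and confirmation that
# the object carries no private key (the key never leaves the YubiKey).
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
'{0}  {1}  HasPrivateKey={2}' -f $cert.Thumbprint, $cert.Subject, $cert.HasPrivateKey
```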

Exploring the Yubico YubiKey Certificates PowerShell Script

To simplify discovering Yubico YubiKeys and retrieving certificates, we have a comprehensive PowerShell script called YubiKey.ps1. This script incorporates the three essential functions outlined below.

QUICK NOTE: The script requires PowerShell 7.x for optimal performance.

To begin, you’ll need to download the YubiKey.ps1 script along with the two DLL files, Yubico.YubiKey.dll and Yubico.Core.dll. These files can be found in the GitHub YubiKey repository here. Keep all three files in the same directory.


Once you have the necessary files, import the functions and DLLs by dot-sourcing the YubiKey.ps1 script. Execute the following command in PowerShell:

. .\YubiKey.ps1

The YubiKey.ps1 script provides the following PowerShell functions:

DiscoverYubiKeys:

This function discovers the Yubico YubiKeys connected to your system. Running it quickly identifies all YubiKeys present and gives you access to their corresponding information.

GetCertificatesFromSlots:

With this function, you can retrieve certificates from the certificate slots on your Yubico YubiKeys. It uses the compiled libraries of the Yubico desktop .NET SDK (version 4.0.30319) to interact with the YubiKeys.

YubiKey.ps1 script is designed to work flawlessly with PowerShell versions 6.x and 7.x, ensuring compatibility across different environments.

Wrapping up

With these steps, you can access and retrieve certificates from different YubiKeys using PowerShell, which makes managing your YubiKey devices and their associated certificates more efficient.

The Yubico Desktop SDK supports various tasks, including discovering connected YubiKeys and retrieving certificates from a YubiKey using PowerShell. This SDK provides the tools and functionality needed to interact with YubiKeys.

By combining the Yubico Desktop SDK with PowerShell scripting, you can access the certificates stored on the YubiKey. This is handy for tasks that require certificate management and integration with other systems or applications.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.