How to Install Root and Intermediate Certificates Quickly on YubiKey?

Install Root and Intermediate Certificate on YubiKey

Welcome to our comprehensive guide on installing root and intermediate certificates on a YubiKey. In this tutorial, we will walk you through the process of using Yubico’s ykman command-line utility to install these essential certificates.

We highly recommend following these instructions and adding these certificates to your signing computer’s certificate store. Let’s get started and enhance the security and trustworthiness of your YubiKey-enabled operations.

How to Get Root and Intermediate Certificates?

To ensure the authenticity and security of your code and documents, installing the root and intermediate certificates on your YubiKey properly is crucial.

Follow the step-by-step instructions below to accomplish this task:

Step 1: Begin by downloading YubiKey Manager from Yubico’s official website. Select the appropriate version for your operating system (Windows, Linux, or macOS).

QUICK NOTE: We will utilize the ykman utility bundled with YubiKey Manager rather than the manager itself.

Step 2: Next, acquire the root and intermediate certificates that correspond to your specific code signing or EV code signing certificate.

If your certificate was shipped on a FIPS 140-2 validated USB security key token, it holds an RSA key, and your CA will include the Root and Intermediate Certificates in the package.

Step 3: Now, it’s time to navigate to the YubiKey Manager files using the appropriate command based on your operating system:

On Windows:

$ cd "C:\Program Files\Yubico\YubiKey Manager"

On MacOS:

$ cd "/Applications/YubiKey Manager.app/Contents/MacOS"

QUICK NOTE: On Linux (Ubuntu), the ykman command should already be installed in your PATH, so you can skip this step.

Step 4: Use the following commands to install the root and intermediate certificates you downloaded in the previous step onto slots 82 and 83 of your YubiKey.

Replace the capitalized placeholders with the actual paths to the certificates you downloaded and your YubiKey’s management key.

If you are using the default management key, you can omit the -m option. Please remember that you can utilize any YubiKey slot from 82 through 95 if you need to install additional certificates.

Default management key is 010203040506070801020304050607080102030405060708

On Windows:

$ .\ykman piv certificates import 82 "PATH\TO\ROOT\CERTIFICATE.pem" -m MANAGEMENT-KEY
$ .\ykman piv certificates import 83 "PATH\TO\INTERMEDIATE\CERTIFICATE.pem" -m MANAGEMENT-KEY

On macOS:

$ ./ykman piv certificates import 82 /PATH/TO/ROOT/CERTIFICATE.pem -m MANAGEMENT-KEY
$ ./ykman piv certificates import 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem -m MANAGEMENT-KEY

On Linux (Ubuntu):

$ ykman piv certificates import 82 /PATH/TO/ROOT/CERTIFICATE.pem -m MANAGEMENT-KEY
$ ykman piv certificates import 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem -m MANAGEMENT-KEY

QUICK NOTE: ykman prints nothing to indicate whether the certificate was installed. You can verify the installation with the “ykman piv certificates export” command.

For example, the following command will print the certificate in slot 82 to the standard output:

On Windows:

$ .\ykman piv certificates export 82 -

On macOS:

$ ./ykman piv certificates export 82 -

On Linux (Ubuntu):

$ ykman piv certificates export 82 -

Step 5: Once you have successfully installed these certificates on your YubiKey, your code and documents will be signed with a complete chain of trust.

Consequently, you will not encounter trust issues on computers lacking the intermediate certificate in their trust stores.

You may need to disconnect and reconnect your YubiKey for the changes to take effect during the signing process.

It’s a Wrap!

This is how you install your intermediate and root certificates on a YubiKey with an OV or EV Code Signing Certificate.

By following these instructions meticulously, you can ensure the reliability of your signed documents and code. Congrats on bolstering trust and security in your digital operations.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.