





Securing a private key and Code Signing certificate is extremely necessary as code tamper-proofing. And one of the reliable ways to secure them is using Yubico YubiKey FIPS compliant Hardware Token.
Here, you will find out the complete process of importing the certificates to YubiKey. And how to use it for signing an executable file.
Whenever an individual software developer or a company needs to publish software, code signing gets performed. It helps to build a trustworthy relationship with end-users, as signed software eliminates Unknown Publisher Warnings.
Recommended: Unknown Publisher Warning – What Is It & Why Should You Care?
Recently, according to new CA/Browser policies, every certificate owner needs to store the private key in a hardware token. And the token must align with FIPS standards. Otherwise, the certificate will not get issued.
Recommended: Important Changes in Issuing OV Code Signing Certificate From June 2023
And when it comes to FIPS aligning tokens, Yubico YubiKey tops the list. It aids in storing certificates and associated private key in a secure ecosystem, preventing unauthorized access.
Also, it seamlessly works with Windows OS, and you don’t need any paid or additional tools to use it. With the signtool utility, you can easily perform code signing using YubiKey HSM.
Before you start with the code signing using Yubikey, ensure that you tick off the following checklist:
Once you obtain a Code Signing Certificate and a compatible YubiKey, it’s time to start with the signing process. To tamper-proof the code, follow the below-provided steps:
To sign an executable file on a Windows platform, the signtool.exe utility gets used. By default, it’s part of the Windows Software Development Kit (SDK), and it’s available in the bin folder of it.
However, if your system doesn’t have it installed, you must download and install it.
In addition, it’s always recommended to download the complete SDK for seamless working.
Download Link: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/
After the signtool installation, you must import the certificate to YubiKey. For a successful installation, YubiKey Smart Card Minidriver is necessary.
By navigating to the Device Manager and checking under the Smart Cards section, you can verify whether it’s installed or not. If it’s available on the system, you would see Yubico Yubikey written there; otherwise, not.
Don’t worry if you didn’t find the Minidriver, as we are going to cover both alternatives, i.e., import with and without Minidriver.
Step 1: Access the PowerShell with administrative controls.
Step 2: Execute the following commands in the provided sequence.
reg add “HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider” /v AllowPrivateExchangeKeyImport /t REG_DWORD /d 1
reg add “HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider” /v AllowPrivateSignatureKeyImport /t REG_DWORD /d 1
certutil –csp "Microsoft Base Smart Card Crypto Provider" –importpfx C:\Path\to\your.pfx
Step 3: Enter the PIN when the system prompts. And if no PIN is set, use the default value: 123456
Step 1: Download the YubiKey Manager and install it on your Windows System.
Step 2: Open the PowerShell with Administrative controls.
Step 3: Execute the following commands:
cd “%PROGRAMFILES%\Yubico\YubiKey Manager”
.\ykman piv import-key --pin-policy=once 9c C:\path\to\your.pfx
Step 4: Fill in the PIN, certificate password, and management key when prompted.
Step 5: Execute the command:
.\ykman piv import-certificate 9c C:\path\to\your.pfx
Step 6: Again, input the PIN, PFX file password, and management key as prompted.
Whenever you utilize YubiKey for signing, ensure that the correct certificate gets stored. And the most effective way to confirm it is by specifying the SHA1 thumbprint.
Undergo the following procedure to avail the thumbprint.
Step 1: Open the run tool (Windows + R) and type certmgr.msc, and click on the OK button.
Step 2: In the left tree view, navigate to Personal, then to Certificates.
Step 3: Find your certificate and double-click on it.
Step 4: Once the certificate properties get displayed, go to the Details tab and scroll to the bottom.
Step 5: Copy the Thumbprint value and save it in a Word or similar file.
To code sign the executable file, open the PowerShell and start executing the following commands.
cd “%PROGRAMFILES(X86)%\Windows Kits\10\bin\x64”
Note: Delete the (x86) and modify x64 at the end to x86 if your system runs a 32-bit OS version.
.\signtool sign /sha1 <THUMBPRINT> /fd SHA256 /t http://tsa.safecreative.org C:\path\to\your_application.exe
Note: Put the thumbprint value that you copied at <THUMBPRINT>. And if you want to timestamp the file, then only put /t and timestamp the server’s address in the command.
Further, enter the PIN, and you are done with code signing using Yubico YubiKey.
Finally, your executable file will get signed and ready to reach end-users.
While signing executable files using YubiKey, there’s a fair probability of facing the following two errors.
The first root cause can be that system has stored the PIN in cached memory. And the second reason could be the availability of a private key and associated certificate in the certmgr.msc.
To resolve it, go to certmgr.msc using Windows + R. Then, find your certificate under Personal à Certificates. And delete the certificate by right-clicking on it and selecting the Delete option from the menu.
Further, disconnect and reinsert the YubiKey. Now, whenever you use YubiKey, the system will ask you for a PIN.
To solve the 0x8010006A error, import the Code Signing Certificate to YubiKey using any of the mentioned mechanisms (with Minidriver or without Minidriver).
Primarily, YubiKey functions as a second layer of authentication for Microsoft, Google, and other online services. And the YubiKey code is the AES-encrypted 128-bit password that gets created through the concatenation of YubiKey fields.
To utilize YubiKey for authentication, follow the below steps:
Step 1: Access the Yubico Authenticator App and click on Control.
Step 2: Select the Scan option to scan the QR code, getting displayed on the screen.
Further, duplicate the QR code and store it to use it as a backup.
The certificate limit of YubiKey depends upon its version.
YubiKey Version | Total Space Available | Limit With Minimum Cert Size | Limit With Maximum Cert Size |
Prior to Version 4.0 | 8100 bytes | 4 Certs of 2025 bytes each | 4 certs of 2025 bytes each |
Version 4.x | 49,800 bytes | 24 Certs of 2075 bytes each | 16 certs of 3052 bytes each |
Version 4.x FIPS | 49,800 bytes | 24 Certs of 2075 bytes each | 16 certs of 3052 bytes each |
Version 5.x | 50,000 bytes | 24 Certs of 2084 bytes each | 16 certs of 3052 bytes each |
Version 5.x FIPS | 49,800 bytes | 24 Certs of 2079 bytes each | 16 certs of 3052 bytes each |
Yubikey is not a private key. It’s a FIPS-compliant Hardware Security Module that aids in securely storing private key and associated certificates. It allows one to import a private to it or generate one directly to YubiKey storage.
To perform certificate configuration, run the YubiKey Manager tool on your machine. Once it opens, go to Home Page à Applications à PIV.
Further, select Certificates à Configure Certificates.
Every YubiKey contains a private key and a certificate by default. It aids you in generating an attestation certificate to ensure private key generation on the YubiKey.
Recommended: Private Key Generation and CSR Attestation with YubiKey Manager
Yes, YubiKey complies with FIPS standards. However, you must select the correct version before you order it. You must always check the compliant version list before you avail one for you.
It would help you align with CA/B forum policies and seamlessly utilize the code signing certificate.