How To Use YubiKey To Sign Windows Executable File?


Securing the private key and the Code Signing certificate is essential to keep signed code tamper-proof, and one reliable way to protect them is a Yubico YubiKey, a FIPS-compliant hardware token.

Here you will find the complete process of importing the certificate to a YubiKey and using it to sign an executable file.

The Need for YubiKey FIPS-Compliant Hardware Token

Whenever an individual software developer or a company publishes software, the code is signed. It helps to build trust with end-users, as signed software eliminates Unknown Publisher warnings.

Recommended: Unknown Publisher Warning – What Is It & Why Should You Care?

Recently, according to new CA/Browser Forum policies, every certificate owner must store the private key in a hardware token, and the token must meet FIPS standards. Otherwise, the certificate will not be issued.

Recommended: Important Changes in Issuing OV Code Signing Certificate From June 2023

When it comes to FIPS-compliant tokens, the Yubico YubiKey tops the list. It stores the certificate and its private key in a secure environment, preventing unauthorized access.

It also works seamlessly with Windows, and you don’t need any paid or additional tools to use it. With the signtool utility, you can easily code sign using the YubiKey.

Prerequisites To Complete Before Signing Using YubiKey

Before you start code signing with a YubiKey, make sure you can tick off the following checklist:

  • You have a compatible YubiKey Token (YubiKey 5 FIPS Series, YubiKey 5 Series, YubiKey 4 Series, Yubikey FIPS 4 Series)
  • A Code Signing Certificate from an authorized CA, such as Comodo, DigiCert, Certera, and Sectigo
  • The certificate is in .pfx format.


Step-By-Step Guide to Sign a Windows Executable File Using YubiKey

Once you have a Code Signing Certificate and a compatible YubiKey, it’s time to start the signing process. To tamper-proof the code, follow the steps below:

Step 1: Signtool.exe Utility Tool Installation

To sign an executable file on Windows, the signtool.exe utility is used. By default, it’s part of the Windows Software Development Kit (SDK) and is available in its bin folder.

However, if your system doesn’t have it installed, you must download and install it.

In addition, it’s always recommended to install the complete SDK so that everything works seamlessly.

Download Link: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/

Step 2: Import Your Code Signing Certificate To YubiKey

After installing signtool, import the certificate to the YubiKey. The import method depends on whether the YubiKey Smart Card Minidriver is installed.

You can check whether it is installed by opening Device Manager and looking under the Smart cards section: if the Minidriver is present, an entry reading Yubico YubiKey is listed there; otherwise, it is not.

Don’t worry if you don’t find the Minidriver, as we cover both alternatives: importing with and without the Minidriver.

Alternative 1: When Minidriver is installed

Step 1: Access the PowerShell with administrative controls.

Step 2: Execute the following commands in the provided sequence.

reg add "HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider" /v AllowPrivateExchangeKeyImport /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider" /v AllowPrivateSignatureKeyImport /t REG_DWORD /d 1
certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx C:\Path\to\your.pfx

Step 3: Enter the PIN when prompted. If no PIN has been set, use the default value: 123456

Alternative 2: When Minidriver is not installed

Step 1: Download the YubiKey Manager and install it on your Windows System.

Step 2: Open the PowerShell with Administrative controls.

Step 3: Execute the following commands:

cd "$env:ProgramFiles\Yubico\YubiKey Manager"
.\ykman piv import-key --pin-policy=once 9c C:\path\to\your.pfx

Step 4: Fill in the PIN, certificate password, and management key when prompted.

Step 5: Execute the command:

.\ykman piv import-certificate 9c C:\path\to\your.pfx

Step 6: Again, input the PIN, PFX file password, and management key as prompted.
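The two import alternatives above, combined into one script as an added example (not code from the original article or from Yubico): it checks Device Manager's smart card entries for the Minidriver and then runs either the certutil path or the ykman path. It assumes $PfxPath points at your .pfx and that ykman.exe is in the default YubiKey Manager folder.

```powershell
# Added example (not from the original article): pick the import path based on
# whether the YubiKey Smart Card Minidriver is present, then import the PFX.
# Assumptions (not from the article): $PfxPath points at your .pfx, and
# ykman.exe sits in the default YubiKey Manager folder.
$PfxPath  = 'C:\Path\to\your.pfx'
$YkmanDir = "$env:ProgramFiles\Yubico\YubiKey Manager"
$CspKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'

# Device Manager > Smart cards lists the Yubico entry when the Minidriver is
# installed; Get-PnpDevice reads the same device tree without opening the GUI.
$minidriver = Get-PnpDevice -Class SmartCard -ErrorAction SilentlyContinue |
    Where-Object { $_.FriendlyName -like '*Yubi*' }

if ($minidriver) {
    "Minidriver found ($($minidriver.FriendlyName -join ', ')); importing via certutil"
    # Alternative 1: both provider flags must be 1 or certutil refuses to push a
    # private key onto the smart card (same registry values as the reg add lines).
    foreach ($flag in 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport') {
        New-ItemProperty -Path $CspKey -Name $flag -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Prompts for the PFX password and the card PIN (default 123456 if never set).
    certutil -csp 'Microsoft Base Smart Card Crypto Provider' -importpfx $PfxPath
} else {
    "Minidriver not found; importing with ykman into PIV slot 9c (Digital Signature)"
    if (-not (Test-Path "$YkmanDir\ykman.exe")) { throw "ykman.exe not found in $YkmanDir" }
    # Alternative 2: key first, then certificate. Each call prompts for the PIN,
    # the PFX password and the management key, as described in the article.
    & "$YkmanDir\ykman.exe" piv import-key --pin-policy=once 9c $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "import-key failed with exit code $LASTEXITCODE" }
    & "$YkmanDir\ykman.exe" piv import-certificate 9c $PfxPath
}
if ($LASTEXITCODE -ne 0) { throw "Import failed with exit code $LASTEXITCODE" }
"Done. Next: read the thumbprint (Step 3) and sign with signtool (Step 4)."
```

Run it from an elevated PowerShell, since writing under HKLM and pushing a key to the card both need administrative rights.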

Step 3: Obtain the Certificate’s Thumbprint

Whenever you use the YubiKey for signing, make sure the correct certificate is selected. The most reliable way to do so is to specify its SHA1 thumbprint.

Follow the procedure below to obtain the thumbprint.

Step 1: Open the Run dialog (Windows + R), type certmgr.msc, and click OK.

CertMGR Window

Step 2: In the left tree view, navigate to Personal, then to Certificates.

Personal Certificate CertMgr

Step 3: Find your certificate and double-click on it.

Step 4: Once the certificate properties are displayed, go to the Details tab and scroll to the bottom.

Step 5: Copy the Thumbprint value and save it in a Word or similar file.

Thumbprint Value CertMgr

Step 4: Code Sign the Executable File

To code sign the executable file, open PowerShell and run the following commands.

cd "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64"

Note: If your system runs a 32-bit OS, drop the (x86) part of the path and change x64 at the end to x86.

.\signtool sign /sha1 <THUMBPRINT> /fd SHA256 /t http://tsa.safecreative.org C:\path\to\your_application.exe

Note: Replace <THUMBPRINT> with the thumbprint value you copied. The /t switch and the timestamp server address are only needed if you want to timestamp the file.

Enter the PIN when prompted, and you are done code signing with the Yubico YubiKey.

Your executable file is now signed and ready to reach end-users.
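Steps 3 and 4 as one script, added here as an example that is not part of the original article: it reads the thumbprint from the certificate store instead of certmgr.msc, signs with signtool, and then verifies the result with Get-AuthenticodeSignature. It assumes signtool lives somewhere under the Windows Kits 10 bin tree (newer SDKs use a versioned subfolder) and that the YubiKey certificate has been propagated to the CurrentUser\My store.

```powershell
# Added example (not from the original article): locate signtool, pick the
# YubiKey-backed code-signing certificate by thumbprint, sign, then verify.
# Assumptions (not from the article): signtool is under the Windows Kits 10 bin
# tree, and the card certificate is visible in Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)] [string] $ExePath,
    [string] $TimestampUrl = 'http://tsa.safecreative.org'
)
$kitsBin  = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
$signtool = Get-ChildItem -Path $kitsBin -Recurse -Filter signtool.exe -ErrorAction Stop |
    Where-Object { $_.FullName -like '*\x64\signtool.exe' } |
    Sort-Object FullName | Select-Object -Last 1
if (-not $signtool) { throw "signtool.exe not found under $kitsBin" }

# -CodeSigningCert keeps only certificates with the Code Signing EKU, which is
# the same list certmgr.msc shows under Personal > Certificates for signing.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) })
if ($certs.Count -ne 1) {
    $certs | Format-Table Subject, Thumbprint, NotAfter
    throw "Expected exactly one valid code-signing certificate, found $($certs.Count)"
}
$thumb = $certs[0].Thumbprint   # this is the value Step 3 has you copy by hand

# Same command as Step 4; signtool prompts for the card PIN when it signs.
& $signtool.FullName sign /sha1 $thumb /fd SHA256 /t $TimestampUrl $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Independent check with the built-in cmdlet: the status must be Valid and the
# signer must be the card-backed certificate chosen above, not some other cert.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $thumb) {
    throw "Verification failed: $($sig.Status) $($sig.StatusMessage)"
}
"Signed $ExePath with $thumb; timestamper: $($sig.TimeStamperCertificate.Subject)"
```

Save it as a .ps1 and run it as `.\sign-with-yubikey.ps1 -ExePath C:\path\to\your_application.exe`; if more than one valid code-signing certificate is in the store, it lists them and stops rather than guessing.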

Troubleshooting Most Common Errors

While signing executable files with a YubiKey, you may run into the following two errors.

1: The system doesn’t prompt for PIN input

The first possible root cause is that the system has cached the PIN. The second is that a private key and its associated certificate are present in certmgr.msc.

To resolve it, open certmgr.msc via Windows + R, find your certificate under Personal > Certificates, right-click it and select Delete from the menu.

Then disconnect and reinsert the YubiKey. From now on, the system will ask for a PIN whenever you use the YubiKey.
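The same fix from PowerShell, as an added example that is not part of the original article: it removes the store copy of the certificate (without touching the key on the card), asks you to reinsert the YubiKey, and waits for the certificate to reappear in the store. It assumes $Thumbprint is the SHA1 thumbprint from Step 3.

```powershell
# Added example (not from the original article): clear the cached store entry
# that lets signing proceed without a PIN prompt, then confirm the YubiKey
# re-propagates its certificate after being reinserted.
# Assumption (not from the article): $Thumbprint is the SHA1 thumbprint from Step 3.
param([Parameter(Mandatory)] [string] $Thumbprint)
$storePath = "Cert:\CurrentUser\My\$Thumbprint"

if (Test-Path $storePath) {
    $cert = Get-Item $storePath
    # HasPrivateKey = True means a key is linked to this store entry, which is
    # the article's second cause for the missing PIN prompt.
    "Removing store copy of '$($cert.Subject)' (private key linked: $($cert.HasPrivateKey))"
    # Deliberately no -DeleteKey: only the store entry goes, the card keeps its key.
    Remove-Item $storePath
} else {
    "No store copy found for $Thumbprint; the PIN cache is the remaining cause"
}

Read-Host 'Unplug and reinsert the YubiKey, then press Enter'
# The Minidriver re-propagates the card certificate shortly after insertion.
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path $storePath) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 2 }
if (Test-Path $storePath) {
    "Certificate is back in the store; the next signtool run will prompt for the PIN"
} else {
    "Certificate not re-propagated within 30 s; check Device Manager > Smart cards for the Minidriver"
}
```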

2: Error 0x8010006A is displayed

To solve the 0x8010006A error, import the Code Signing Certificate to the YubiKey using either of the mechanisms above (with or without the Minidriver).

YubiKey Common FAQs

What does YubiKey Code mean?

Primarily, the YubiKey functions as a second authentication factor for Microsoft, Google, and other online services. The YubiKey code is the AES-encrypted 128-bit password created by concatenating the YubiKey fields.

How can I utilize YubiKey for authentication purposes?

To use the YubiKey for authentication, follow the steps below:

Step 1: Open the Yubico Authenticator app and click Control.

Step 2: Select the Scan option to scan the QR code displayed on the screen.

Also, make a copy of the QR code and store it so it can be used as a backup.

What is the Certificate limit of YubiKey?

The certificate limit of YubiKey depends upon its version.

| YubiKey Version | Total Space Available | Limit With Minimum Cert Size | Limit With Maximum Cert Size |
|---|---|---|---|
| Prior to Version 4.0 | 8100 bytes | 4 certs of 2025 bytes each | 4 certs of 2025 bytes each |
| Version 4.x | 49,800 bytes | 24 certs of 2075 bytes each | 16 certs of 3052 bytes each |
| Version 4.x FIPS | 49,800 bytes | 24 certs of 2075 bytes each | 16 certs of 3052 bytes each |
| Version 5.x | 50,000 bytes | 24 certs of 2084 bytes each | 16 certs of 3052 bytes each |
| Version 5.x FIPS | 49,800 bytes | 24 certs of 2079 bytes each | 16 certs of 3052 bytes each |

Is YubiKey a Private Key associated with Code Signing Certificate?

The YubiKey is not a private key. It’s a FIPS-compliant Hardware Security Module that securely stores private keys and their associated certificates. It lets you either import a private key to it or generate one directly in the YubiKey’s storage.

Is Certificate Configuration possible with YubiKey?

To configure certificates, run the YubiKey Manager tool on your machine. Once it opens, go to Home Page > Applications > PIV.

Then select Certificates > Configure Certificates.

What does YubiKey Key Generation and Attestation refer to?

Every YubiKey ships with a private key and a certificate by default. They let you generate an attestation certificate that proves a private key was generated on the YubiKey.

Recommended: Private Key Generation and CSR Attestation with YubiKey Manager

Does YubiKey comply with FIPS standards?

Yes, YubiKey complies with FIPS standards. However, you must select the correct version before ordering, so always check the list of compliant versions before buying one.

This helps you align with CA/B Forum policies and use the code signing certificate seamlessly.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.