Private Key Generation and CSR Attestation with YubiKey Manager

Private Key Generation using YubiKey Manager

Security is a primary concern in the modern digital world. Sensitive data is being transferred online at an increasing rate. Therefore it’s critical to keep it safe from unauthorized access.

This is where YubiKey steps in, adding an additional layer of security by creating and authenticating private keys.

The process of creating a set of public and private keys that may be used for various tasks, including data encryption and signing, is known as private key creation.

Data that has been encrypted with the appropriate public key is decrypted using private keys, which are kept secret. Private keys generated by YubiKey devices may be secured such that they never leave the device, making them impenetrable to hackers.

What is a Yubikey?

YubiKeys

A YubiKey is hardware that offers safe authentication and encryption. In multi-factor authentication (MFA) systems, where a user must supply both something they know (like a password) and something they have (like a YubiKey) to confirm their identity, it is frequently employed as a second factor.

The ability to produce a pair of public and private keys is used for various tasks. This includes data encryption and signing, which is a feature of YubiKey devices. Because the private key never leaves the YubiKey, hackers and other malicious attackers cannot access it.

Additionally, attestation, or the process of confirming the validity and integrity of a device or component, may be carried out using YubiKey devices. Through YubiKey attestation, a third party may confirm that the YubiKey being used for authentication is real and unaltered.

A utility for managing YubiKey devices is called YubiKey Manager. It may produce Certificate Signing Requests (CSRs) that act as requests to a certificate authority for a certificate.

In order to confirm that a CSR was produced by a legitimate YubiKey device, CSR attestation may also be done using YubiKey Manager. By doing this, it is made sure that the certificate being given is legitimate and has not been hacked.

Recommended: What is a YubiKey? How Does it Work? [Detailed Guide]

About Yubikey Key Generation

Creating YubiKey keys is a straightforward operation that the users can accomplish with the YubiKey Manager program. With the touch of a button, users may produce a pair of keys.

Once produced, the keys may be used for a number of reasons, including safeguarding email communication and verifying user identities.

Recommended: What is Key Attestation for Code Signing Certificates?

What is Yubikey’s Attestation?

YubiKey devices offer attestation services in addition to private key creation. The process of certifying the integrity and validity of a device or component is known as attestation. YubiKey attestation guarantees that the authentication device is legitimate and has not been tampered with.

YubiKey Attestation

YubiKey attestation may be conducted by confirming the device’s cryptographic signatures. These signatures are created with a private key saved on the device and accessible only through a secure boot procedure. This prevents the signatures from being falsified or tampered with.

CSR Attestation with Yubikey Manager

Another method for using YubiKey devices to assure security is CSR attestation with YubiKey Manager. Requests for a certificate from a certificate authority are known as Certificate Signing Requests (CSRs).

To create CSRs and confirm that they were produced by a legitimate YubiKey device, use YubiKey Manager. By doing this, it is made sure that the certificate being given is legitimate and has not been hacked.

Video Guide to Generate CSR and Key Attestation using YubiKey Manager

Steps to Get Started with Private Key Generation

We will send you the key after verification and the order placement. Then you can authenticate your private key in this manner after the order is placed and verification is complete.

We have divided this entire process into THREE easy methods for a simpler understanding. Let us now begin!

Creating a Key Pair and an Attestation Certificate on your Yubikey

First, let’s look at how to generate a key pair and attestation certificate on your YubiKey. This can be done using the YubiKey Manager tool.

Step 1: To begin, you must Download and install YubiKey Manager from Yubico’s website if you still haven’t.

There are available versions for Windows, macOS, or Linux.

YubiKey Manager

Step 2: Insert your YubiKey, then run YubiKey Manager. In the YubiKey Manager window, you can view your YubiKey.

YubiKey 5 FIPS

Step 3: Go to Applications and click PIV.

YubiKey Application PIV

Step 4: Select the Certificates tab and then click the Configure Certificates button.

YubiKey Configure Certificates

Step 5: Choose the YubiKey slot in which you want to go the key pair generation. Choose Authentication (slot 9a) when purchasing an token based OV and EV code signing certificate and Click on Generate.

YubiKey Authentication Slot 9a

Step 6: Click the Next button after selecting Certificate Signing Request (CSR).

Generate CSR using YubiKey Manager

Step 7: To continue, choose an algorithm from the dropdown menu. For OV or EV Code Signing Certificate, choose either ECCP256 or ECCP384.

YubiKey Algorithm Choose

Step 8: After making your selection, enter a Subject Name for the certificate, and click the Next button. Keep in mind that we won’t be using this CSR for any actual purpose, it’s simply created as a byproduct of generating a new key pair.

Therefore, it’s not critical what you enter for the Subject Name.

Subject Name YubiKey

Step 9: Once this is done, click the Generate button.

Generate CSR 2048 Yubikey

Step 10: You’ll then be prompted to choose a location to save the CSR file, create a filename, and click the Save button.

Save CSR

Step 11: Afterward, you must enter your YubiKey’s management key and click OK.

Enter YubiKey Management Key

Your YubiKey’s Default management key is 010203040506070801020304050607080102030405060708

Step 12: Lastly, enter your YubiKey PIN and click OK. In case you require assistance finding your PIN, we are here to help.

Yubikey Management Key Pin

Your YubiKey’s Default PIN is 123456

Step 13: The CSR file will be saved in the location specified in step 10 of this guide.

Yubico provides a private key and a certificate preinstalled in every YubiKey, which enables the user to create an attestation certificate which will aid in verifying whether the private key is being generated on a YubiKey.

Generate Attestation Certificate

For this process, follow the below given command line.

Step 1: To generate an attestation certificate, Windows users should open PowerShell as an administrator. While macOS and Linux users must try opening a terminal window on their devices.

Windows PowerShell Run as Administrator

Step 2: To access the YubiKey Manager files, use the following command:

Windows:

cd "C:\Program Files\Yubico\YubiKey Manager"

macOS:

cd /Applications/YubiKey\ Manager.app/Contents/MacOS

If you are using Linux (Ubuntu), you don’t need to install the ykman command because it is already installed in your PATH.

Step 3: The following command should be used to generate the certificate (replace ATTESTATION-FILENAME.crt with the desired path and filename; if you used slot 9c, replace 9a with 9c).

macOS:

./ykman piv keys attest 9a ATTESTATION-FILENAME.crt

Windows:

.\ykman.exe piv keys attest 9a ATTESTATION-FILENAME.crt

Linux (Ubuntu):

ykman piv keys attest 9a ATTESTATION-FILENAME.crt

Step 4: After that, access the slot f9 of the YubiKey for exporting the intermediate certificate using the ykman command (replace INTERMEDIATE-FILENAME.crt with the desired path and filename).

Linux (Ubuntu):

ykman piv certificates export f9 INTERMEDIATE-FILENAME.crt

Windows:

.\ykman.exe piv certificates export f9 INTERMEDIATE-FILENAME.crt

macOS:

./ykman piv certificates export f9 INTERMEDIATE-FILENAME.crt

Now that you have a verified attestation certificate, you can associate it with your EV or OV code signing order.

Wrapping up

In conclusion, safe, private key generation and attestation services are offered by YubiKey devices, which may be utilized to improve security in a range of applications.

YubiKey is a useful tool in the battle against cybercrime since it can produce private keys that cannot be compromised and confirm the validity of devices and certificates.

Best Code Signing Certificates
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.