EV Code Signing Certificate: Request a Certificate
Generate Key Pair on YubiKey
- if you have not done so already, download and install YubiKey Manager
- plug in your YubiKey, then launch YubiKey Manager
- navigate to "Applications" > "PIV"
- click the "Configure Certificates" button
- select the tab for the YubiKey slot where you would like to generate the key pair. If you are buying an EV code signing certificate, choose Authentication (slot 9a)
- click the "Generate" button
- select "Certificate Signing Request (CSR)", then click the "Next" button
- select an Algorithm from the drop-down menu. For code signing, choose "ECCP256" or "ECCP384"
- enter a Subject Name for the certificate e.g. TicketSource, then click the "Next" button
- click the "Generate" button
- select a location to save the CSR file, create a filename e.g. c:\temp\ticketsource.csr, then click the "Save" button
- enter your YubiKey's management key, then click OK. If you need your management key, the default is:
  010203040506070801020304050607080102030405060708
- enter your YubiKey PIN, then click OK (default: 123456)
Generate Attestation Certificate
Each YubiKey comes pre-loaded with a private key and certificate from Yubico that allows you to generate an attestation certificate to verify that a private key has been generated on a YubiKey. This operation will require you to use the command line.
- open a Terminal window (Run as administrator)
- run the command line:
  cd "C:\Program Files\Yubico\YubiKey Manager"
- generate an attestation certificate for the key with the command:
  ykman.exe piv keys attest 9a c:\temp\attestation.crt
- next, use the ykman command to export the intermediate certificate from slot f9 of the YubiKey:
  ykman.exe piv certificates export f9 c:\temp\intermediateCA.crt
Submit the request
- submit the ticketsource.csr, attestation.crt and intermediateCA.crt files to verify the device's authenticity for issuing code signing certificates
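
Before submitting, it is worth confirming that the CSR and the attestation certificate describe the same slot 9a key, since the attestation only vouches for the key it was generated for. The following is an added example, not part of the original page or of Yubico's tooling: it uses only the Python standard library, its function names are hypothetical, and it compares the public key in the two files without verifying the attestation signature against intermediateCA.crt.

```python
import base64
import re
import sys

def load_der(data: bytes) -> bytes:
    """Accept PEM (ykman's default output) or raw DER and return DER bytes."""
    if data.lstrip().startswith(b"-----"):
        return base64.b64decode(re.sub(rb"-----[A-Z ]+-----|\s", b"", data))
    return data

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes):
    """Split SEQUENCE content into (tag, whole element including header) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def spki(der: bytes, is_csr: bool) -> bytes:
    """Return the SubjectPublicKeyInfo element of a PKCS#10 CSR or X.509 certificate."""
    _, outer, _ = read_tlv(der, 0)          # CertificationRequest / Certificate
    _, info, _ = read_tlv(outer, 0)         # CertificationRequestInfo / TBSCertificate
    fields = children(info)
    # CSR: version, subject, SPKI. Certificate: optional [0] version, serial,
    # sigAlg, issuer, validity, subject, SPKI.
    index = 2 if is_csr else (6 if fields[0][0] == 0xA0 else 5)
    tag, element = fields[index]
    if tag != 0x30:
        raise ValueError("unexpected structure: SubjectPublicKeyInfo not found")
    return element

def same_key(csr: bytes, attestation: bytes) -> bool:
    """True when the CSR requests a certificate for exactly the attested key."""
    return spki(load_der(csr), True) == spki(load_der(attestation), False)

if __name__ == "__main__":                  # args: <csr file> <attestation file>; exit 0 on match
    with open(sys.argv[1], "rb") as c, open(sys.argv[2], "rb") as a:
        sys.exit(0 if same_key(c.read(), a.read()) else "MISMATCH: CSR key is not the attested key")
```

Run it with the two files saved above, for example c:\temp\ticketsource.csr and c:\temp\attestation.crt; a non-zero exit status means the CSR was generated from a different key than the one attested.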