4. Generating Keys and Certificates for the Yubikey

In a PowerShell window, first generate a new key pair in PIV slot 9a. The private key is created on the YubiKey and never leaves it; only the public key is written out, in PEM format. If successful, your YubiKey should start flashing, and you should see "Successfully generated a new private key."

yubico-piv-tool.exe -s 9a -a generate -o public.pem

Create a self-signed certificate for that key. The only purpose of the X.509 certificate is to satisfy the PIV/PKCS #11 library: it needs to extract the public key from the smartcard, and it does that by reading the X.509 certificate stored in the slot.

yubico-piv-tool.exe -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem

When you run this command, you will be prompted with "Enter PIN:". This is the PIN you set using the "YubiKey Manager". If the command is successful, you should see "Successfully generated a new self-signed certificate".

We can now load the certificate into the same slot.

yubico-piv-tool.exe -a import-certificate -s 9a -i cert.pem

If successful, you should see "Successfully imported a new certificate."
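The three steps above, as an added PowerShell script that is not part of the original tutorial: it runs each command in order, stops at the first failure, then reads the certificate back from the slot and compares its thumbprint with the local cert.pem to confirm the import. It assumes yubico-piv-tool.exe is on PATH and the YubiKey is plugged in; the PIN is still entered at the tool's prompt rather than passed on the command line.

```powershell
# Added example (not from the original tutorial).
# Assumes yubico-piv-tool.exe is on PATH and a single YubiKey is connected.
$ErrorActionPreference = 'Stop'
$Slot = '9a'

function Invoke-PivStep {
    param([string]$Description, [string[]]$Arguments)
    Write-Host "==> $Description"
    & yubico-piv-tool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "yubico-piv-tool failed during '$Description' (exit code $LASTEXITCODE)"
    }
}

# Step 1: generate the key pair on the device; only the public half is written to disk.
Invoke-PivStep 'Generate key in slot 9a' @('-s', $Slot, '-a', 'generate', '-o', 'public.pem')

# Step 2: self-sign a certificate for that key (the tool prompts for the PIN).
Invoke-PivStep 'Self-sign certificate' @(
    '-a', 'verify-pin', '-a', 'selfsign-certificate', '-s', $Slot,
    '-S', '/CN=SSH key/', '-i', 'public.pem', '-o', 'cert.pem')

# Step 3: load the certificate into the slot so the PKCS #11 library can find the public key.
Invoke-PivStep 'Import certificate' @('-a', 'import-certificate', '-s', $Slot, '-i', 'cert.pem')

# Check: read the certificate back from the YubiKey and compare thumbprints with cert.pem.
Invoke-PivStep 'Read certificate back' @('-a', 'read-certificate', '-s', $Slot, '-o', 'cert-readback.pem')
$localCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path 'cert.pem')
$onCardCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path 'cert-readback.pem')
if ($localCert.Thumbprint -ne $onCardCert.Thumbprint) {
    throw "Certificate in slot $Slot does not match cert.pem"
}
Write-Host "Slot $Slot holds the expected certificate (thumbprint $($onCardCert.Thumbprint))"

# Optional: show the slot summary the tool reports for the device.
Invoke-PivStep 'Show device status' @('-a', 'status')
```

If the thumbprint check fails, the slot most likely still holds an older certificate, and the SSH client's PKCS #11 library will present a public key that does not belong to the key you just generated.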
