4. Generating Keys and Certificates for the Yubikey
In a PowerShell window, we will first generate a new key in slot 9a and write its public key to public.pem in PEM format. If successful, your Yubikey should start flashing, and you should see "Successfully generated a new private key."
yubico-piv-tool.exe -s 9a -a generate -o public.pem
Create a self-signed certificate for that key. The X.509 certificate's only purpose is to satisfy the PIV/PKCS #11 library, which needs to extract the public key from the smartcard and does so through the X.509 certificate.
yubico-piv-tool.exe -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
You will be prompted to "Enter PIN:". This is the PIN you set using the "Yubikey Manager". If the command is successful, you should see "Successfully generated a new self-signed certificate".
We can now load the certificate.
yubico-piv-tool.exe -a import-certificate -s 9a -i cert.pem
If successful, you should see “Successfully imported a new certificate.”
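To confirm that the certificate now stored in slot 9a carries the key generated in the first step, the following PowerShell check reads the certificate back from the Yubikey and compares it with public.pem. It is an added example, not part of the original guide or of Yubico's tooling; the file name slot-cert.pem and the helper ConvertFrom-Pem are chosen for this example, and it assumes public.pem is still in the current directory.

```powershell
# Added example: verify that the certificate held in slot 9a contains the
# public key that was generated on the Yubikey (public.pem from the first step).
# slot-cert.pem and ConvertFrom-Pem are names chosen for this example.
$ErrorActionPreference = 'Stop'

function ConvertFrom-Pem {
    param([Parameter(Mandatory)][string]$Path)
    # Drop the -----BEGIN/END----- lines and decode the base64 body to DER bytes.
    $body = (Get-Content -LiteralPath $Path | Where-Object { $_ -notmatch '^-----' }) -join ''
    $der = [Convert]::FromBase64String($body)
    return ,$der   # leading comma keeps the byte[] from being unrolled
}

# Read back what is actually stored in the slot, not the local cert.pem.
& yubico-piv-tool.exe -a read-certificate -s 9a -o slot-cert.pem
if ($LASTEXITCODE -ne 0) { throw "read-certificate failed with exit code $LASTEXITCODE" }

$spkiDer = ConvertFrom-Pem -Path 'public.pem'      # SubjectPublicKeyInfo
$certDer = ConvertFrom-Pem -Path 'slot-cert.pem'   # X.509 certificate

# An X.509 certificate embeds the SubjectPublicKeyInfo verbatim, so the DER of
# public.pem must occur inside the certificate DER. BitConverter's "AA-BB-CC"
# form keeps the substring match aligned on byte boundaries.
$spkiHex = [BitConverter]::ToString($spkiDer)
$certHex = [BitConverter]::ToString($certDer)
if (-not $certHex.Contains($spkiHex)) {
    throw 'Certificate in slot 9a does not contain the key from public.pem'
}

# Parse the certificate to show what the PKCS #11 library will be handed.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certDer)
'Slot 9a certificate matches public.pem'
'Subject    : {0}' -f $cert.Subject
'Not after  : {0:u}' -f $cert.NotAfter
'Thumbprint : {0}' -f $cert.Thumbprint
```

A mismatch here means the slot holds a certificate for a different key than the one just generated, and the generate, selfsign-certificate and import-certificate steps should be repeated in order.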