SSL.com

Install an S/MIME Certificate on your YubiKey

These instructions are for users of SSL.com’s document signing and client authentication certificates installed on YubiKey FIPS USB hardware tokens. To protect our customers’ information against the possible loss of their YubiKey, these certificates offer email signing but cannot be used for encryption or decryption. However, your certificate bundle includes a credit for a decryption-enabled S/MIME certificate that may be installed in your YubiKey for convenience.

Why do I need to install another certificate? A private key cannot be exported from a FIPS YubiKey, and that key is required for S/MIME decryption, so the S/MIME certificate is delivered separately to let users back up their private key. Otherwise, they are at risk of losing access to their encrypted data if a YubiKey is lost.

These instructions show how to generate a PFX file containing an encryption-enabled S/MIME certificate and private key and import it into the Key Management slot (9d) of your YubiKey with the YubiKey Manager application. These procedures were documented on macOS Mojave but are also applicable to the Windows and Linux versions of YubiKey Manager.

To install keys and certificates on your YubiKey, you will need the device’s management key, which is separate and different from your PIN. Please contact Support@SSL.com if you need your YubiKey’s management key.

Step 1: Generate and Download S/MIME Certificate and Private Key

  1. Your certificate bundle includes an additional credit for an SSL.com S/MIME certificate. After ordering and validation, you will receive an email message with an activation link. Click the link.
  2. Click the Generate Certificate button to generate a new certificate signing request (CSR), certificate, and private key.
    Note: You can choose between RSA and ECDSA with the Algorithm drop-down menu, but ECDSA cannot be used as an email encryption key, so it’s best to leave this set to RSA. You can also click the Show Advanced Options button, which will reveal a drop-down menu for choosing the key size. Finally, checking the I have my own CSR box will let you use your own certificate signing request and private key rather than generating a new CSR and key.
  3. Text fields containing the new CSR, certificate, and private key will appear.
  4. Create a password of 6 characters or more, then click the Download button.
    Remember this password. You will need it when you install the certificate and key on your YubiKey. Also, it is very important that you keep the PFX file with your private key secure and do not lose it. SSL.com does not ever see or handle your private keys and cannot help you recover a lost key (it will be generated in your browser, on your own computer). Without your private key you will not be able to digitally sign email or read email that has been encrypted with your public key. Even worse, anyone with your private key will be able to assume your identity for signing email messages and client authentication.
  5. Your new certificate and private key are now ready for installation on your YubiKey.
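Before moving on to Step 2, it is worth confirming what the downloaded PFX actually contains: an RSA private key (the page notes that ECDSA cannot serve as an email encryption key), a certificate whose public key belongs to that private key, a Key Usage of keyEncipherment (what makes the certificate decryption-capable, unlike the one already on the YubiKey) and the emailProtection extended key usage. The following is an added example, not SSL.com or Yubico code; it relies on the third-party `cryptography` package, and because the real .p12 is personal to each order it constructs a self-signed stand-in bundle so the check runs offline. The `ready_for_9d` name and the pass/fail criteria are this example's own, not a rule stated by SSL.com.

```python
"""Sanity-check an S/MIME PKCS#12 (PFX) bundle before importing it into PIV slot 9d.

Added example, not SSL.com or Yubico code. Needs the third-party `cryptography`
package. A self-signed stand-in bundle is constructed below so the check runs
offline; in practice, pass the bytes of the .p12 downloaded in Step 1.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def inspect_pfx(pfx_bytes: bytes, password: bytes) -> dict:
    """Open the PFX with its password and report the properties that matter for slot 9d."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if key is None or cert is None:
        raise ValueError("PFX must carry both a private key and a certificate")

    def spki(public_key) -> bytes:
        # DER SubjectPublicKeyInfo: comparing these proves key and cert belong together.
        return public_key.public_bytes(serialization.Encoding.DER,
                                       serialization.PublicFormat.SubjectPublicKeyInfo)

    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        email_protection = ExtendedKeyUsageOID.EMAIL_PROTECTION in eku
    except x509.ExtensionNotFound:
        email_protection = False

    return {
        "rsa": isinstance(key, rsa.RSAPrivateKey),
        "key_bits": key.key_size,
        "key_matches_cert": spki(key.public_key()) == spki(cert.public_key()),
        "digital_signature": ku.digital_signature,
        "key_encipherment": ku.key_encipherment,   # required to receive encrypted mail
        "email_protection": email_protection,      # S/MIME extended key usage
        "subject": cert.subject.rfc4514_string(),
        # Record this so it can be compared with what YubiKey Manager shows after import.
        "sha256_fingerprint": cert.fingerprint(hashes.SHA256()).hex(),
    }


def ready_for_9d(report: dict) -> bool:
    """True when the bundle is an RSA key with an encryption-capable S/MIME certificate."""
    return all(report[k] for k in ("rsa", "key_matches_cert",
                                   "key_encipherment", "email_protection"))


def build_test_pfx(password: bytes, use_ec: bool = False) -> bytes:
    """Constructed self-signed stand-in for the SSL.com bundle (test data only).

    With use_ec=True it mimics an ECDSA certificate, which carries no keyEncipherment
    usage, so the check is expected to reject it.
    """
    if use_ec:
        key = ec.generate_private_key(ec.SECP256R1())
    else:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice@example.com")])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False,
            key_encipherment=not use_ec, data_encipherment=False,
            key_agreement=False, key_cert_sign=False, crl_sign=False,
            encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]),
                       critical=False)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name("alice@example.com")]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"smime", key, cert, None, serialization.BestAvailableEncryption(password))


if __name__ == "__main__":
    pw = b"s3cret-pfx"   # constructed; the real one is the password chosen in Step 1
    for label, pfx in (("rsa", build_test_pfx(pw)), ("ecdsa", build_test_pfx(pw, use_ec=True))):
        report = inspect_pfx(pfx, pw)
        print(label, "ready for 9d:", ready_for_9d(report), report)
```

To check a real download, replace the constructed bundle with `open("yourfile.p12", "rb").read()` and the password you chose in Step 1; a wrong password makes `load_key_and_certificates` raise `ValueError`, which is a cheap way to confirm you remembered it before the YubiKey Manager prompt in Step 2.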

Step 2: Import Certificate and Private Key into YubiKey

  1. Download and install the correct version of YubiKey Manager for your OS (Windows, macOS, or Linux).
    Note: YubiKey Manager can also be used to reset the PIN for your YubiKey and configure its OTP features. Please consult Yubico’s documentation for more information.
  2. Launch YubiKey Manager and insert your YubiKey into a USB port on your computer. YubiKey Manager will display information about your YubiKey.
  3. Navigate to Applications > PIV in YubiKey Manager.
  4. Click the Configure Certificates button.
  5. Select the Key Management tab.
  6. Click the Import button.
  7. Navigate to the location of your PFX file and click the Import button. The filename will end in .p12.
  8. Enter the password you created for the PFX file and click OK.
  9. Enter the YubiKey management key and click OK. (Contact Support@SSL.com for your management key.)
  10. You’re all done! YubiKey Manager should now show that the certificate and key are installed on the device.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledge base.