Web Analytics

Install SSL.com Root and Intermediate Certificates on YubiKey

This how-to will show you how to use Yubico’s ykman command-line utility to install SSL.com intermediate and root certificates on a YubiKey with an SSL.com EV Code Signing or Business Identity certificate. This procedure may be necessary to avoid trust errors with signed documents and code on some computers.

SSL.com also recommends that you install these certificates in your signing computer’s certificate store.
  1. Download and install YubiKey Manager from Yubico’s website. Versions for Windows, Linux, and macOS are available. In this how-to, we won’t be using the YubiKey Manager itself, but rather the ykman utility that will be installed with it.
    YubiKey Manager Download
  2. Download the appropriate SSL.com root and intermediate certificates for your document signing or EV code signing certificate. If your certificate was shipped on a FIPS 140-2 validated security key USB token from SSL.com, it will have an RSA key. You will only have an ECDSA key if you specified it when ordering and installing the certificate yourself.
  3. Use the following command to navigate to the YubiKey Manager files:
    • Windows:
      $ cd "C:\Program Files\Yubico\YubiKey Manager"
    • macOS:
      $ cd /Applications/YubiKey Manager.app/Contents/MacOS
    • On Linux (Ubuntu), the ykman command will already be installed in your PATH, so you can skip this step.
  4. Use these commands to install the root and intermediate certificates you downloaded in step 2 on slots 82 and 83 on your YubiKey. Replace the values in ALL-CAPS with the paths to the certificates you downloaded and your YubiKey’s management key. You may omit the -m option if your YubiKey has the default management key. (If you need to install more than root or intermediate, you may use any YubiKey slot from 82 through 95.)
    • Windows:
      $ ykman piv import-certificate 82 "PATH\TO\ROOT\CERTIFICATE.pem" -m MANAGEMENT-KEY
      $ ykman piv import-certificate 83 "PATH\TO\INTERMEDIATE\CERTIFICATE.pem -m MANAGEMENT-KEY
    • macOS:
      $ ./ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem -m MANAGEMENT-KEY
      $ ./ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem -m MANAGEMENT-KEY
    • Linux (Ubuntu):
      $ ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem -m MANAGEMENT-KEY
      $ ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem -m MANAGEMENT-KEY
      
  5. ykman will not produce any output to let you know when the certificate was installed, but you can confirm the installation with ykman export-certificate. For example, the following command will print the certificate in slot 82 to the standard output:
    • Windows:
      ykman piv export-certificate 82 -
    •  macOS:
      ./ykman piv export-certificate 82 -
    • Linux (Ubuntu):
      ykman piv export-certificate 82 -
  6. After installing these certificates on your YubiKey, your code and/or documents will be signed with a complete chain of trust, so you will not experience trust issues on computers that are missing the intermediate in their trust stores. Note that you may need to disconnect the YubiKey from your computer and reconnect it for the changes to take effect when signing.

Subscribe To SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com and stay informed of the latest changes about digital identity and encryption that can impact and enhance your life.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.