This tutorial demonstrates how to install a code signing certificate onto your YubiKey 5 FIPS HSM device. It assumes that you have already generated a Certificate Signing Request (CSR) on the YubiKey 5 FIPS HSM, submitted that CSR to your Certificate Authority (CA), completed the CA's validation procedure, and received the issued code signing certificate.
Importing certificate into the YubiKey
- First, download and install YubiKey Manager from Yubico’s website. Versions for Windows, Linux, and macOS are available on the same page.
- Launch the YubiKey Manager and navigate to the Applications section. From there, select PIV to access the features related to Personal Identity Verification.

- Within the PIV section, locate and select Configure Certificates.

- Choose the Authentication tab that corresponds to the YubiKey slot where you generated the key pair earlier. If you followed our CSR generation guide, this is Slot 9a.

- Press the Import button and navigate to the file containing the code signing certificate provided by the Certificate Authority (CA). Proceed to import the certificate into the YubiKey.
- Upon request, input the Management Key of your YubiKey 5 FIPS device and Select OK to continue with the installation process.

*If you have not changed the management key of your YubiKey yet, check the “Use default” check-box.
- Subsequently, you will be prompted to input the PIN for your YubiKey 5 FIPS device. After entering the PIN, select OK to finalize the installation procedure.
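The same import can be scripted with the ykman command-line tool that ships alongside YubiKey Manager, which is useful when the certificate has to be loaded onto several keys or the step has to be auditable. The following PowerShell snippet is an added example, not part of the original tutorial; it assumes ykman is on PATH, that the CA-issued certificate is saved at the (assumed) path `C:\certs\codesign.cer` in PEM or DER form, and that the key pair lives in slot 9a as in the guide above. ykman prompts for the management key and PIN interactively when they are needed (they can also be supplied with its `-m` and `-P` options, which this example deliberately does not do so that secrets do not end up in shell history).

```powershell
# Added example (not from the original tutorial): import a CA-issued code signing
# certificate into PIV slot 9a with the ykman CLI instead of the YubiKey Manager GUI.
# Assumptions: ykman is on PATH; $CertPath is where you saved the certificate from the CA.
param(
    [string] $CertPath = "C:\certs\codesign.cer",   # assumed location, adjust to yours
    [string] $Slot     = "9a"                        # slot holding the key pair from the CSR guide
)

if (-not (Test-Path $CertPath)) { throw "Certificate file not found: $CertPath" }

# ykman prompts for the management key (default or your own) and the PIN as required.
ykman piv certificates import $Slot $CertPath
if ($LASTEXITCODE -ne 0) { throw "ykman import failed with exit code $LASTEXITCODE" }

# Confirm the slot now reports a certificate before moving on to signing.
ykman piv info
```

After the import, `ykman piv info` should list the certificate subject and expiry under slot 9a; if it does not, the import was rejected (typically a wrong management key or a certificate whose public key does not match the key pair in that slot).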

Signing files with Code Sign Certificate through Yubikey
- The process involves employing the signtool.exe tool for code signing on the Windows platform. This tool is included in the Windows SDK package. Obtain and install the SDK to further proceed with signing process.
- Run File Explorer and browse to the path below:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64
Note: If your Windows installation is 32-bit, remove “(x86)” from the path and change the “x64” at the end to “x86”, like this: C:\Program Files\Windows Kits\10\bin\10.0.22621.0\x86
- The Windows SDK version folder (10.0.22621.0) may have a different version number on your system, so check for the correct path accordingly.
- Once you are in the directory where signtool.exe is available, run Command Prompt (CMD) with administrative privilege and execute the command below:
signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /a "Path_to_the_file_you_wish_to_sign"
Flag /a – Automatically selects the best certificate to sign the file from your Windows Certificate Store/USB Token.
Please note that the timestamp server differs depending on the Certificate Authority (CA). Therefore, the signing command must be adjusted to use the timestamp server of the respective CA.
For Sectigo/Comodo Code Sign: http://timestamp.sectigo.com
For DigiCert Code Sign: http://timestamp.digicert.com
- Your file should now be signed successfully. To verify the signed file, run the command below:
signtool verify /pa "Path to the file you’ve signed"
- If signtool is unable to detect the certificate on the YubiKey token while signing, refer to this article for further troubleshooting.
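The steps above (find the SDK folder for your architecture, sign with a timestamp, verify) can be wrapped in one PowerShell script so that the SDK version number and the x86/x64 choice are discovered instead of typed by hand. This is an added example, not code from the original tutorial or from Yubico/Microsoft; it assumes the Windows SDK is installed under the default Windows Kits location, that the certificate was imported into the YubiKey as described above, and that the YubiKey's minidriver exposes it to the Windows certificate store so that signtool's /a flag can find it. The timestamp URL defaults to Sectigo's and should be switched to your CA's server.

```powershell
# Added example (not from the original tutorial): locate signtool.exe across SDK versions,
# sign a file with the YubiKey-held certificate, then verify the resulting signature.
# Assumptions: default Windows Kits install path; certificate already imported into the YubiKey.
param(
    [Parameter(Mandatory = $true)] [string] $FilePath,          # file to sign
    [string] $TimestampUrl = "http://timestamp.sectigo.com",    # use your CA's timestamp server
    [string] $Arch = $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })
)

function Find-SignTool {
    param([string] $Arch)
    # 64-bit Windows keeps the SDK under "Program Files (x86)", 32-bit Windows under "Program Files".
    $kitsRoot = if ([Environment]::Is64BitOperatingSystem) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $binRoot  = Join-Path $kitsRoot "Windows Kits\10\bin"
    if (-not (Test-Path $binRoot)) { throw "Windows SDK bin directory not found: $binRoot" }

    # Pick the newest versioned SDK folder (e.g. 10.0.22621.0) that actually contains signtool.exe.
    $candidate = Get-ChildItem -Path $binRoot -Directory |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
        Sort-Object { [version] $_.Name } -Descending |
        ForEach-Object { Join-Path $_.FullName "$Arch\signtool.exe" } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $candidate) { throw "signtool.exe not found under $binRoot for $Arch" }
    return $candidate
}

if (-not (Test-Path $FilePath)) { throw "File to sign not found: $FilePath" }
$signtool = Find-SignTool -Arch $Arch
Write-Host "Using $signtool"

# Sign: /a selects a usable code signing certificate (here the YubiKey-backed one) from the store;
# /fd sets the file digest; /tr and /td request an RFC 3161 timestamp so the signature stays
# valid after the certificate itself expires.
& $signtool sign /tr $TimestampUrl /td sha256 /fd sha256 /a $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the default Authenticode policy (/pa); /v prints the chain and timestamp details.
& $signtool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
Write-Host "Signed and verified: $FilePath"
```

Run it from an elevated PowerShell prompt as `.\Sign-WithYubiKey.ps1 -FilePath C:\build\app.exe -TimestampUrl http://timestamp.digicert.com` (script name and file path are placeholders). The script throws on a non-zero exit code at both the sign and verify stages, so a build pipeline calling it fails closed rather than shipping an unsigned or mis-signed binary; the /v output from verify is worth keeping in the build log because it records which certificate and timestamp authority were used.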