Now that you’ve received a new YubiKey FIPS token with your Business Identity email, client authentication, and document signing certificate in the mail, you may be wondering just what to do next. This FAQ answers common questions you may have about how to get started with your new certificate and USB token.
Creating trusted digital signatures in Adobe PDF and Microsoft Office documents is simple with your Business Identity certificate! You simply plug the YubiKey into your computer’s USB port, follow the application’s steps for digitally signing a document, and enter your YubiKey’s PIN.
For complete instructions, please refer to these SSL.com how-tos:
• Sign a PDF in Adobe Acrobat Reader
• Digitally Signing Microsoft Office 365 Documents
Note: macOS users will need to take some extra configuration steps before signing PDFs in Acrobat – please read this how-to.
For application-specific instructions on using your Business Identity certificate to sign and encrypt email messages, please refer to these SSL.com how-tos:
• Using Your YubiKey with Outlook on Windows
• Use Your YubiKey for S/MIME Email in Thunderbird
Note that you can start digitally signing email with your Business Identity certificate right away, but encrypting and decrypting email requires the separate installation of a second S/MIME certificate. This extra step is necessary for the protection of your personal data. The private signing key shipped on your YubiKey is not exportable from the device. Without a backup of your private encryption key outside of your YubiKey, accidental loss of the YubiKey would mean that you would never be able to read mail encrypted with that key again! Therefore, each Business Identity certificate order also includes a credit for a separate Personal Pro certificate.
For instructions on installing this additional S/MIME certificate on your YubiKey for encryption, please refer to our how-to, Install an S/MIME Certificate on your YubiKey.
For most popular Windows and macOS web browsers, you can simply insert your YubiKey into a USB port on your computer, and the OS will give your browser access to the certificate and private key. Mozilla Firefox requires an additional configuration step before the browser can access the certificate and private key. (Note that versions of Firefox prior to 75 cannot access certificates and keys on smart cards via the OS.)
For more details, please see our how-to, Configuring Client Authentication Certificates in Web Browsers.
If you’d like to generate key pairs and manage certificates on your YubiKey with Windows, macOS, and Linux computers, you can use Yubico’s YubiKey Manager application. The upcoming 3.0 release of SSL.com’s SSL Manager will give Windows users the ability to securely generate key pairs, order EV Code Signing and Business Identity certificates, and install certificates directly on their YubiKey from the application.
Currently, all users wishing to install EV Code Signing and Business Identity certificates on their YubiKey should follow the instructions in the SSL.com how-to, Key Generation and Attestation with YubiKey.
Please read our blog post, Business Identity Certificate with YubiKey, for more details concerning your YubiKey’s capabilities and security features, including client authentication and single sign-on.