Install SSL.com Root and Intermediate Certificates on YubiKey

This how-to will show you how to use Yubico’s ykman command-line utility to install SSL.com intermediate and root certificates on a YubiKey with an SSL.com EV Code Signing or Business Identity certificate. This procedure may be necessary to avoid trust errors with signed documents and code on some computers.

SSL.com also recommends that you install these certificates in your signing computer’s certificate store.
  1. Download and install YubiKey Manager from Yubico’s website. Versions for Windows, Linux, and macOS are available. In this how-to, we won’t be using the YubiKey Manager itself, but rather the ykman utility that will be installed with it.
  2. Download the appropriate SSL.com root and intermediate certificates for your document signing or EV code signing certificate. If your certificate was shipped on a FIPS 140-2 validated security key USB token from SSL.com, it will have an ECDSA key. For a certificate that has been enrolled in SSL.com’s eSigner cloud code signing service, it will have an RSA key. Check out our dedicated page for eSigner to learn more.
  3. Use the following command to navigate to the YubiKey Manager files:
    • Windows:
      $ cd "C:\Program Files\Yubico\YubiKey Manager"
    • macOS:
      $ cd "/Applications/YubiKey Manager.app/Contents/MacOS"
    • On Linux (Ubuntu), the ykman command will already be installed in your PATH, so you can skip this step.
  4. Use these commands to install the root and intermediate certificates you downloaded in step 2 in slots 82 and 83 on your YubiKey. Replace the values in ALL-CAPS with the paths to the certificates you downloaded and your YubiKey’s management key. You may omit the -m option if your YubiKey has the default management key. (If you need to install more certificates than the root and intermediate, you may use any YubiKey slot from 82 through 95.)
    • Windows:
      $ ykman piv import-certificate 82 "PATH\TO\ROOT\CERTIFICATE.pem" -m MANAGEMENT-KEY
      $ ykman piv import-certificate 83 "PATH\TO\INTERMEDIATE\CERTIFICATE.pem" -m MANAGEMENT-KEY
    • macOS:
      $ ./ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem -m MANAGEMENT-KEY
      $ ./ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem -m MANAGEMENT-KEY
    • Linux (Ubuntu):
      $ ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem -m MANAGEMENT-KEY
      $ ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem -m MANAGEMENT-KEY
      
  5. ykman will not produce any output to let you know when the certificate was installed, but you can confirm the installation with ykman piv export-certificate. For example, the following command will print the certificate in slot 82 to the standard output:
    • Windows:
      ykman piv export-certificate 82 -
    • macOS:
      ./ykman piv export-certificate 82 -
    • Linux (Ubuntu):
      ykman piv export-certificate 82 -
  6. After installing these certificates on your YubiKey, your code and/or documents will be signed with a complete chain of trust, so you will not experience trust issues on computers that are missing the intermediate in their trust stores. Note that you may need to disconnect the YubiKey from your computer and reconnect it for the changes to take effect when signing.
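
Step 5 only prints the slot contents. The script below is an added example, not SSL.com's or Yubico's code, that compares what a slot holds against the downloaded file by SHA-256 fingerprint. Its function names are made up for this example, and it assumes a POSIX shell with awk, `base64 -d`, and `sha256sum` or `shasum`.

```sh
#!/bin/sh
# Added example (not from SSL.com or Yubico): check that a YubiKey slot holds
# exactly the certificate file you downloaded, by comparing SHA-256 fingerprints.

# sha256_hex: hash stdin, print hex digest (sha256sum on Linux, shasum on macOS).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
    cut -d' ' -f1
}

# pem_fingerprint FILE: SHA-256 over the DER bytes of the first certificate in FILE.
# Tolerates CRLF line endings, text before the BEGIN line and further certificates.
# Assumption: "base64 -d" decodes, as in GNU coreutils and current macOS.
pem_fingerprint() {
  _b64=$(awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
    /-----END CERTIFICATE-----/   { if (inside) exit }
    inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
  ' "$1")
  [ -n "$_b64" ] || { echo "no certificate found in $1" >&2; return 1; }
  printf '%s' "$_b64" | base64 -d | sha256_hex
}

# same_cert A B: exit 0 only if both PEM files encode the same certificate.
same_cert() {
  _fa=$(pem_fingerprint "$1") || return 2
  _fb=$(pem_fingerprint "$2") || return 2
  [ "$_fa" = "$_fb" ]
}

# verify_slot SLOT FILE: export SLOT with the command from step 5 and compare it
# with FILE. Assumes ykman is callable as "ykman" (see step 3 for its location).
verify_slot() {
  _tmp=$(mktemp) || return 2
  if ykman piv export-certificate "$1" - > "$_tmp" && same_cert "$_tmp" "$2"; then
    echo "slot $1: matches $2"; _rc=0
  else
    echo "slot $1: does NOT match $2" >&2; _rc=1
  fi
  rm -f "$_tmp"
  return "$_rc"
}

# Usage (placeholder paths, as in step 4):
#   verify_slot 82 /PATH/TO/ROOT/CERTIFICATE.pem
#   verify_slot 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem
```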
