en English
X

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

en English
X

Select Language

Powered by Google TranslateTranslate

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

Install SSL.com Root and Intermediate Certificates on YubiKey

This how-to will show you how to use Yubico’s ykman command-line utility to install SSL.com intermediate and root certificates on a YubiKey with an SSL.com EV Code Signing or Business Identity certificate. This procedure may be necessary to avoid trust errors with signed documents and code on some computers.

SSL.com also recommends that you install these certificates in your signing computer’s certificate store.
  1. Download and install YubiKey Manager from Yubico’s website. Versions for Windows, Linux, and macOS are available. In this how-to, we won’t be using the YubiKey Manager itself, but rather the ykman utility that will be installed with it.
    YubiKey Manager Download
  2. Download the appropriate SSL.com root and intermediate certificates for your document signing or EV code signing certificate. If your certificate was shipped on a YubiKey FIPS from SSL.com, it will have an RSA key. You will only have an ECDSA key if you specified it when ordering and installing the certificate yourself.
  3. Use the following command to navigate to the YubiKey Manager files:
    • Windows:
      $ cd "C:Program FilesYubicoYubiKey Manager"
    • macOS:
      $ cd /Applications/YubiKey Manager.app/Contents/MacOS
    • On Linux (Ubuntu), the ykman command will already be installed in your PATH, so you can skip this step.
  4. Use these commands to install the root and intermediate certificates you downloaded in step 2 on slots 82 and 83 on your 9YubiKey. (If you need to install more than root or intermediate, you may use any YubiKey slot from 82 through 95.) Note that after each command you will be prompted for your YubiKey’s management key:
    • Windows:
      $ .ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem 
      Enter a management key [blank to use default key]: 
      $ .ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem 
      Enter a management key [blank to use default key]: 
    • macOS:
      $ ./ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem 
      Enter a management key [blank to use default key]: 
      $ ./ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem 
      Enter a management key [blank to use default key]: 
    • Linux (Ubuntu):
      $ ykman piv import-certificate 82 /PATH/TO/ROOT/CERTIFICATE.pem 
      Enter a management key [blank to use default key]: 
      $ ykman piv import-certificate 83 /PATH/TO/INTERMEDIATE/CERTIFICATE.pem 
      Enter a management key [blank to use default key]: 
  5. ykman will not produce any output to let you know when the certificate was installed, but you can confirm the installation with ykman export-certificate. For example, the following command will print the certificate in slot 82 to the standard output:
    • Windows:
      .ykman piv export-certificate 82 -
    •  macOS:
      ./ykman piv export-certificate 82 -
    • Linux (Ubuntu):
      ykman piv export-certificate 82 -
  6. After installing these certificates on your YubiKey, your code and/or documents will be signed with a complete chain of trust, so you will not experience trust issues on computers that are missing the intermediate in their trust stores. Note that you may need to disconnect the YubiKey from your computer and reconnect it for the changes to take effect when signing.

SSL.com’s EV Code Signing certificates offer Windows 10 kernel-mode code signing and an instant SmartScreen reputation boost, all for as low as $240.00 per year. They are delivered on secure YubiKey FIPS USB tokens with two-factor authentication.

ORDER NOW

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com