Order EV Code Signing and Document Signing Certificates with SSL Manager and YubiKey

Works with YubiKeyBoth EV code signing and PDF document signing certificates require that your private key be generated and stored on a secure device with two-factor authentication. With the 3.2 update to SSL Manager, SSL.com’s Windows certificate manager, you can generate key pairs directly on a Yubikey FIPS and associate them with SSL.com certificate orders.

Do not follow these instructions if you ordered a certificate and YubiKey from SSL.com and received a YubiKey in the mail, as these YubiKeys are shipped with certificates pre-installed. This how-to is for customers who want to install certificates on a YubiKey FIPS that they already own.
Note that in this how-to, the screenshots show SSL Manager in test mode because we are working the SSL.com sandbox to create test order. To create live orders (and spend real money), You can set SSL Manager to production mode by selecting Settings > SSL Manager API > SSL Manager API – Production in the menu.

Set production mode

Before working with your YubiKey in SSL Manager, you’ll need to install the latest version (currently 3.2). The installer can be downloaded by clicking the button below, and this guide provides complete installation instructions.

SSL Manager is only available for Windows, but Mac and Linux users can also install EV code signing and document signing certificates on their YubiKeys by following these instructions.

Note: When working with your YubiKey and SSL Manager, you may occasionally see a dialog box letting you know the Yubikey is not ready to accept commands. If this happens, simply unplug the YubiKey, plug it back in, close the dialog box, and repeat the preceding step.

Yubikey device not ready to accept commands yet.

Generating a Key Pair and Ordering a Certificate

1. Before you order a certificate to be installed on your YubiKey, you must first generate a key pair. If you’ve used SSL Manager in the past you’ll notice that there’s a new YubiKey drop-down menu in version 3.2.

YubiKey Menu

2. With your YubiKey connected to the computer, select Yubikey > Generate Key Pair from the menu.

Generate Key Pair

3. The Generate Key Pair dialog box will appear. First, select the purpose for the key pair you are generating. Here, we are going to generate a key pair for EV code signing.

Key Pair Purpose

4. Next enter the Management Key for your YubiKey.

Management Key

5. Click the Generate Key Pair button.

Generate Key Pair

6. After a few seconds, a dialog box should appear saying that the key pair has been generated. Click the OK button to dismiss the dialog box.

Key pair generated successfully

7. At this point, you can choose between automatic and manual submission of the YubiKey attestation certificate to SSL.com. Use the clickable tabs below for instructions on each method.

Attestation Flow

Automatic SubmissionManual Submission

8. Begin the automatic submission process by selecting the automatic submission option and clicking the OK button.

Automatic submission

9. A dialog box will appear, listing mandatory fields for document signing and EV code signing certificates. Click the OK button to dismiss the dialog box.

Click OK

10. Enter the Subject Information for the certificate in the form. Make sure to include all mandatory fields for the type of certificate that you plan to order. In this case, since we are ordering an EV certificate, we’re including information about the company but not an individual person.

When ordering EV code signing certificates, do not include the First Name and Last Name fields. Otherwise, you will find that the EV code signing option is disabled when placing your order.

Subject Information

11. Click the Attest button.

Attest

12. If prompted, enter your SSL.com Login and Password, then click the Login button.

Login

13. A dialog box should appear saying that the key pair has successfully been attested. Click the OK button to dismiss the dialog box.

Key pair attested successfully

14. Click the Send to SSL.com button.

Send to SSL.com

15. The Place Order window will open. If you have any appropriate existing orders available, you can choose one by selecting Existing Vouchers and selecting an order. In our case here there are no existing orders so we’ll make a new one in the next step.

Existing vouchers

16. To create a new certificate order, check the New Certificate Order radio button and select the Certificate Type, then choose a Validity Period from the drop-down menu. Here, only EV code signing is available because of the subject information we entered above in step 14.

New Certificate Order

17. Next, enter contact information for the order.

Contact Information

18. Click the Place Order button.

Place Order

19. A dialog box will appear saying that the order has been placed. Click the OK button to close the dialog box.

Order successfully placed

20. Your new order will be shown as pending in the main SSL Manager window.

pending order

21. If you log into your SSL.com account, you will see that the new order is present, with a status of validation required.

Validation Required

22. At this point, you should proceed with the necessary validation steps for the certificate type you ordered. For more information, please see:

23. When the certificate order as been validated and issued, the order status will change to Certificate Issued in the SSL Manager window.

Certificate Issued

24. To install the certificate on your YubiKey, right-click the order and select Install Certificate from the menu.

Install Certificate

25. Enter your YubiKey’s management key and PIN, then click the Import Certificate button.

Import certificate

26. A dialog box will appear when the certificate has been imported. Click the OK button to close the dialog box.

certificate successfully imported

27. SSL Manager will now show the new certificate as installed.

Certificate Installed

8. Begin the manual submission process by selecting the manual submission option and clicking the OK button.

Manual Submission

9. At this point, you can choose to submit your certificate order via SSL Manager or your SSL.com user portal account. To use SSL Manager, simply select YubiKey > Order Certificate from the menu, then switch tabs in this how-to and continue from step 9 in the automated submission method.

Order Certificate

10. If you prefer to place your order in the SSL.com user portal, select YubiKey > Key Pair Attestation from the menu.

Key Pair Attestation

11. Select the purpose for the key pair you generated, then click the Attest button.

Select key pair purpose

12. A new window will appear with your attestation and intermediate certificates. These can be used with certificate orders in the SSL.com user portal to prove that the key pair was generated on your YubiKey. At this point you can either copy and paste the certificates into a text file for later use, or go directly to the next step in your user account portal.

View Attestation Certificates

13. The next step is to associate the attestation and intermediate certificates with a certificate order in your SSL.com user account portal. Create a new order or navigate to an existing one, then click the open link.

open link

14. Click the manage link, under attestation.

manage attestation

15. Copy and paste your attestation certificate and intermediate certificate into the fields provided, then click the Submit button.

paste attestation and intermediate certifcates

16. Upon successful attestation, a green banner will appear at the top of the screen.

successful attestation

17. At this point, if you have not already gone through validation for the order, you should proceed with the necessary validation steps for the certificate type you ordered. For more information, please see:

18. When your certificate order has been validated and issued, click its download link in the portal.

downlaod link

19. Click the download link labeled single bundle and save the file on your computer.

single bundle download link

20. Now you can install the certificate on your YubiKey. Navigate to YubiKey > Import Certificate in the SSL Manager menu.

Import Certificate

21. Select the Certificate Purpose. For this order, it’s EV Code Signing.

Select Certificate Purpose

22. Enter your YubiKey’s Management Key and PIN, then use the Browse button to select the certificate you downloaded in step 19.

Management Key, PIN, and Certificate File

23. Click the Import Certificate button.

Import Certificate

24. A dialog box will appear when the certificate has been imported. Click the OK button to close the dialog box.

certificate successfully imported

25. You will be returned to the SSL Manager window. Note that, unlike with the automated process, manual orders do not appear in the application window. However, the certificate is installed on the YubiKey.

SSL Manager

Subscribe To SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.