Import Smart Card Certificates onto your YubiKey — Yubico Authenticator User Guide documentation (2024)


Before your smart card certificates can be provisioned to your iOS Keychain with Yubico Authenticator, you must first import those certificates onto a YubiKey from your host computer. This can be done through either of the following tools:

  • YubiKey Manager GUI
  • YubiKey Manager CLI

The GUI (graphical user interface) tool allows you to configure PIV functionality by clicking through a series of screens, whereas the CLI (command line interface) tool allows you to configure the same functionality through commands in a terminal. Both versions of the tool are supported for Windows, Linux, and macOS.

Follow the steps detailed below to import your smart card certificates onto your YubiKey using your preferred version of YubiKey Manager.

If you already have your smart card certificate stored on your YubiKey, skip to the next section: Smart Card Certificate Provisioning.

YubiKey Manager GUI

To use the GUI version of YubiKey Manager to import your certificate, follow the steps below:

  1. If you haven’t already, download the appropriate version of the YubiKey Manager GUI tool onto your host computer. Click on the downloaded file and follow the prompts to complete the installation.

  2. Open the YubiKey Manager GUI tool and plug your YubiKey into your computer.

  3. On the homepage of the YubiKey Manager, click on the Applications drop-down menu and select PIV.

  4. Select Configure Certificates under the Certificates section.

  5. The YubiKey has 24 total PIV slots, four of which are accessible via the YubiKey Manager tool (9a, 9c, 9d, and 9e). Technically, all of these accessible slots can be used to hold an X.509 certificate for authentication, but slot 9a is intended to be used for this purpose. For more information on PIV application slots, check out the slot documentation.

    Select an empty slot and click Import.

  6. Navigate to the certificate file on your computer and select it to begin the import process.

    Remember, the public certificate AND its private key must be imported onto your YubiKey. While the YubiKey can store X.509 certificates in the PEM, DER, and PKCS12 formats, we recommend using the PKCS12 file type (files with a .pfx or .p12 extension) because the public certificate and private key are stored in a single file.

  7. When prompted, enter the certificate’s password and click OK.

    Note

    If you do not know your certificate’s password, check with your admin (if applicable) or the certificate provider.

  8. Next, enter the PIV application management key and click OK.

    Note

    If you have not changed the management key using YubiKey Manager, the default management key will be sufficient. If your YubiKey is managed by your organization, reach out to your admin for your management key.

  9. If the import was successful, the slot will display the issuer, subject name, and expiration date of the imported certificate.

  10. Repeat this process to import additional smart card certificates as needed.

YubiKey Manager CLI

If you prefer to use the command line version of the YubiKey Manager tool (ykman) to import your certificate, follow the steps below:

  1. Install ykman onto your host computer.

  2. ykman can be run within a command prompt, terminal, or PowerShell. Please see the ykman documentation for more information on configuring your system to do this.

  3. Once your system has been configured, open a command prompt, terminal, or PowerShell.

  4. Plug your YubiKey into your computer.

  5. The YubiKey has 24 total PIV slots, four of which are accessible via the YubiKey Manager tool (9a, 9c, 9d, and 9e). Technically, all of these accessible slots can be used to hold an X.509 certificate for authentication, but slot 9a is intended to be used for this purpose. For more information on PIV application slots, check out the slot documentation.

    Enter ykman piv info to check if any slots on your YubiKey are already occupied.

  6. Once you have identified an appropriate empty slot, navigate to the folder containing your smart card certificate.

  7. Enter ykman piv certificates import <slot> <filename> to import your certificate onto your YubiKey. <slot> refers to the slot number (e.g. 9a), and <filename> refers to the name of your certificate file (e.g. certificate.p12).

    Remember, the public certificate AND its private key must be imported onto your YubiKey. While the YubiKey can store X.509 certificates in the PEM, DER, and PKCS12 formats, we recommend using the PKCS12 file type (files with a .pfx or .p12 extension) because the public certificate and private key are stored in a single file.

  8. When prompted, enter your certificate’s password and your PIV application management key.

    Note

    If you do not know your certificate’s password, check with your admin (if applicable) or the certificate provider. If you have not changed the management key using YubiKey Manager, the default management key will be sufficient. If your YubiKey is managed by your organization, reach out to your admin for your management key.

  9. Enter ykman piv info again to verify that the certificate import was successful. You will see the slot number listed along with the certificate algorithm, subject DN, issuer DN, serial number, fingerprint, and the time period the certificate is valid for.

    Note

    For more information on ykman PIV commands, please see the ykman documentation.

  10. Repeat this process to import additional smart card certificates as needed.
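
The CLI steps above (check slots, import, verify) can be wrapped in a guard that refuses to import into a slot that `ykman piv info` already lists. This is an added example, not Yubico's code: the function names `occupied_slots`, `free_slots` and `safe_import` are hypothetical, and it assumes each populated slot appears in the info output on a line beginning `Slot <id>`.

```shell
#!/bin/sh
PIV_SLOTS="9a 9c 9d 9e"   # slots the guide says YubiKey Manager exposes

# Print the ids of occupied slots found in `ykman piv info` text on stdin.
# Assumption: every populated slot starts a line "Slot <id>", e.g. "Slot 9a:".
occupied_slots() {
    sed -n 's/^[[:space:]]*[Ss]lot[[:space:]]\{1,\}\([0-9A-Fa-f]\{2\}\).*/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Print the manager-accessible slots that the info text does not list.
free_slots() {
    used=$(occupied_slots)
    for s in $PIV_SLOTS; do
        printf '%s\n' "$used" | grep -qx "$s" || printf '%s\n' "$s"
    done
}

# safe_import <slot> <file>: import only into an empty, supported slot,
# then re-read the slot list to confirm the certificate landed.
safe_import() {
    slot=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case " $PIV_SLOTS " in
        *" $slot "*) ;;
        *) echo "unsupported slot: $slot" >&2; return 2 ;;
    esac
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 3; }
    if ykman piv info | occupied_slots | grep -qx "$slot"; then
        echo "slot $slot is occupied; not overwriting" >&2
        return 4
    fi
    # ykman prompts for the file password and the management key here.
    ykman piv certificates import "$slot" "$2" || return 5
    ykman piv info | occupied_slots | grep -qx "$slot" || return 6
}

# Constructed sample of `ykman piv info` output (not captured from a device).
SAMPLE_INFO='PIN tries remaining: 3/3
Slot 9a:
    Algorithm:   RSA2048
    Subject DN:  CN=Example User
    Issuer DN:   CN=Example Issuing CA'

printf '%s\n' "$SAMPLE_INFO" | free_slots   # lists 9c, 9d, 9e
```

On a real device, call `safe_import 9a certificate.p12` from the folder that holds the file; a non-zero exit status means nothing was written or the post-import check failed.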

Next Steps

Now that you have imported your smart card certificate onto your YubiKey, you may provision the certificate to your iOS Keychain through the Yubico Authenticator application on your iOS device.

To file a support ticket with Yubico, click Support.


FAQs

How to import certificate to YubiKey? ›

  1. Open YubiKey Manager and go to Applications, then click PIV.
  2. From there, select the Configure Certificates option.
  3. Choose the tab corresponding to the YubiKey slot where the key pair was generated.
  4. In the next step, click on the Import button.
May 19, 2023

How do I import a smart card certificate? ›

To do so:
  1. Open the Microsoft Management Console (MMC) that contains the Certificates snap-in.
  2. In the console tree, under Personal, click Certificates.
  3. On the All Tasks menu, click Import to start the Certificate Import Wizard.
  4. Click the file that contains the certificates that you are importing.
Feb 25, 2024

How do I view my YubiKey certificates? ›

Perform the below steps on the Windows workstation you enrolled for the certificate using a YubiKey.
  1. Launch PKI Client:
  2. Click on the Security Device icon to view all certificates installed on the YubiKey:
  3. Click on View certificate details to view the contents of the certificate:
Jun 13, 2024

How do I import a certificate? ›

In the left pane of the console, double-click Certificates (Local Computer). Right-click Personal, point to All Tasks, and then select Import. On the Welcome to the Certificate Import Wizard page, select Next. On the File to Import page, select Browse, locate your certificate file, and then select Next.

How many Certificates does YubiKey have? ›

A PIV-enabled YubiKey NEO holds 4 distinct slots for certificates and a YubiKey 4 & 5 holds 24, as specified in the PIV standards document. Each of these slots is capable of holding an X.

How do I download a smart card certificate? ›

How to Download Smart Card Certificates for Web and Email Use
  1. Open a web browser.
  2. Go to DoD Cyber Exchange NIPR (cyber.mil).
  3. In the PKI and PKE Tools section, navigate to the PKI CA Certificate Bundles: PKCS#7 section. ...
  4. Unzip the files and follow the directions in README.

What is the smart card certificate used for? ›

A smart card is a physical device, usually a plastic card with a microprocessor, that can provide personal authentication using certificates stored on the card.

How do I extract certificates from smart card? ›

In the navigation pane, select Certificates. In the details pane, locate the certification authority certificate that was issued for the Smart Card template. This file should have the name of your Smart card user. Right-click this certificate, select All Tasks, and then choose Export.

Can someone use my YubiKey? ›

YubiKeys offer the highest level of security to fight modern cyber threats. Without physically having access to your security key, a bad actor won't be able to access your account. The keys protect against today's modern phishing attacks and provide peace of mind that sensitive information stays secured.

Why is YubiKey better than Authenticator app? ›

Yubikey Authenticator boasts a higher level of security compared to software-based solutions. It can be used across multiple devices and even offers the convenience of passwordless login. However, it does have some drawbacks. Unlike Google Authenticator, Yubikey Authenticator lacks the ability to transfer backups.

What is the difference between YubiKey and Security Key? ›

The Security Key Series differs from a YubiKey 5 Series in that it comes only with the FIDO (FIDO2/FIDO U2F) protocol and the non-Enterprise Edition does not have a serial number. It is only available in USB-A + NFC and USB-C + NFC form factors.

How do I upload certificates to YubiKey? ›

The JoinNow client now enrolls and configures the YubiKey for a certificate. When it indicates you have joined the network, click Done. Open the Yubikey Manager and click Applications > PIV > Configure Certificates to verify the SecureW2 certificate successfully installed on your YubiKey.

Does YubiKey remember passwords? ›

The OTP application slots on the YubiKey are capable of storing static passwords in place of other configurations.

How many credentials does YubiKey have? ›

FIDO2 - the YubiKey 5 can hold up to 25 discoverable credentials (AKA hardware-bound passkeys) in its FIDO2 application.

How do I import Certificates into key vault? ›

  1. On the page for your key vault, select Certificates.
  2. Click on Generate/Import.
  3. On the Create a certificate screen choose the following values: Method of Certificate Creation: Import. Certificate Name: ExampleCertificate. Upload Certificate File: select the certificate file from disk. ...
  4. Click Create.
Jan 30, 2024

How do I import SSL Certificates and keys? ›

Click System > System Security. Click Console Certificate. Click Import Certificate and Key. In the Server Certificate File field, browse to and select the certificate file that you want to import.

How do I import a certificate into keychain? ›

Add certificates to a keychain using Keychain Access on Mac
  1. In the Keychain Access app on your Mac, select either the login or System keychain.
  2. Drag the certificate file onto the Keychain Access app.
  3. If you're asked to provide a name and password, type the name and password for an administrator user on this computer.

How do I import a certificate into private key entry? ›

Convert the certificate and private key to PKCS 12
  1. In a Command Prompt or Terminal window, change to the directory [install-dir]/conf.
  2. Execute the command: openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]


Author: Msgr. Benton Quitzon
