How to use YubiKey FIPS versions for Code Signing Certificate?
Your code signing certificate could be kept secure and protected from hackers with the use of a YubiKey FIPS-compliant USB Token. Assuming you have a signing certificate in a .pfx format issued by a trustworthy certified certificate authority like Certera, Sectigo, or Comodo.
Let’s have a look at how to use Yubikey for Code Signing Certificate
How to Use a YubiKey FIPS-compliant USB Token for Code Signing Certificate? – A Complete Guide
If you are a Windows applications distributor or software developer, you are familiar with the significance of digitally signing certificates for your software. Such that a basic level of responsibility and trust could potentially be built between you and the consumers.
Additionally, you should know that this procedure is often carried out by obtaining a Windows Authenticode credential (a credential is a certificate plus its associated private key), which can subsequently be utilized to generate digital signatures for binary executables.
However, every individual additionally needs to know that if the signing security process provided the slightest chance, fraudulent people would make efforts to steal your code signing information which leads to unexplainable losses to the victim. If you’re a software developer, it requires just one malicious software to download for your authentication information and protective passwords to end up in the wrong hands.
Therefore, storing credentials on a disc is a highly dangerous decision, even if it is a portable USB drive you insert solely while signing binaries.
Therefore, you want to keep your login information on a specific, removable device that is perfectly made to secure that information. And that’s where the efficient and reasonably priced Yubico YubiKeys—come into action.
Process of Code Signing with the YubiKey FIPS-compliant USB Token
Prerequisite
- A YubiKey of any model. For say, Yubikey nfc (Yubikey 5 NFC/ Yubikey 5c NFC)
- You need a Code Signing Certificate you want to store in your Yubikey.
A. Getting the signtool.exe Utility.
We will utilize the “signtool.exe” to sign code on Windows operating systems. This function is distributed as a segment of the Windows SDK.
Use the https://go.microsoft.com/fwlink/p/?linkid=870807 link to install the SDK
B. Import the certificate to Yubikey and Install Yubikey Manager from Yubico.com
The stages to import the certificate are based on whether you already have installed the YubiKey smart card mini driver.
If you’re unsure, check Device Manager’s Smart Cards section. If the smart card appears as “Yubico Yubikey,” it indicates that the driver is installed. However, if it appears as “NIST,” it means that the driver is not installed.
To enable the mini driver for importing certificates for code signing, follow these steps.
- Open PowerShell as administrator.
- Run: reg add “HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider” /v AllowPrivateExchangeKeyImport /t REG_DWORD /d 1
- Run: reg add “HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider” /v AllowPrivateSignatureKeyImport /t REG_DWORD /d 1
- Run certutil –CSP “Microsoft Base Smart Card Crypto Provider” -importpfx C:\Path\to\your.pfx. Add the PIn. If you have not set a PIN, the default value is 123456.
- The Minidriver is required not to get prompted for the pin for every file.
Nevertheless, you will be forced whenever you run singtool.exe – it’s unavoidable.
Without Mini driver
- Install YubiKey Manager.
- Start PowerShell.
- Run: cd “%PROGRAMFILES%\Yubico\YubiKey Manager”
- Run: .\ykman piv import-key –pin-policy=once 9c C:\path\to\your.pfx . Enter your PFX PIN, Admin Key, and Password.
- Run: .\ykman piv import-certificate 9c C:\path\to\your.pfx When prompted, enter your PFX PIN, Admin Key, and Password.
You can now sign the code with your installed code signing certificate on the YubiKey.
C. Finding the Certificate’s Thumbprint
The SHA1 thumbprint is the most trustworthy method for assuring that the correct certificate is being utilized for signing. Follow the procedures below to obtain the thumbprint.
- Press Win+R to enter the execute menu and execute “certmgr.msc”.
- Go to Personal > Certificates in the left-side tree view.
- Double-click your certificate to open it; you should see Code Signing Listed in the Intended Purposes column.
- Select the Details tab.
- Choose the Thumbprints by scrolling to the bottom of the list.
- Ctrl+C will copy the value highlighted below to your clipboard.
D. Signing Your Software and Apps with Code Signing
- Open PowerShell.
- Run: cmd “%PROGRAMFILES(X86)%\Windows Kits\10\bin\x64”
- Run .\signtool sign /sha1 /fd SHA256 /t http://tsa.safecreative.org C:\path\to\your_application.exe Replace with the thumbprint you found in the previous section.
Note. The /t constraint is not obligatory (it is optional) and states the timestamp of the server server. It strongly stamps a digital signature, including time and date.
- Enter the PIN when prompted.
You have signed the executable file successfully with the certificate stored in the YubiKey. You can check the signature in the Digital Signature tab of the executable file properties.
E.Troubleshooting
Once importing of the key is done, again, there is a chance that the code signing failure. A quick and effective remediation for this is to disconnect and reconnect the Yubikey.
In conclusion, YubiKey is an effective tool for securing and protecting online accounts and code-signing certificates. In the steps explained above, software developers or distributors can guarantee the authenticity and integrity of signing code certificate credentials.
FAQs
What is a YubiKey code?
YubiKey is a security token that allows users to add a second factor of authentication to online services from vendors such as Google, Microsoft, Amazon, and Salesforce. The YubiKey, derived from the words ubiquitous key, looks like a USB stick.
The YubiKey code is nothing but a YubiKey passcode. The passcode is created by concatenating various YubiKey fields into a 128-bit long string and encrypting the string with the YubiKey configuration’s unique 128-bit AES key.
How do I use YubiKey for authentication?
YubiKey authentication process:
- Open the Yubico Authenticator app.
- Select the control icon to open the menu.
- Click on Scan account QR-code, then scan the QR code from the internet page.
- Make sure to save a duplicate of the QR code in a secure place.
- You can use this to create a backup YubiKey configured to utilize authenticator codes.
- It is usually great secure practice to ensure you’ve got a backup YubiKey.
How many certificates does YubiKey have?
YubiKey Version | Maximum Total Cert Space Available | Number of Certs at Size | Number of Certs at Maximum Size |
before 4.0 (e.g. NEO) | 8100 | 4 certs at 2025 bytes | 4 certs at 2025 bytes |
4.x | about 49,800 | 24 certs at 2075 bytes | 16 certs at 3052 bytes |
4.x FIPS | about 49,800 | 24 certs at 2075 bytes | 16 certs at 3052 bytes |
5.x | about 50,000 | 24 certs at 2084 bytes | 16 certs at 3052 bytes |
5.x FIPS | about 49,890 | 24 certs at 2079 bytes | 16 certs at 3052 bytes |
Is a YubiKey a private key?
Owners can protect private keys with the YubiKey by importing them or, better yet, by generating a private key directly on the YubiKey. Private keys cannot be exported or extracted from YubiKey. YubiKey supports multiple methods to enable hardware-enabled SSH authentication.
How to Use YubiKey for Certificate Configuration?
To get your YubiKey certificate:
Open the YubiKey Manager GUI tool and connect the YubiKey to the computer. Click the Applications drop-down menu on the YubiKey Manager home page and select PIV. Under Certificates, select Configure Certificates.
What is Key Generation and Attestation with Yubikey?
Each YubiKey comes pre-loaded with a private key and certificates from Yubico that let in you generate an attestation certificate to confirm that a private key has been generated on a YubiKey.
Is YubiKey FIPS compliant?
The YubiKey FIPS series offers great data security and protection against social engineering activities like phishing and account hijacking. It enables various organizations and government agencies to meet the highest authentic security requirements. YubiKey FIPS provides strong one-touch authentication.