Steps For Generating CSR and Key Attestation with YubiKey Token
YubiKey offers a hardware-based solution that allows you to generate the CSR securely on the YubiKey device itself rather than on your computer. This provides higher security and assurance compared to traditional methods of creating a CSR.
Additionally, YubiKey supports key attestation, which cryptographically proves that your public key is stored on a genuine YubiKey token. This binds your identity to the physical YubiKey device.
This guide will walk you through the steps to create a CSR and key attestation using the YubiKey token and YubiKey Manager software.
Key Takeaways
- A Certificate Signing Request (CSR) contains information about your organization and public key and is submitted to a Certificate Authority (CA) to obtain a trusted SSL certificate.
- YubiKey allows you to generate a CSR directly on the hardware token, which provides increased security compared to creating it on your computer.
- To generate a CSR on YubiKey, you need the YubiKey Manager software and the ability to enable the PIV smart card functionality.
- After entering information like organization names and domain names, the CSR can be exported from YubiKey Manager and submitted to the CA.
- Key attestation provides cryptographic proof that your public key resides on a genuine YubiKey hardware token.
- It binds your identity to the YubiKey by digitally signing the public key with Yubico’s attestation key.
- You can obtain a key attestation certificate by generating a CSR through YubiKey Manager with attestation enabled.
Prerequisites
Before you can generate a CSR on your YubiKey, you need to complete the following prerequisites:
- YubiKey Device: You need a compatible YubiKey device, such as the YubiKey 5 Series or YubiKey 5C NFC. The YubiKey must be unlocked with a PIN code to generate the CSR.
- YubiKey Manager: You need the YubiKey Manager application to access your YubiKey’s PIV applet functionality. Download and install the latest version of this software.
- PIV Enabled: The PIV (Personal Identity Verification) applet must be enabled on your YubiKey. This allows the YubiKey to function as a smart card for generating and storing certificates.
- Subject Information: When creating the CSR, you will need to provide information such as your organization’s legal name, department, city, state, etc.
- Domain Names: A list of domain names (like example.com) to be included in the CSR, which will be bound to the SSL certificate.
Enabling PIV Functionality on YubiKey
By default, the PIV applet is not enabled on new YubiKeys. To generate the CSR, you must first enable the PIV functionality:
- Insert your YubiKey into a USB port on your computer and launch the YubiKey Manager application.
- Select your YubiKey and click Configure.
- Under Applications, select PIV.
- Check the box to Enable the PIV application.
- Set a PIN code which will be required to generate the CSR on your YubiKey.
- Under PIN Policy, select Always to enforce PIN entry.
- Click Write Configuration to program your YubiKey.
The YubiKey will now behave as a PIV smart card that allows you to generate a CSR.
Generating CSR using YubiKey Manager
Here are step-by-step instructions to generate a Certificate Signing Request on your YubiKey using the YubiKey Manager:
- Insert the configured YubiKey into your computer’s USB port and launch YubiKey Manager.
- Select your YubiKey and click on the Certificates
- Click on Generate New Certificate Request. This will start the CSR generation wizard.
- Select Object: Choose the object type for the Certificate Request.
- Attestation Type: Select Yubico (PIV) Attestation if you need a key attestation certificate.
- Subject: Enter details like Organization, Department, City, State, etc.
- Subject Alternative Names: Enter all the domain names to be included in the CSR.
- Key Type: Choose either RSA 2048 bit or ECC P-256 keys.
- PIN Policy: Select Always to enforce PIN entry.
- Review the CSR details and click Generate to create the CSR on your YubiKey.
- Enter your PIN when prompted to access the PIV functionality.
- The Certificate Signing Request will now be generated and stored on your YubiKey device.
- Click Export and save the CSR file to submit it to the Certificate Authority.
Once you receive the signed SSL certificate from the CA, you can import it back onto the YubiKey using YubiKey Manager.
What is Key Attestation
When you select Yubico (PIV) Attestation while generating the CSR via YubiKey Manager, key attestation for your SSL certificate is enabled.
Key attestation provides cryptographic proof that your public key is stored on a genuine YubiKey hardware device made by Yubico.
Here is how it works:
- Your public key is hashed to produce a unique fingerprint.
- This fingerprint is then signed with Yubico’s PIV attestation private key, which is stored securely on YubiKey hardware.
- This results in a digital signature that is included in your CSR.
- The Certificate Authority verifies this signature using Yubico’s public attestation key.
- If valid, it proves your public key resides on a real YubiKey device rather than in potentially vulnerable software.
- The CA then issues the certificate binding your identity to your YubiKey.
Key attestation gives relying parties confidence that your private key is stored securely on a YubiKey token and not on an impostor device.
Submitting CSR to Certificate Authority
Once you have exported the CSR file from YubiKey Manager, you can proceed to purchase your SSL certificate from a trusted Certificate Authority:
- Research and find a suitable CA that offers SSL certificates that meet your needs.
- Purchase the certificate for your desired validity period (typically 1–2 years).
- Follow the CA’s instructions to create an account on their portal.
- Upload your CSR file during the certificate issuance process.
- The CA will verify the information in the CSR, including the key attestation.
- If approved, the CA will sign your CSR and generate the SSL certificate containing your public key.
- Download the SSL certificate chain issued from the CA portal.
- Import the SSL certificate back into the YubiKey via YubiKey Manager.
- Install the SSL certificate on your web server to complete the setup.
The SSL certificate signed by the CA will inherit the key attestation, providing assurances that the YubiKey secures your private key.
Final Thoughts
Generating a Certificate Signing Request directly on a YubiKey device enhances security compared to traditional CSR creation methods. The private key remains securely stored on the YubiKey hardware and is not exposed to the computer.
Enabling key attestation provides trusted validation that your identity is bound to the tamper-resistant YubiKey, which unlocks additional assurances.
By following the steps outlined in this guide, you can leverage YubiKey’s cryptographic capabilities to produce a Certificate Signing Request and obtain an SSL certificate with key attestation to establish trust with users.
FAQs About CSR and Key Attestation Using YubiKey Token
What is the difference between a YubiKey PIV attestation and a regular CA signature?
The main difference is that PIV attestation involves Yubico digitally signing your public key to attest it resides on genuine YubiKey hardware. A regular CA signature only verifies the identity information in the CSR and does not provide hardware validation.
Do all YubiKeys support generating a Certificate Signing Request?
No, only the YubiKey 5 Series and later models like YubiKey 5C NFC support the PIV protocols required to generate CSRs. The YubiKey 4 series does not have this capability.
Can I request a wildcard certificate using a YubiKey CSR?
Yes, you can request a wildcard SSL certificate by including the domain name with a wildcard (like *.yourdomain.com) in the Subject Alternative Names field when generating the CSR. The CA will then issue a cert with a wildcard.
What key types are supported for CSR generation on the YubiKey?
YubiKey supports both RSA (2048 bit) and ECC (P-256 and P-384 curves) key types for the public/private key pair stored for PIV operations like CSR generation.
Is a YubiKey required for certificate renewal if I used it for the original CSR?
You typically do not need the YubiKey for renewal with the same private key. Most CAs allow renewal via the original CSR or automated through their portal.
Can I generate a client certificate CSR using the YubiKey for mutual TLS authentication?
Yes, the process of generating a client certificate CSR is the same. When going through the CSR generation steps, just choose the client certificate as the object type instead of the server certificate.
What is the maximum certificate validity period when using YubiKey for CSR?
Most CAs will allow a 2–3-year certificate validity when the YubiKey and key attestation are used. The underlying cryptography remains sound for at least 5–10 years, so a longer expiry could be possible.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.