Transferring Your Private Key To A Smartcard (Yubikey)

Getting a Certificate

There are plenty of guides online on how to generate a (self-signed) x509 certificate for PIV or a GPG key. This guide will not walk you through those steps; it assumes you already have one, or can obtain one through one of the links below.

PIV: Obtain an S/MIME certificate from Actalis using this link.

GPG: Create a Protonmail account and download the corresponding private key by following their guide. As a neat aside, you can choose between a @protonmail.com or @pm.me domain email! 🙌

Importing a PIV (S/MIME) Certificate

If you’re using a Yubikey, you can use the YubiKey Manager to import the certificate into your smartcard. The ykman executable is another way to import PIV keys.

$ ./ykman piv
Usage: ykman.exe piv [OPTIONS] COMMAND [ARGS]...

  Manage the PIV application.

  Examples:

    Generate an ECC P-256 private key and a self-signed certificate in
    slot 9a:
    $ ykman piv keys generate --algorithm ECCP256 9a pubkey.pem
    $ ykman piv certificates generate --subject "CN=yubico" 9a pubkey.pem

    Change the PIN from 123456 to 654321:
    $ ykman piv access change-pin --pin 123456 --new-pin 654321

    Reset all PIV data and restore default settings:
    $ ykman piv reset

Options:
  -h, --help  Show this message and exit.

Commands:
  info          Display general status of the PIV application.
  reset         Reset all PIV data.
  access        Manage PIN, PUK, and Management Key.
  certificates  Manage certificates.
  keys          Manage private keys.
  objects       Manage PIV data objects.

This tool is available on Linux using these instructions. On Windows, the executable is located within the Yubikey Manager’s executable directory (C:\Program Files\Yubico\Yubikey Manager).

If you’re not using a Yubikey, then you’ll have to use some third-party middleware to communicate with the smartcard’s x509 slots. The open-source project OpenSC has a convenient tool called piv-tool that can interact with the PIV slots of various smartcards.

Another alternative is to use the elusive ActivClient software. This is what the United States Department of Defense (DoD) uses throughout. You could look around on the web to see where you can get a free copy.

Importing a GPG (openPGP) Certificate

Transferring (importing) the private key onto the smartcard is a bit easier than importing PIV certificates: you can use the usual gpg tools.

## NOTE: the key is already imported here (use this to check the card status)
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID
Application ID ...: D2760001240100000006157513730000
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: #########
Name of cardholder: Andrew Tec
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://api.protonmail.ch/pks/lookup?op=get&search=########@pm.me
Login data .......: andrew.tec
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 8 0 4
Signature counter : 33
KDF setting ......: on
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: #### #### #### ####  #### #### #### #### ####
      created ....: 2018-10-15 03:02:42
Encryption key....: #### #### #### ####  #### #### #### #### ####
      created ....: 2018-10-15 03:02:42
Authentication key: #### #### #### ####  #### #### #### #### ####
      created ....: 2018-10-15 03:02:42
General key info..: pub  rsa2048/50245D44B17AA35F 2018-10-15 "#########@pm.me" <########@pm.me>
sec>  rsa2048/################  created: 2018-10-15  expires: never
                                card-no: 0006 15751373
ssb>  rsa2048/################  created: 2018-10-15  expires: never
                                card-no: 0006 15751373
ssb>  rsa2048/################  created: 2018-10-15  expires: never
                                card-no: 0006 15751373

$ gpg --edit-key #########@pm.me
gpg (GnuPG) 2.3.1; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/##############
     created: 2018-10-15  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa2048/##############
     created: 2018-10-15  expires: never       usage: E
ssb  rsa2048/##############
     created: 2018-10-15  expires: never       usage: SA
[ultimate] (1). "##########@pm.me" <###########@pm.me>

gpg> keytocard
# yes to everything...
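A post-transfer check, added here as an example and not part of the original post: it parses `gpg --card-status` output in the format shown above (a constructed excerpt is embedded) and flags empty key slots, secret keys that are not yet card stubs, stubs that point at a different card, and blocked PINs. Deriving the card-no from the Application ID assumes the standard OpenPGP card AID layout.

```python
import re
# Constructed `gpg --card-status` excerpt in the page's format; the serial,
# key IDs and fingerprints are made-up sample values, not a real card or key.
SAMPLE = """\
Application ID ...: D2760001240100000006157513730000
PIN retry counter : 8 0 4
Signature key ....: 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
Encryption key....: BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
Authentication key: [none]
sec>  rsa2048/0000000000000001  created: 2018-10-15  expires: never
                                card-no: 0006 15751373
ssb   rsa2048/0000000000000002  created: 2018-10-15  expires: never
ssb>  rsa2048/0000000000000003  created: 2018-10-15  expires: never
                                card-no: 0006 99999999
"""
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)[ .]*:\s?(.*)$")
STUB = re.compile(r"^(sec|ssb)(>?)\s+\S+/([0-9A-Fa-f]{16})")

def parse_card_status(text):
    """Return (fields, stubs): labelled fields, plus one entry per sec/ssb line."""
    fields, stubs = {}, []
    for line in text.splitlines():
        if m := STUB.match(line):
            stubs.append({"kind": m[1], "on_card": m[2] == ">", "keyid": m[3], "card_no": None})
        elif "card-no:" in line and stubs:
            stubs[-1]["card_no"] = line.split("card-no:", 1)[1].strip()
        elif m := FIELD.match(line):
            fields[m[1].strip()] = m[2].strip()
    return fields, stubs

def check_card(text):
    """List reasons the transfer is incomplete or the inserted card is unusable."""
    fields, stubs = parse_card_status(text)
    aid = fields.get("Application ID", "")
    # OpenPGP AID layout: RID+app (12 hex), version (4), manufacturer (4), serial (8)
    card_no = f"{aid[16:20]} {aid[20:28]}" if len(aid) >= 28 else None
    problems = []
    for slot in ("Signature key", "Encryption key", "Authentication key"):
        if fields.get(slot, "[none]").startswith("[none]"):
            problems.append(f"{slot} slot is empty")
    for s in stubs:  # no '>' means the secret key is still in the local keyring
        if not s["on_card"]:
            problems.append(f"{s['kind']} {s['keyid']} is not a card stub (keytocard not saved?)")
        elif s["card_no"] != card_no:
            problems.append(f"{s['kind']} {s['keyid']} belongs to card {s['card_no']}, not {card_no}")
    pin, _reset, admin = (int(x) for x in fields.get("PIN retry counter", "0 0 0").split()[:3])
    if pin == 0 or admin == 0:
        problems.append(f"PIN blocked (user tries {pin}, admin tries {admin})")
    return problems
```

Because keytocard moves the key (after save, the local keyring keeps only the stub), run a check like this before discarding any backup of the exported private key.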

On Windows

You can use two packages provided by Chocolatey: gnupg or Gpg4win. Opt for the former and the instructions are the same as above. If you prefer a GUI, Gpg4win provides not only the usual gpg executable but also a program called Kleopatra, which can be used to import, export, and transfer keys to the smartcard.
