Transferring Your Private Key To A Smartcard (Yubikey)
Getting a Certificate
There are plenty of guides online on how to generate a (self-signed) X.509 certificate for PIV or an OpenPGP key. This guide will not walk you through those steps; it assumes you already have one or can obtain one through one of the links below.
PIV: Obtain an S/MIME certificate from Actalis using this link.
GPG: Create a Protonmail account and download the corresponding private key by following their guide. As a neat aside, you can choose between an @protonmail.com or a @pm.me email address! 🙌
Importing a PIV (S/MIME) Certificate
If you’re using a Yubikey, you can use the YubiKey Manager GUI to import the certificate and its private key into the PIV application. The ykman command-line executable is another way to import PIV keys: ykman piv keys import loads a private key into a slot, and ykman piv certificates import loads the matching certificate into the same slot.
$ ./ykman piv
Usage: ykman.exe piv [OPTIONS] COMMAND [ARGS]...
Manage the PIV application.
Examples:
Generate an ECC P-256 private key and a self-signed certificate in
slot 9a:
$ ykman piv keys generate --algorithm ECCP256 9a pubkey.pem
$ ykman piv certificates generate --subject "CN=yubico" 9a pubkey.pem
Change the PIN from 123456 to 654321:
$ ykman piv access change-pin --pin 123456 --new-pin 654321
Reset all PIV data and restore default settings:
$ ykman piv reset
Options:
-h, --help Show this message and exit.
Commands:
info Display general status of the PIV application.
reset Reset all PIV data.
access Manage PIN, PUK, and Management Key.
certificates Manage certificates.
keys Manage private keys.
objects Manage PIV data objects.
This tool is available on Linux using these instructions. On Windows, the executable is located within the Yubikey Manager’s executable directory (C:\Program Files\Yubico\Yubikey Manager).
If you’re not using a Yubikey, then you’ll have to use some third-party middleware to communicate with the smartcard’s X.509 slots. The open-source project OpenSC has a convenient tool called piv-tool that can interact with the PIV slots of various smartcards.
Another alternative is the ActivClient software, which is what the United States Department of Defense (DoD) uses throughout. It is commercial middleware rather than a free download from the vendor; copies turn up on the web, but check the licence before relying on one.
Importing a GPG (openPGP) Certificate
Transferring, or importing, the private key onto the smartcard is a bit easier than importing PIV certificates. You can use the usual gpg tools.
## NOTE: the key is already imported here (use this to check the card status)
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID
Application ID ...: D2760001240100000006157513730000
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: #########
Name of cardholder: Andrew Tec
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://api.protonmail.ch/pks/lookup?op=get&search=########@pm.me
Login data .......: andrew.tec
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 8 0 4
Signature counter : 33
KDF setting ......: on
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: #### #### #### #### #### #### #### #### ####
created ....: 2018-10-15 03:02:42
Encryption key....: #### #### #### #### #### #### #### #### ####
created ....: 2018-10-15 03:02:42
Authentication key: #### #### #### #### #### #### #### #### ####
created ....: 2018-10-15 03:02:42
General key info..: pub rsa2048/50245D44B17AA35F 2018-10-15 "#########@pm.me" <########@pm.me>
sec> rsa2048/################ created: 2018-10-15 expires: never
card-no: 0006 15751373
ssb> rsa2048/################ created: 2018-10-15 expires: never
card-no: 0006 15751373
ssb> rsa2048/################ created: 2018-10-15 expires: never
card-no: 0006 15751373
$ gpg --edit-key #########@pm.me
gpg (GnuPG) 2.3.1; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/##############
created: 2018-10-15 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/##############
created: 2018-10-15 expires: never usage: E
ssb rsa2048/##############
created: 2018-10-15 expires: never usage: SA
[ultimate] (1). "##########@pm.me" <###########@pm.me>
gpg> keytocard
# keytocard moves the key rather than copying it: after you save, the local keyring
# holds only a stub pointing at the card, so export a backup of the secret key first.
# gpg asks for the key's passphrase, the card's Admin PIN and which card slot to use;
# the primary key (usage SC) goes to slot 1, Signature. Then toggle one subkey at a
# time with key N, run keytocard again (the E subkey goes to slot 2, Encryption; the
# SA subkey to slot 3, Authentication), and finish with save.
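A check worth running after the keytocard steps above, as an added example that is not part of the original post: it parses the text that gpg --card-status prints and flags keys that are still on disk (no > stub marker after sec/ssb), empty card slots, and PIN settings worth tightening. The constructed sample below is modelled on the listing above with made-up fingerprints and key IDs and deliberately shows a half-finished transfer; pipe real output into the script to check your own card.

```python
"""Post-transfer audit of `gpg --card-status` output.

Added example, not code from the original post. SAMPLE_STATUS is a
constructed sample (made-up fingerprints and key IDs) modelled on the
listing in the post; the field labels are the ones GnuPG prints.
"""
import re
import sys

SAMPLE_STATUS = """\
Reader ...........: Yubico YubiKey OTP FIDO CCID
Application ID ...: D2760001240100000006157513730000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 15751373
Name of cardholder: Andrew Tec
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 33
KDF setting ......: on
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 1111 2222 3333 4444 5555 6666 7777 8888 9999 0000
      created ....: 2018-10-15 03:02:42
Encryption key....: AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
      created ....: 2018-10-15 03:02:42
Authentication key: [none]
General key info..: pub  rsa2048/50245D44B17AA35F 2018-10-15 Andrew Tec <andrew@example.invalid>
sec>  rsa2048/50245D44B17AA35F  created: 2018-10-15  expires: never
                                card-no: 0006 15751373
ssb>  rsa2048/0011223344556677  created: 2018-10-15  expires: never
                                card-no: 0006 15751373
ssb   rsa2048/8899AABBCCDDEEFF  created: 2018-10-15  expires: never
"""

# "Label ....: value" lines (labels may contain spaces and dots, e.g. "Max. PIN lengths").
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z. ]*?)[ .]*: ?(.*)$")
# sec/ssb lines; GnuPG appends '>' when the secret part is a stub living on the card.
KEY_RE = re.compile(r"^(sec|ssb)(>?)\s+(\S+)/([0-9A-Fa-f]+)")
CARD_SLOTS = ("Signature key", "Encryption key", "Authentication key")


def parse_card_status(text):
    """Return (fields, keys): label->value dict, and one dict per sec/ssb line."""
    fields, keys = {}, []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
            continue
        m = KEY_RE.match(line)
        if m:
            keys.append({"kind": m.group(1), "on_card": m.group(2) == ">",
                         "algo": m.group(3), "keyid": m.group(4).upper()})
    return fields, keys


def audit_card_status(text):
    """Return a list of (severity, message) findings for a card-status dump."""
    fields, keys = parse_card_status(text)
    findings = []
    # keytocard is a move, so a key without the '>' marker never left the keyring.
    for k in keys:
        if not k["on_card"]:
            findings.append(("high", f"{k['kind']} {k['keyid']}: secret key still on disk, "
                                     "keytocard not run or not saved for this key"))
    for slot in CARD_SLOTS:
        if fields.get(slot, "[none]") == "[none]":
            findings.append(("info", f"{slot}: card slot is empty"))
    # Counters are printed in the order PIN, Reset Code, Admin PIN.
    counters = fields.get("PIN retry counter", "").split()
    if len(counters) == 3 and all(c.isdigit() for c in counters):
        pin, reset_code, admin = (int(c) for c in counters)
        if pin == 0:
            findings.append(("high", "user PIN is blocked; unblock it with the Admin PIN or Reset Code"))
        if reset_code == 0:
            findings.append(("low", "Reset Code not set: only the Admin PIN can unblock the user PIN"))
        if admin == 0:
            findings.append(("high", "Admin PIN is blocked; only a factory reset of the OpenPGP app recovers the card"))
    else:
        findings.append(("info", "PIN retry counter not found in output"))
    if fields.get("Signature PIN") != "forced":
        findings.append(("medium", "Signature PIN not forced: one PIN entry allows unlimited signatures in a session"))
    uif = dict(re.findall(r"(\w+)=(\w+)", fields.get("UIF setting", "")))
    if uif and all(v == "off" for v in uif.values()):
        findings.append(("low", "touch (UIF) not required for any operation; a host that knows the PIN can use the keys silently"))
    if fields.get("KDF setting", "on") == "off":
        findings.append(("low", "KDF off: the PIN is sent to the card verbatim rather than as a derived value"))
    return findings


def transfer_complete(text):
    """True when every sec/ssb is an on-card stub and all three card slots are filled."""
    fields, keys = parse_card_status(text)
    return (bool(keys) and all(k["on_card"] for k in keys)
            and all(fields.get(s, "[none]") != "[none]" for s in CARD_SLOTS))


if __name__ == "__main__":
    # Usage: gpg --card-status | python3 card_audit.py   (falls back to the sample)
    status = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for severity, message in audit_card_status(status):
        print(f"[{severity}] {message}")
    print("transfer complete" if transfer_complete(status) else "transfer incomplete")
```

On the sample this reports the third subkey as still on disk, the Authentication slot as empty, no Reset Code, and touch disabled; the first two are exactly what you see if keytocard was run on the primary key but the subkeys were never selected. The Reset Code finding also explains the 0 in the middle of the retry counter in the listing above.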
On Windows
You can use two packages provided by Chocolatey: gnupg or Gpg4win. Opt for the former and the instructions are the same as above. If you prefer a GUI, Gpg4win provides not only the usual gpg executable but also a program called Kleopatra, which can be used to import, export, and transfer keys to the smartcard.