I tried to send a mail today, but failed. Evolution was complaining about a certificate issue. It appeared my personal certificate had expired. Then I suddenly realized I had a new Yubikey lying around. Why not put the new certificate on the new Yubikey, so I still have my old key available if older mails need to be decrypted?
In my opinion the correct way is to generate the key pair on the hardware device itself, so the private key never leaves it. I knew it was possible, but had to figure it out. This will not be the last time, I assume, so I have documented the steps for future reference.
I am using a new Yubikey, so I started with resetting it to be sure:
$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from your YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
PIN: 123456
PUK: 12345678
Management Key: <lots of digits>
Enable the reserved key management certificate slots:
$ echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -
Generate the key on the device:
$ yubico-piv-tool -a generate -s 9a -A ECCP384 -k -o pub.key
Create the certificate signing request (CSR):
$ yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S '/CN=sectigo/OU=test/O=vleeuwen.net/' -i pub.key -o csr.pem
Import the "real" certificate I received from the CA:
$ yubico-piv-tool -a import-certificate -s 9a -i certs.pem
Successfully imported a new certificate.
And the last steps not to forget: replace the default PIN, PUK and management key that the reset restored:
$ ykman piv change-pin
Enter your current PIN:
Enter your new PIN:
Repeat for confirmation:
New PIN set.
$ ykman piv change-puk
Enter your current PUK:
Enter your new PUK:
Repeat for confirmation:
New PUK set.
$ ykman piv change-management-key --touch --generate
Enter your current management key [blank to use default key]:
Generated management key: <lots of digits>
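The opaque value C10114C20100FE00 written in the write-object step above is the PIV Key History object (data object 0x5FC10C) encoded as TLV, following NIST SP 800-73-4. The following is an added example, not code from the original post or from Yubico, that builds and decodes that object so the counts it carries are visible; the mapping of the on-card count to the retired slots 82..95 is an assumption taken from the yubico-piv-tool documentation.

```python
# Added example: encode/decode the PIV Key History object (ID 0x5FC10C) that
# `yubico-piv-tool -a write-object` sets to C10114C20100FE00. Layout per
# NIST SP 800-73-4 Part 1, Table 19:
#   C1 01 <n>  number of keys with on-card certificates
#   C2 01 <m>  number of keys with off-card certificates
#   FE 00      error detection code (always empty)
# Standard library only.

# Assumption: n on-card certificates correspond to the first n "retired key
# management" slots 0x82..0x95 (20 slots) on the YubiKey.
RETIRED_SLOTS = list(range(0x82, 0x95 + 1))


def encode_key_history(on_card: int, off_card: int = 0) -> str:
    """Build the uppercase hex string expected by write-object."""
    if not 0 <= on_card <= len(RETIRED_SLOTS) or not 0 <= off_card <= 0xFF:
        raise ValueError("counts out of range")
    tlv = bytes([0xC1, 0x01, on_card, 0xC2, 0x01, off_card, 0xFE, 0x00])
    return tlv.hex().upper()


def parse_tlv(data: bytes) -> dict:
    """Minimal one-byte-tag / one-byte-length TLV parser (enough here)."""
    fields, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value at offset %d" % i)
        fields[tag] = value
        i += 2 + length
    return fields


def decode_key_history(hexstr: str) -> dict:
    """Return the certificate counts and the retired slots they enable."""
    fields = parse_tlv(bytes.fromhex(hexstr))
    if 0xFE not in fields:
        raise ValueError("missing error detection code (tag FE)")
    on_card, off_card = fields[0xC1][0], fields[0xC2][0]
    return {
        "on_card": on_card,
        "off_card": off_card,
        "enabled_slots": ["%02x" % s for s in RETIRED_SLOTS[:on_card]],
    }


if __name__ == "__main__":
    print(decode_key_history("C10114C20100FE00"))
```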