Two in one
I tried to send a mail today, but failed: Evolution was complaining about a certificate issue. It turned out my personal certificate had expired. Then I realized I had a new Yubikey lying around. Why not put the new certificate on the new Yubikey, so that the old key stays available if older mails need to be decrypted?
In my opinion the correct way is to generate the key pair on the hardware device itself, so the private key never exists outside it. I knew it was possible, but had to figure out how. This will not be the last time, I assume, so I have documented the steps for future reference.
Procedure
I am using a new Yubikey, but I started by resetting it anyway, to be sure of the starting state:
$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from your YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
PIN: 123456
PUK: 12345678
Management Key: <lots of digits>
Enable the retired key management slots (82 to 95) by writing the Key History object. Slot 9a below does not depend on this step, but it is what makes the extra slots visible to host software later on:
$ echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -
Generate the key pair on the device. The private key never leaves the Yubikey; only the public key is written to pub.key. This is also the moment to decide on a PIN or touch policy for the slot, since yubico-piv-tool fixes those at generation time:
$ yubico-piv-tool -a generate -s 9a -A ECCP384 -k -o pub.key
Create the certificate signing request (CSR); the device signs it with the new key after the PIN has been verified:
$ yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S '/CN=sectigo/OU=test/O=vleeuwen.net/' -i pub.key -o csr.pem
Import the "real" certificate I received from the CA. The slot holds a single certificate, so this should be the end-entity certificate issued for this key, not the whole chain:
$ yubico-piv-tool -a import-certificate -s 9a -i certs.pem
Successfully imported a new certificate.
And the last things not to forget: replace the factory PIN, PUK and management key. The generated management key is printed once and has to be kept somewhere safe, because it is needed for every future key generation or certificate import:
$ ykman piv change-pin
Enter your current PIN:
Enter your new PIN:
Repeat for confirmation:
New PIN set.
$ ykman piv change-puk
Enter your current PUK:
Enter your new PUK:
Repeat for confirmation:
New PUK set.
$ ykman piv change-management-key --touch --generate
Enter your current management key [blank to use default key]:
Generated management key: <lots of digits>
Done.
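The whole procedure as one script, as an added example that is not code from the original post. Besides the commands above it adds two checks I would want in practice: a small helper that builds the Key History value for 0x5FC10C from the two counters (the hard-coded C10114C20100FE00 is C1 = 0x14 certificates on the card, C2 = 0 off the card, FE 00 the empty error-detection tag, per the PIV data object layout), and a comparison of the public key in the CSR, and later in the certificate the CA returns, against the pub.key the Yubikey exported, so nothing is imported into slot 9a that does not belong to that key. The device commands only run with --provision or --install and assume yubico-piv-tool and ykman are installed; the self-test that runs by default replaces the device with a software P-384 key from openssl, so it needs no Yubikey. The file names pub.key and csr.pem follow the post; the test-signature action and the touch/pin policy options are yubico-piv-tool features the post does not use.

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the PIV procedure in a
# script and adds two checks: a Key History object builder and a public-key
# match between pub.key and the CSR / CA certificate before import.
# Device steps: --provision, then --install <cert.pem>. No args: offline self-test
# using a constructed software key as a stand-in for the YubiKey.
set -eu

# Key History object (PIV data object 0x5FC10C) as hex for write-object:
# C1 <keys with on-card certs> C2 <keys with off-card certs> FE 00 (empty LRC).
key_history_object() {
    printf 'C101%02XC201%02XFE00' "$1" "$2"
}

# DER SubjectPublicKeyInfo as hex, read from a PEM public key on stdin, so the
# comparison does not depend on PEM line wrapping. Empty output on parse failure.
spki_hex() {
    openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n'
}
pubkey_spki() { spki_hex < "$1"; }
csr_spki()    { openssl req  -in "$1" -pubkey -noout 2>/dev/null | spki_hex; }
cert_spki()   { openssl x509 -in "$1" -pubkey -noout 2>/dev/null | spki_hex; }

# Exit status 0 only when both keys parsed and are byte-for-byte identical.
csr_matches_pubkey() {
    a=$(csr_spki "$1"); b=$(pubkey_spki "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
cert_matches_pubkey() {
    a=$(cert_spki "$1"); b=$(pubkey_spki "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 1: the post's commands up to the CSR (needs a YubiKey, yubico-piv-tool, ykman).
provision_key() {
    ykman piv reset
    # Same value as the post (0x14 = 20 on-card, 0 off-card), built instead of typed.
    printf '%s' "$(key_history_object 20 0)" | yubico-piv-tool -a write-object --id 0x5FC10C -i -
    # Private key is generated on the device; only the public key is written out.
    # --pin-policy / --touch-policy would go here: they are fixed at generation time.
    yubico-piv-tool -a generate -s 9a -A ECCP384 -k -o pub.key
    yubico-piv-tool -a verify-pin -a request-certificate -s 9a \
        -S '/CN=sectigo/OU=test/O=vleeuwen.net/' -i pub.key -o csr.pem
    csr_matches_pubkey csr.pem pub.key || { echo 'csr.pem does not match pub.key' >&2; return 1; }
    echo 'send csr.pem to the CA, then run: --install <certificate.pem>'
}

# Step 2: after the CA has returned the certificate.
install_cert() {
    cert_matches_pubkey "$1" pub.key || { echo "$1 is not a certificate for pub.key" >&2; return 1; }
    yubico-piv-tool -a import-certificate -s 9a -i "$1"
    # Sign with the slot and verify against the certificate just imported.
    yubico-piv-tool -a verify-pin -a test-signature -s 9a -i "$1"
    ykman piv change-pin
    ykman piv change-puk
    ykman piv change-management-key --touch --generate
}

# Self-test: a software P-384 key plays the YubiKey (constructed data). Prints "ok".
demo_check() {
    d=$(mktemp -d)
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/device.key" 2>/dev/null
    openssl pkey -in "$d/device.key" -pubout -out "$d/pub.key" 2>/dev/null
    openssl req -new -key "$d/device.key" -subj '/CN=sectigo/OU=test/O=vleeuwen.net' \
        -out "$d/csr.pem" 2>/dev/null
    openssl x509 -req -in "$d/csr.pem" -signkey "$d/device.key" -days 1 \
        -out "$d/cert.pem" 2>/dev/null
    # A certificate for a different key, which the install step must refuse.
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/other.key" 2>/dev/null
    openssl req -new -x509 -key "$d/other.key" -subj '/CN=other' -days 1 \
        -out "$d/other.pem" 2>/dev/null
    result=ok
    csr_matches_pubkey  "$d/csr.pem"   "$d/pub.key" || result=csr-mismatch
    cert_matches_pubkey "$d/cert.pem"  "$d/pub.key" || result=cert-mismatch
    cert_matches_pubkey "$d/other.pem" "$d/pub.key" && result=foreign-cert-accepted
    rm -rf "$d"
    echo "$result"
}

case "${1:-}" in
    --provision) provision_key ;;
    --install)   install_cert "${2:?certificate file}" ;;
    *)           echo "self-test: $(demo_check)" ;;
esac
```

Run it without arguments first; it should print "self-test: ok" on any machine with openssl. The two match checks are what protect against importing a certificate that was issued for a different CSR (an easy mistake with a CA portal and two Yubikeys on the desk), and the test-signature step after import confirms the slot actually signs with the key the certificate names.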