Two in one

I tried to send a mail today, but failed. Evolution was complaining about a certificate issue. It appeared my personal certificate had expired. Then I suddenly realized I had a new Yubikey lying around. Why not put the new certificate on the new Yubikey, so I still have my old key available if older mails need to be decrypted?

In my opinion the correct way is to generate the key pair on the hardware device itself, so the private key never leaves it. I knew it was possible, but had to figure out how. I assume this will not be the last time, so I have documented the steps for future reference.

Procedure

I am using a new Yubikey, so I started by resetting it, to be sure it is in a known state:

$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from your YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
        PIN:    123456
        PUK:    12345678
        Management Key: <lots of digits>

Enable the reserved key management certificate slots:

$ echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -

Generate the key pair on the device (slot 9a, ECC P-384) and save the public key to pub.key:

$ yubico-piv-tool -a generate -s 9a -A ECCP384 -k -o pub.key

Create the certificate signing request (CSR) for that public key; after PIN verification the device signs the CSR with the private key in slot 9a:

$ yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S '/CN=sectigo/OU=test/O=vleeuwen.net/' -i pub.key -o csr.pem

Import the "real" certificate I received from the CA:

$ yubico-piv-tool -a import-certificate -s 9a -i certs.pem
Successfully imported a new certificate.

And, not to forget, replace the default PIN, PUK and management key:

$ ykman piv change-pin
Enter your current PIN:
Enter your new PIN:
Repeat for confirmation:
New PIN set.
$ ykman piv change-puk
Enter your current PUK:
Enter your new PUK:
Repeat for confirmation:
New PUK set.
$ ykman piv change-management-key --touch --generate
Enter your current management key [blank to use default key]:
Generated management key: <lots of digits>
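One check worth running before calling it done: that the certificate the CA returned really belongs to the key generated on the Yubikey, and that it is not about to expire again. The script below is an added example and not part of the original post; it assumes pub.key is the PEM public key written by yubico-piv-tool above and that certs.pem has the leaf certificate first (the post's own file names), and it needs openssl on the PATH. When those files are not present it falls back to constructed demo material: a P-384 key pair standing in for the Yubikey's, plus a certificate for an unrelated key, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): check that the certificate the
# CA returned belongs to the key generated on the YubiKey, and that it is not
# about to expire. Assumes pub.key is the PEM public key written by
# "yubico-piv-tool -a generate -o pub.key" and that certs.pem has the leaf
# certificate first; both names come from the post. Needs openssl on PATH.
set -eu

# SHA-256 fingerprint of a PEM public key (over the DER-encoded SPKI).
pubkey_fpr() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the public key carried by a PEM certificate.
cert_pubkey_fpr() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the certificate was issued for the device's public key.
cert_matches_key() {
    [ "$(cert_pubkey_fpr "$1")" = "$(pubkey_fpr "$2")" ]
}

# Succeeds only if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Builds constructed demo material in a temp dir and prints its path: a P-384
# key pair standing in for the YubiKey's, a self-signed one-year certificate
# for it (certs.pem), and a certificate for an unrelated key (other.pem).
make_demo_material() {
    d=$(mktemp -d)
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.key" 2>/dev/null
    openssl req -new -x509 -key "$d/priv.pem" -subj '/CN=demo/O=example.invalid' \
        -days 365 -out "$d/certs.pem" 2>/dev/null
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/other-priv.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/other-priv.pem" -subj '/CN=other/O=example.invalid' \
        -days 365 -out "$d/other.pem" 2>/dev/null
    echo "$d"
}

# Run against the post's own files when present, otherwise the demo material.
main() {
    if [ -f certs.pem ] && [ -f pub.key ]; then
        cert=certs.pem; key=pub.key
    else
        d=$(make_demo_material); cert="$d/certs.pem"; key="$d/pub.key"
    fi
    if cert_matches_key "$cert" "$key"; then
        echo "OK: certificate matches the device key"
    else
        echo "MISMATCH: certificate was not issued for this key" >&2; exit 1
    fi
    if cert_valid_for_days "$cert" 30; then
        echo "OK: certificate valid for at least 30 more days"
    else
        echo "WARNING: certificate expires within 30 days" >&2; exit 2
    fi
}

main "$@"
```

The comparison is done on the SubjectPublicKeyInfo, so the same functions work for an RSA slot as for the P-384 key used here; a mismatch means the CA issued the certificate for a different CSR or the wrong file was imported, and the mail client will not be able to sign with it. One more caveat on the last step above: ykman with --generate shows the new management key only once, so either store it somewhere safe or use --protect, which keeps it on the Yubikey protected by the PIN.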

Done.