Both EV code signing and PDF document signing certificates require that your private key be generated and stored on a secure device with two-factor authentication. With the 3.2 update to SSL Manager, SSL.com’s Windows certificate manager, you can generate key pairs directly on a YubiKey FIPS and associate them with SSL.com certificate orders.
Before working with your YubiKey in SSL Manager, you’ll need to install the latest version (currently 3.2). The installer can be downloaded by clicking the button below, and this guide provides complete installation instructions.
SSL Manager is only available for Windows, but Mac and Linux users can also install EV code signing and document signing certificates on their YubiKeys by following these instructions.
Generating a Key Pair and Ordering a Certificate
1. Before you order a certificate to be installed on your YubiKey, you must first generate a key pair. If you’ve used SSL Manager in the past you’ll notice that there’s a new YubiKey drop-down menu in version 3.2.
2. With your YubiKey connected to the computer, select YubiKey > Generate Key Pair from the menu.
3. The Generate Key Pair dialog box will appear. First, select the purpose for the key pair you are generating. Here, we are going to generate a key pair for EV code signing.
4. Next, enter the Management Key for your YubiKey.
5. Click the Generate Key Pair button.
6. After a few seconds, a dialog box should appear saying that the key pair has been generated. Click the OK button to dismiss the dialog box.
7. At this point, you can choose between automatic and manual submission of the YubiKey attestation certificate to SSL.com. Use the clickable tabs below for instructions on each method.
Automatic Submission
8. Begin the automatic submission process by selecting the automatic submission option and clicking the OK button.
9. A dialog box will appear, listing mandatory fields for document signing and EV code signing certificates. Click the OK button to dismiss the dialog box.
10. Enter the Subject Information for the certificate in the form. Make sure to include all mandatory fields for the type of certificate that you plan to order. In this case, since we are ordering an EV certificate, we’re including information about the company but not an individual person.
11. Click the Attest button.
12. If prompted, enter your SSL.com Login and Password, then click the Login button.
13. A dialog box should appear saying that the key pair has successfully been attested. Click the OK button to dismiss the dialog box.
14. Click the Send to SSL.com button.
15. The Place Order window will open. If you have any appropriate existing orders available, you can choose one by selecting Existing Vouchers and selecting an order. In our case here there are no existing orders so we’ll make a new one in the next step.
16. To create a new certificate order, check the New Certificate Order radio button and select the Certificate Type, then choose a Validity Period from the drop-down menu. Here, only EV code signing is available because of the subject information we entered above in step 14.
17. Next, enter contact information for the order.
18. Click the Place Order button.
19. A dialog box will appear saying that the order has been placed. Click the OK button to close the dialog box.
20. Your new order will be shown as pending in the main SSL Manager window.
21. If you log into your SSL.com account, you will see that the new order is present, with a status of validation required.
22. At this point, you should proceed with the necessary validation steps for the certificate type you ordered. For more information, please see:
- For EV code signing: Extended Validation (EV) requirements
- For document signing: Organization/Individual Validation (OV/IV) requirements
23. When the certificate order has been validated and issued, the order status will change to Certificate Issued in the SSL Manager window.
24. To install the certificate on your YubiKey, right-click the order and select Install Certificate from the menu.
25. Enter your YubiKey’s management key and PIN, then click the Import Certificate button.
26. A dialog box will appear when the certificate has been imported. Click the OK button to close the dialog box.
27. SSL Manager will now show the new certificate as installed.
Manual Submission
8. Begin the manual submission process by selecting the manual submission option and clicking the OK button.
9. At this point, you can choose to submit your certificate order via SSL Manager or your SSL.com user portal account. To use SSL Manager, simply select YubiKey > Order Certificate from the menu, then switch tabs in this how-to and continue from step 9 in the automated submission method.
10. If you prefer to place your order in the SSL.com user portal, select YubiKey > Key Pair Attestation from the menu.
11. Select the purpose for the key pair you generated, then click the Attest button.
12. A new window will appear with your attestation and intermediate certificates. These can be used with certificate orders in the SSL.com user portal to prove that the key pair was generated on your YubiKey. At this point you can either copy and paste the certificates into a text file for later use, or go directly to the next step in your user account portal.
13. The next step is to associate the attestation and intermediate certificates with a certificate order in your SSL.com user account portal. Create a new order or navigate to an existing one, then click the open link.
14. Click the manage link, under attestation.
15. Copy and paste your attestation certificate and intermediate certificate into the fields provided, then click the Submit button.
16. Upon successful attestation, a green banner will appear at the top of the screen.
17. At this point, if you have not already gone through validation for the order, you should proceed with the necessary validation steps for the certificate type you ordered. For more information, please see:
- For EV code signing: Extended Validation (EV) requirements
- For document signing: Organization/Individual Validation (OV/IV) requirements
18. When your certificate order has been validated and issued, click its download link in the portal.
19. Click the download link labeled single bundle and save the file on your computer.
20. Now you can install the certificate on your YubiKey. Navigate to YubiKey > Import Certificate in the SSL Manager menu.
21. Select the Certificate Purpose. For this order, it’s EV Code Signing.
22. Enter your YubiKey’s Management Key and PIN, then use the Browse button to select the certificate you downloaded in step 19.
23. Click the Import Certificate button.
24. A dialog box will appear when the certificate has been imported. Click the OK button to close the dialog box.
25. You will be returned to the SSL Manager window. Note that, unlike with the automated process, manual orders do not appear in the application window. However, the certificate is installed on the YubiKey.
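The attestation and intermediate certificates from step 12 of the manual method form an X.509 chain, and a relying party can only treat them as proof of on-device key generation if that chain validates to a root it already trusts. The script below is an added example, not SSL.com or SSL Manager code: it builds constructed stand-in certificates with openssl and shows one genuine chain being accepted and one chain from an untrusted issuer being rejected. The function names, file names and subjects are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. Every certificate here is a constructed stand-in generated
# below; none are real SSL.com or YubiKey certificates.

# verify_attestation <trusted-root> <intermediate> <attestation>
# Succeeds only if attestation -> intermediate -> trusted root validates.
verify_attestation() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

make_root() {  # make_root <name> <subject>: self-signed CA certificate
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "$2" -days 30 2>/dev/null
}

issue() {  # issue <name> <subject> <issuer> [extra openssl x509 options]
  name=$1 subj=$2 issuer=$3; shift 3
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
    -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}

build_samples() (  # runs in a subshell so the cd does not leak
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    'commonName = CN' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
  # Trusted side: root -> intermediate -> attestation for the generated key.
  make_root root "/CN=Constructed attestation root"
  issue device "/CN=Constructed intermediate" root -extfile ca.cnf -extensions ca_ext
  issue attest "/CN=Constructed key attestation" device
  # Untrusted side: a self-made issuer vouching for a key it created itself.
  make_root rogue "/CN=Constructed rogue issuer"
  issue fake "/CN=Constructed software key" rogue
)

WORK=$(mktemp -d)
build_samples "$WORK"
verify_attestation "$WORK/root.pem" "$WORK/device.pem" "$WORK/attest.pem" \
  && echo "chain to trusted root: accepted"
verify_attestation "$WORK/root.pem" "$WORK/rogue.pem" "$WORK/fake.pem" \
  || echo "chain from untrusted issuer: rejected"
```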