This guide will show you how to set up your YubiKey NEO (or YubiKey NEO-n) to hold your signing certificate so you can sign your code. Also included are instructions on how to sign a Windows executable. 


You will need the following:

  • Your signing certificate
  • The PIV tool (command line interface) or the PIV Manager (graphical interface); the instructions in this guide use the command line interface (both are available from our knowledge base downloads
  • A Windows executable (if you will be signing another file, change the instructions to suit your requirements)

Setting Up Your YubiKey NEO or NEO-n

  1. Install the PIV tool, if you have not already done so.
  2. Insert your YubiKey NEO or YubiKey NEO-n. The following examples use a YubiKey NEO.
  3. At the command line, type the following command:
    yubico-piv-tool -s 9c -i signcert.pfx -K PKCS12 -p 123456 -a set-chuid -a import-key -a import-cert

    There are three actions that will be performed. First, the command creates a new random CardHolder Unique Identifier (chuid), then it uses the PFX file to import both the private key and the certificate. All this information will be stored in slot 9c on the YubiKey, which in the PIV language means digital signature. (For more information on the digital certificate slot on the YubiKey NEO, see Certificate Slots.) The -p parameter is used to provide the tool with the Export/Import passphrase.

  4. Once you’ve successfully imported the information onto the YubiKey, Windows automatically recognizes the certificates inside and saves them in your certificate store. To verify this, run the certificate manager (certmgr.exe) and look into the Personal certificate store of the current user.If you now try to sign an executable (see the following instructions), Windows recognizes that your information is stored on a smart card device and you are prompted to connect the device (in this case, your YubiKey) and to provide the correct PIN.
  5. Once you’re done, unplug your YubiKey and your private key is now safely stored away from your system.

Signing Your Windows executable

Now, we’re almost there. In order to perform the actual signing you will have to install Microsoft SignTool. It can be found in the Windows SDK within the .NET Framework 4. Or you can download it here.

SignTool is installed, by default, in C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin. Use it from there (or add it to your PATH variable and use it from another location). In order to sign your application, execute the following command:

signtool sign /t superawesome.exe

The  optional parameter /t allows you to use an RFC3161-compliant timestamp server. This is used to securely stamp your digital signature with a time and a date. Finally, if you check the properties of superawesome.exe you will see that the Digital Signatures tab has been added, with all the related information.

in How To