This is a short step-by-step on how to import or generate a key on a YubiKey, create a certificate request, submit that request to a Windows CA and then load the certificate on the YubiKey. As an alternative, it also instructs you how to import a private key and certificate from a .pfx file for use on a YubiKey.
a YubiKey with the PIV application loaded
the yubico-piv-tool software
credentials to request certs from a Windows CA
Import or generate the key in slot 9a:
Import a key:
yubico-piv-tool -s 9a -a import-key -i key.pem
Generate a key:
yubico-piv-tool -s 9a -a generate -o public.pem
Request a certificate:
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \ -S "/CN=example/O=test/" -i public.pem -o request.csr
Submit the request to the Windows CA: (this step must be run on a windows machine that know about the CA)
certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt Note in the argument `"CertificateTemplate:User"`, `User` should be replaced with the template the certificate is to be used for. For example, if creating a new smart card login template named "YubicoSC", use `"CertificateTemplate:YubicoSC"`
Load the certificate on the YubiKe: (--key[=STRING] is needed if the management key value is not the default value)
yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING]
For it to be useful in windows a chuid must be set as well: (only if that wasn’t done earlier) (--key[=STRING] is needed if the management key value is no longer the default value)
yubico-piv-tool -a set-chuid --key[=STRING]
Both the key and certificate can be imported with a single command (for slot 9a): When prompted, enter the password for the .pfx file. (--key[=STRING] is needed if the management key value is no longer the default value)
yubico-piv-tool -s 9a -i myfile.pfx -K PKCS12 -a import-key -a import-cert --key[=STRING] Enter Password: Successfully imported a new private key. Successfully imported a new certificate.