1. Home
  2. yubico-piv-tool
  3. Actions
  4. key import

    Key Import

    yubico-piv-tool -a import-key -s <slot> -k [ -P <PIN code> --pin-policy <never|once|always|matchonce|matchalways> --touch-policy <never|always|cached> -i <input file> -p <input file password> -K <input file format> ]
yubico-piv-tool -a import-certificate -s <slot> -k [ -i <input file> -K <input file format> ]
yubico-piv-tool -a import-key -a import-certificate -s <slot> -k [ -P <PIN code> --pin-policy <never|once|always|matchonce|matchalways> --touch-policy <never|always|cached> -i <input file> -p <input file password> -K <input file format> ]

    Description

    Imports a key, a certificate or both into the Yubikey PIV interface. The largest accepted keys are of size 2025/3049 bytes for current versions of YubiKey NEO and YubiKey 5, respectively; however, it is possible to import larger certificates but that requires compression in order for it to fit (see examples bellow).

    This action is also used to import decryption keys (aka. key management keys typically found in slot 9d) into the retired slots (slots 82-95)

    Importing either a key or a certificate is an action that requires authentication, which is done by providing the management key. If no management key is provided, the tool will try to authenticate using the default management key.
    [It is strongly recommended to change the Yubikey’s PIN, PUK and management key before start using it.]

    Parameters

    Parameter

    Required

    Optional

    Description

    Possible values

    Default value

    -s, --slot

    X

    What key slot to operate on

    9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9

    -k, --key

    X

    Management key to use, if no value is specified key will be asked for

    010203040506070801020304050607080102030405060708

    -i, --input

    X

    Filename to use as input. If left out, input will be read from Stdin

    None or file name

    Stdin

    -K, --key-format

    X

    Format of the key/certificate being read/written

    PEM, PKCS12, GZIP, DER, SSH

    PEM

    -p, --password

    X

    Password for decryption of private key file, if omitted password will be asked for

    -P, --pin

    X

    Pin/puk code for verification, if omitted pin/puk will be asked for

    --pin-policy

    Set pin policy applicable for the slot containing the key. Only available on YubiKey 4 or newer

    never, once, always, matchonce (applicable with bio verification), matchalways (applicable for with verification)

    always on slot 9c and once on slots 9a, 9d and 9e

    --touch-policy

    Set touch policy applicable for the slot containing the key. Only available on YubiKey 4 or newer

    never, always, caches

    never

    Examples

    yubico-piv-tool -a import-key -a import-certificate -s 9c -k -i key.pfx -K PKCS12
Enter Password:
Enter management key:
Successfully imported a new private key.
Successfully imported a new certificate.

    yubico-piv-tool -a import-certificate -s 9c -k -i cert_large.gz -K GZIP
Successfully imported a new certificate.