There are two ways of getting private keys into a YubiKey: you can either generate the keys directly on the YubiKey, or generate them outside of the device and then import them into the YubiKey. Reasons for importing keys include wanting to make a backup of a private key (keys generated on the device are non-exportable, for security reasons), or the private key being provided by an external source. This document will guide you through using the OpenSSL command line tool to generate a key pair which you can then import into a YubiKey. Two different types of keys are supported: RSA and EC (elliptic curve).
Note
When generating a key pair on a PC, you must take care not to expose the private key. Ensure that you only do so on a system you consider to be secure.
Generating a private RSA key
Generate an RSA private key, of size 2048, and output it to a file named key.pem:
openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
..........+++
..........................................................................+++
e is 65537 (0x10001)
Extract the public key from the key pair, which can be used in a certificate:
After running these two commands you end up with two files: key.pem and public.pem. These files are referenced in various other guides on this page when dealing with key import.
Right-click the openssl.exe file and select Run as administrator. Enter the following command to begin generating a certificate and private key:
req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.
Generating a private EC key
Generate an EC private key, of size 256, and output it to a file named key.pem:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
Extract the public key from the key pair, which can be used in a certificate:
openssl ec -in key.pem -pubout -out public.pem
read EC key
writing EC key
Create a new private key in the PKCS#1 format:
openssl genrsa -des3 -out key_name.key key_strength
For example:
openssl genrsa -des3 -out private_key.key 2048
...
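The following script is an added example and not part of the Yubico guide or the snippets above. It carries the RSA and EC sections through with the same openssl commands and file names (key.pem, public.pem), adds the two checks a practitioner wants before importing into a YubiKey (the public key really belongs to the private key, and the private key file is readable by its owner only, which is the note's "do not expose the private key" point), and shows the encrypted-at-rest variant that the PKCS#1 snippet above hints at, using AES-256 rather than the 3DES (-des3) shown there. It assumes openssl 1.1.1 or later on PATH; the function names, directories and the passphrase are this example's own.

```shell
#!/bin/sh
# Added example (not code from the Yubico guide): generate an RSA or EC key pair
# with the openssl CLI, extract the public key, and verify the pair before import.
# Assumptions: openssl 1.1.1+ on PATH; file names key.pem / public.pem follow the
# guide; function names and directories are this example's own.
set -eu

# gen_keypair TYPE DIR: TYPE is "rsa" (2048-bit) or "ec" (prime256v1), the two
# algorithms the guide says a YubiKey can import. Writes DIR/key.pem and
# DIR/public.pem. The subshell's umask 077 makes both files owner-only from the
# moment they exist, so the private key is never world-readable even briefly.
gen_keypair() {
    type="$1"; dir="$2"
    case "$type" in
        rsa|ec) ;;
        *) echo "unknown key type: $type (use rsa or ec)" >&2; return 2 ;;
    esac
    mkdir -p "$dir"
    (
        umask 077
        case "$type" in
            rsa) openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null ;;
            ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" ;;
        esac
        # "openssl rsa -pubout" / "openssl ec -pubout": the public half, usable in
        # a certificate, exactly as the guide extracts it.
        openssl "$type" -in "$dir/key.pem" -pubout -out "$dir/public.pem" 2>/dev/null
    )
}

# pubkey_matches TYPE DIR: re-derive the public key from key.pem and compare it
# with public.pem, so a stale or overwritten public.pem is caught before import.
pubkey_matches() {
    derived=$(openssl "$1" -in "$2/key.pem" -pubout 2>/dev/null)
    [ "$derived" = "$(cat "$2/public.pem")" ]
}

# private_key_is_owner_only DIR: true when key.pem has mode 0600 (GNU or BSD stat).
private_key_is_owner_only() {
    mode=$(stat -c '%a' "$1/key.pem" 2>/dev/null || stat -f '%Lp' "$1/key.pem")
    [ "$mode" = "600" ]
}

# encrypt_private_key DIR PASSPHRASE: write DIR/key-enc.pem, a copy of key.pem
# encrypted with AES-256 (PKCS#8 "ENCRYPTED PRIVATE KEY"). This is the form to keep
# as a backup; the plain key.pem should live only as long as the import step needs it.
encrypt_private_key() {
    (umask 077; openssl pkey -in "$1/key.pem" -aes256 -passout "pass:$2" -out "$1/key-enc.pem")
    grep -q 'ENCRYPTED PRIVATE KEY' "$1/key-enc.pem"
}

# Usage (constructed passphrase, for demonstration only):
#   gen_keypair rsa ./out && pubkey_matches rsa ./out && encrypt_private_key ./out 'example-passphrase'
```

Passing the passphrase as pass:... on the command line is convenient for a demonstration but exposes it in the process list and shell history; for real backups use -passout file: or let openssl prompt.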
In the console tree, navigate to the certificate you want to export. Right-click the certificate, select All Tasks, and then select Export. On the screen Welcome to the Certificate Export Wizard, select Next. To export the private key, select Yes, export the private key, then select Next.
Creating a .pem with the Private Key and Entire Trust Chain
Open a text editor (such as WordPad) and paste the entire body of each certificate into one text file in the following order:
The Private Key - your_domain_name.key
The Primary Certificate - your_domain_name.crt
The Intermediate Certificate - DigiCertCA.crt
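The script below is an added example, not DigiCert's tooling or the page's own code. It builds the combined .pem in the order given above (private key, primary certificate, intermediate) and then checks the two things that most often go wrong with such a bundle: the key does not match the certificate, or the chain does not verify up to the root. Because no CA-issued files are available offline, it first generates a throwaway root, intermediate and leaf with openssl; the names (Example Root CA, example.test) and file names other than your_domain_name.key/.crt are constructed. It assumes openssl 1.1.1 or later on PATH with its default openssl.cnf present.

```shell
#!/bin/sh
# Added example (not from the DigiCert snippet): assemble key + cert + intermediate
# into one .pem and verify the bundle. Constructed test PKI; openssl 1.1.1+ assumed.
set -eu

# make_test_chain DIR: constructed root -> intermediate -> leaf, standing in for the
# files a CA would issue. Extension files give the intermediate CA:TRUE so that
# "openssl verify" accepts it as an issuer, and the leaf CA:FALSE.
make_test_chain() {
    dir="$1"; mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$dir/leaf.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
    openssl req -x509 -new -key "$dir/root.key" -subj '/CN=Example Root CA' -days 2 \
        -out "$dir/root.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/int.key"
    openssl req -new -key "$dir/int.key" -subj '/CN=Example Intermediate CA' \
        -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/your_domain_name.key"
    openssl req -new -key "$dir/your_domain_name.key" -subj '/CN=example.test' \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/your_domain_name.crt" 2>/dev/null
}

# assemble_pem KEY CERT INTERMEDIATE OUT: concatenate in the documented order.
# The bundle contains a private key, so it is created owner-readable only.
assemble_pem() {
    (umask 077; cat "$1" "$2" "$3" > "$4")
}

# key_matches_cert KEY CERT: the public key embedded in the certificate must equal
# the public key derived from the private key, otherwise the server cannot use it.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# chain_verifies ROOT INTERMEDIATE CERT: the leaf must chain to the trusted root
# through exactly the intermediate that was bundled.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# bundle_order_ok OUT: first block is the private key and exactly two certificates
# follow, matching the order the instructions require.
bundle_order_ok() {
    head -n 1 "$1" | grep -q 'PRIVATE KEY' && [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 2 ]
}
```

Run make_test_chain against a scratch directory, assemble your_domain_name.key, your_domain_name.crt and int.crt into bundle.pem, and call the three checks; with real CA-issued files, skip make_test_chain and point the checks at the CA's root certificate instead of root.crt.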
Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates. PEM, initially invented to make e-mail secure, is now an Internet security standard.
The genrsa command is used to generate an RSA private key file. The most basic form of the genrsa command specifies the name of the output file containing the key and specifies AES256 encryption (required).
Windows:
Openssl> genrsa -out key-filename.pem -aes256