Signing Code with Your YubiKey NEO

This article applies to:

This guide will show you how to set up your YubiKey NEO (or YubiKey NEO-n) to hold your signing certificate so you can sign your code. Also included are instructions on how to sign a Windows executable.


You will need the following:
  • Your signing certificate
  • The PIV tool (command line interface) or the PIV Manager (graphical interface); the instructions in this guide use the command line interface (both are available from our knowledge base downloads Note: These instructions are not compatible with the YubiKey Smart Card Minidriver
  • A Windows executable (if you will be signing another file, change the instructions to suit your requirements)

Setting Up Your YubiKey NEO or NEO-n

  1. Install the PIV tool, if you have not already done so.
  2. Insert your YubiKey NEO or YubiKey NEO-n. The following examples use a YubiKey NEO.
  3. At the command line, type the following command:
    yubico-piv-tool -s 9c -i signcert.pfx -K PKCS12 -p 123456 -a set-chuid -a import-key -a import-cert
    There are three actions that will be performed. First, the command creates a new random CardHolder Unique Identifier (chuid), then it uses the PFX file to import both the private key and the certificate. All this information will be stored in slot 9c on the YubiKey, which in the PIV language means digital signature. (For more information on the digital certificate slot on the YubiKey NEO, see Certificate Slots.) The -p parameter is used to provide the tool with the Export/Import passphrase.
  4. Once you’ve successfully imported the information onto the YubiKey, Windows automatically recognizes the certificates inside and saves them in your certificate store. To verify this, run the certificate manager (certmgr.exe) and look into the Personal certificate store of the current user.If you now try to sign an executable (see the following instructions), Windows recognizes that your information is stored on a smart card device and you are prompted to connect the device (in this case, your YubiKey) and to provide the correct PIN.
  5. Once you’re done, unplug your YubiKey and your private key is now safely stored away from your system.

Signing Your Windows executable

Now, we're almost there. In order to perform the actual signing, you will use the Windows Sign Tool that is installed as part of your Windows SDK installation. The SignTool is installed, by default, in the \Bin folder where you installed the Windows SDK. For example, on a Windows 10 system, it would be installed in c:\program Files(x86)\Windows Kits\10\bin\[build]. Use it from there, or add it to your PATH variable and use it from another location. In order to sign your application, execute the following command:
signtool sign /t superawesome.exe
The  optional parameter /t allows you to use an RFC3161-compliant timestamp server. This is used to securely stamp your digital signature with a time and a date. Finally, if you check the properties of superawesome.exe you will see that the Digital Signatures tab has been added, with all the related information.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.