Set up Yubikey for PowerShell Code Signing

As I wrote in my previous post, Using a Yubikey for PowerShell CodeSigning, I’m using a Yubikey to store my code signing certificate. This way I can easily carry my cert with me, use it on different computers and not have to worry about losing my private key. In this post, I’m describing how I set up my Yubikey.

Setting up the key
The Yubikey has a small command line tool called the “piv-tool”, which is downloadable from Yubico’s website. Once it is installed, I use Set-Alias so I don’t have to type the full path every time I use the piv-tool.

Set-Alias yubico-piv-tool "C:\yubico\yubico-piv-tool-1.5.0-win64\bin\yubico-piv-tool.exe"

Then I use the wrong PIN a few times until the PIN gets locked; this will enable me to reset the device:

$InvalidPIN = '123456'
yubico-piv-tool -a verify-pin -P $InvalidPIN
yubico-piv-tool -a verify-pin -P $InvalidPIN
yubico-piv-tool -a verify-pin -P $InvalidPIN
yubico-piv-tool -a verify-pin -P $InvalidPIN

Now I can reset the device:

yubico-piv-tool -a reset

Install the code signing certificate from a pfx-file with the command below. -s9c tells it to import the certificate to slot 9c which is the default slot for code signing. You can use any slot, but why not try to stick to the standard?

yubico-piv-tool -s9c -i SimonWahlin_CodeSign.pfx -KPKCS12 -a set-chuid -a import-key -a import-cert

Now go sign something!
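
A follow-up check for the setup above, as an added example that is not part of the original post: it replaces the factory PIN and PUK left by the reset, confirms that slot 9c holds the certificate, and signs a constructed test script. It assumes Windows has already propagated the certificate on the key to the CurrentUser\My store; the test file name is made up for the example.

```powershell
# Added example. The tool path is the one used in the post; adjust it to your install.
Set-Alias yubico-piv-tool "C:\yubico\yubico-piv-tool-1.5.0-win64\bin\yubico-piv-tool.exe"

# A reset puts the PIV applet back on factory credentials (PIN 123456, PUK 12345678),
# so replace both. With -P/-N omitted the tool prompts for the old and new values,
# which keeps them out of the console history.
yubico-piv-tool -a change-pin
yubico-piv-tool -a change-puk

# Confirm that slot 9c is populated and see which certificate it holds.
yubico-piv-tool -a status
yubico-piv-tool -a read-cert -s 9c

# Assumption: the certificate on the key is visible in CurrentUser\My.
# Only accept an unexpired code signing certificate that has a private key handle.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code signing certificate found in CurrentUser\My.' }
"Signing with $($cert.Subject) [$($cert.Thumbprint)]"

# Sign a throwaway script (constructed sample). The PIN prompt appears here,
# because the private key never leaves the Yubikey.
$sample = Join-Path $env:TEMP 'Test-YubikeySigning.ps1'
Set-Content -Path $sample -Value "'Signed with the key on the Yubikey'"
Set-AuthenticodeSignature -FilePath $sample -Certificate $cert | Out-Null

# Read the signature back. A status other than Valid usually means the
# certificate chain is not trusted on this machine.
$result = Get-AuthenticodeSignature -FilePath $sample
if ($result.Status -eq 'Valid') {
    "OK: $sample is signed by $($result.SignerCertificate.Thumbprint)"
} else {
    Write-Warning "Signature status is $($result.Status): $($result.StatusMessage)"
}
```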