Set up Yubikey for PowerShell Code Signing

Intro

As I wrote in my previous post, Using a Yubikey for PowerShell CodeSigning, I’m using a Yubikey to store my code signing certificate. This way I can easily carry my cert with me, use it on different computers, and not have to worry about losing my private key. In this post, I describe how I set up my Yubikey.

Setting up the key

The Yubikey has a small command line tool called the “piv-tool”, which is downloadable from Yubico’s website. Once it is installed, I use Set-Alias so I don’t have to type the full path every time I use the piv-tool.

Then I enter the wrong PIN a few times until the PIN gets locked. This enables me to reset the device:

Now I can reset the device:

Install the code signing certificate from a pfx-file with the command below. -s9c tells it to import the certificate to slot 9c which is the default slot for code signing. You can use any slot, but why not try to stick to the standard?
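
The whole procedure above as one PowerShell script. This is an added example, not the commands from the original post. Assumptions: the install path of yubico-piv-tool, the PFX path, and the wrong PIN/PUK values are placeholders, and the key still uses the default management key after the reset.

```powershell
# Added example, not the original post's commands.
# Assumption: default install location of the Yubico PIV Tool; adjust as needed.
$pivExe = 'C:\Program Files\Yubico\Yubico PIV Tool\bin\yubico-piv-tool.exe'
if (-not (Test-Path $pivExe)) { throw "yubico-piv-tool not found at $pivExe" }
Set-Alias -Name piv-tool -Value $pivExe

# Hypothetical path to the exported code signing certificate and private key.
$pfx = 'C:\certs\codesign.pfx'
if (-not (Test-Path $pfx)) { throw "PFX file not found: $pfx" }

# Show what is on the key before wiping it. A reset erases every PIV slot.
piv-tool -a status

# Lock the PIN with deliberately wrong values (anything that is not your PIN).
# The default retry count is 3; extra attempts cover keys set to more retries.
1..5 | ForEach-Object { piv-tool -a verify-pin -P 000000 }

# yubico-piv-tool only accepts a reset once the PUK is blocked as well,
# so exhaust its retries the same way with a wrong PUK.
1..5 | ForEach-Object { piv-tool -a change-puk -P 00000000 -N 00000001 }

# Reset the PIV application to factory state.
piv-tool -a reset
if ($LASTEXITCODE -ne 0) {
    throw 'Reset failed: PIN and PUK are probably not both blocked yet.'
}

# Import the private key and the certificate from the PFX into slot 9c.
# No -p is given, so the PFX password stays off the command line and out of
# the shell history; the tool asks for it instead.
piv-tool -s 9c -i $pfx -K PKCS12 -a import-key -a import-cert
if ($LASTEXITCODE -ne 0) { throw 'Import into slot 9c failed.' }

# After a reset the PIN and PUK are back at the factory defaults
# (123456 and 12345678). Replace both before the key leaves your desk.
piv-tool -a change-pin
piv-tool -a change-puk

# Confirm that slot 9c now holds the code signing certificate.
piv-tool -a status
```

The reset also restores the default management key, which is why the import works without `-k`; anyone holding the key can write to its slots until that is changed too.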

Now go sign something!