Noah Whitley

Reputation: 11

Two PIV certificates - one YubiKey 5

I'm trying to import two PIV certificates to be used on one YubiKey 5 (slot 9a). One certificate for regular use and another for elevated privileges. For the life of me, I can't figure it out!

I've tried using the GUI YubiKey Manager > PIV > configure certificates > Import

All this does is overwrite the existing certificate with the one that is being imported to the key.

I've tried figuring out what command line to use with the following PDF: https://www.yubico.com/wp-content/uploads/2016/05/Yubico_PIV_Tool_Command_Line_Guide_en.pdf

At this point, I'm just banging my skull against the wall and not seeing how to solve this. Does anyone have any ideas or insights on this?

Upvotes: 1

Views: 1762

Answers (3)

PerGN

Reputation: 11

Technically the slot numbers refer to key slots where the private key is stored. Tools typically allow you to import certificates 'to' slot 9a when they really mean 'for' slot 9a. Certificates are stored separately from keys in PIV, and there is a well-known mapping from key slot to certificate slot. For example, the certificate for slot 9a is stored in a certificate slot named 0x5fc105. Each such certificate slot can only store one certificate according to the PIV standard (which specifies the format of the data in the certificate slot), but there are 24 key slots (with corresponding certificate slots) on a YubiKey.

Depending on tooling you may be able to use other slots for your alternate key and certificate. Since certificates are public information they could also be stored somewhere else than on the YubiKey entirely, as long as you can convince your tools to use them that way.

If your goal is to store two separate certificates for one key, your best bet would be to import the same private key to two separate key slots, and store your two different certificates in their respective certificate slots. That won't work for onboard generated keys, since you can't copy or extract those.

Upvotes: 0
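The procedure PerGN describes (one software-generated private key imported into two key slots, with a different certificate stored in each slot's certificate object), written out as an added example. This is not code from the thread or from Yubico. It assumes hypothetical files key.pem, regular.pem and elevated.pem, picks slot 9c for the "elevated" certificate (any slot your client software will use would do, including the retired slots 82..95), and uses the yubico-piv-tool options as given in its manual (--key, -s, -a, -i, --pin-policy, --touch-policy); confirm them against `yubico-piv-tool --help` for your version. By default (DRY_RUN=1) it only prints the commands, so it runs without a YubiKey attached.

```shell
#!/bin/sh
# Added example, not from the original thread or from Yubico's docs.
# One software-generated private key goes into two PIV key slots, and a
# different certificate is stored in each slot's certificate object.
# Hypothetical inputs: key.pem (the private key), regular.pem and elevated.pem
# (two certificates issued for that same key). Slot 9c for the "elevated"
# certificate is an arbitrary choice. DRY_RUN=1 (default) only prints commands.
set -eu

DRY_RUN="${DRY_RUN:-1}"
# Yubico's factory-default PIV management key; replace it with your own.
MGMT_KEY="${MGMT_KEY:-010203040506070801020304050607080102030405060708}"

# PIV key slot -> data object that holds that slot's certificate
# (the NIST SP 800-73-4 mapping that Yubico's documentation also lists).
piv_cert_object_id() {
    case "$1" in
        9a) echo 5fc105 ;;
        9c) echo 5fc10a ;;
        9d) echo 5fc10b ;;
        9e) echo 5fc101 ;;
        f9) echo 5fc121 ;;                 # attestation key
        8[2-9]|9[0-5])                     # retired slots 82..95 -> 5fc10d..5fc120
            printf '%x\n' $(( 0x5fc10d + 0x$1 - 0x82 )) ;;
        *)  echo "unknown PIV slot: $1" >&2; return 1 ;;
    esac
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Import the key into slot $1 and store certificate $3 in that slot's
# certificate object. PIN and touch policy belong to the slot, so the
# "elevated" copy can require a touch even though the key bytes are identical.
# A key generated on the YubiKey cannot be imported a second time: it never
# leaves the slot it was generated in.
import_key_and_cert() {
    slot=$1; key=$2; cert=$3; touch=${4:-never}
    run yubico-piv-tool --key="$MGMT_KEY" -s "$slot" -a import-key \
        --pin-policy=once --touch-policy="$touch" -i "$key"
    run yubico-piv-tool --key="$MGMT_KEY" -s "$slot" -a import-certificate -i "$cert"
}

# Read both certificates back and confirm they carry the same public key,
# which is the whole point of the two-slot arrangement.
same_public_key() {
    a=$(yubico-piv-tool -s "$1" -a read-certificate | openssl x509 -pubkey -noout)
    b=$(yubico-piv-tool -s "$2" -a read-certificate | openssl x509 -pubkey -noout)
    [ "$a" = "$b" ]
}

main() {
    echo "# 9a cert -> object 0x$(piv_cert_object_id 9a); 9c cert -> object 0x$(piv_cert_object_id 9c)"
    import_key_and_cert 9a key.pem regular.pem never
    import_key_and_cert 9c key.pem elevated.pem always
    if [ "$DRY_RUN" != 1 ]; then
        if same_public_key 9a 9c; then
            echo "OK: 9a and 9c hold certificates for the same key"
        else
            echo "MISMATCH: certificates in 9a and 9c are for different keys" >&2
            exit 1
        fi
        yubico-piv-tool -a status
    fi
}
main
```

Run it as `DRY_RUN=0 MGMT_KEY=<your hex key> sh two-certs.sh` once the printed commands look right. Whether a given client actually picks the 9c certificate for the "elevated" login is up to that client; the YubiKey only guarantees that each slot returns its own certificate and that both slots sign with the same key.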

Jamal Nasir

Reputation: 1

This is unfortunate because Gemalto smartcards allow multiple certificates to be loaded on a single card. The inability to load multiple certs in slot 9a will require using two different YubiKeys for two different certs.

Upvotes: 0

ryder

Reputation: 11

It's not possible to store more than one certificate in one slot. There are different slots for different purposes. See this page for details: https://developers.yubico.com/PIV/Introduction/Certificate_slots.html

So, I think, what you planned to do is not possible.

Upvotes: 1
