Generating keys using OpenSSL – yubico.com

There are two ways of getting private keys into a YubiKey: you can either generate the keys directly on the YubiKey, or generate them outside of the device and then import them into the YubiKey. Reasons for importing keys include wanting to make a backup of a private key (keys generated on the device are non-exportable, for security reasons), or having a private key that is provided by an external source. This document will guide you through using the OpenSSL command line tool to generate a key pair which you can then import into a YubiKey. Two different types of keys are supported: RSA and EC (elliptic curve).

NOTE
When generating a key pair on a PC, you must take care not to expose the private key. Ensure that you only do so on a system you consider to be secure.

Generating a private RSA key

  1. Generate an RSA private key, of size 2048, and output it to a file named key.pem:
  2. Extract the public key from the key pair, which can be used in a certificate:

Generating a private EC key

  1. Generate an EC private key, of size 256, and output it to a file named key.pem:
  2. Extract the public key from the key pair, which can be used in a certificate:

After running these two commands you end up with two files: key.pem and public.pem. These files are referenced in various other guides on this page when dealing with key import.
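Both procedures above, written out as an added shell example (not Yubico's own script) that uses standard OpenSSL subcommands, keeps the private key owner-only as the NOTE requires, and checks that public.pem really belongs to key.pem. The function names, the `KEYDIR` variable, the per-type subdirectories and the choice of the prime256v1 curve for the 256-bit EC key are assumptions of this example.

```shell
#!/bin/sh
# Added example: gen_keypair, pubkey_matches, key_mode and KEYDIR are illustrative names.

# gen_keypair KIND DIR: write DIR/key.pem and DIR/public.pem (KIND is rsa or ec).
# Each kind gets its own directory because both procedures use the same file names.
gen_keypair() {
    kind=$1; dir=$2
    (
        umask 077   # files are created owner-only, so key.pem is never world-readable
        mkdir -p "$dir" || exit 1
        case $kind in
            rsa)
                openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || exit 1
                openssl rsa -in "$dir/key.pem" -pubout -out "$dir/public.pem" 2>/dev/null
                ;;
            ec)
                # Assumption: "size 256" means the NIST P-256 curve (prime256v1).
                openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" || exit 1
                openssl ec -in "$dir/key.pem" -pubout -out "$dir/public.pem" 2>/dev/null
                ;;
            *)
                echo "unknown key type: $kind" >&2
                exit 2
                ;;
        esac
    )
}

# pubkey_matches DIR: succeed only if DIR/public.pem is the public half of DIR/key.pem.
pubkey_matches() {
    derived=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null) || return 1
    [ "$derived" = "$(cat "$1/public.pem")" ]
}

# key_mode FILE: print the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Generate both pairs under KEYDIR (or a fresh temp directory) and report each one.
workdir=${KEYDIR:-$(mktemp -d)}
for k in rsa ec; do
    gen_keypair "$k" "$workdir/$k" && pubkey_matches "$workdir/$k" \
        && echo "$k: $workdir/$k/key.pem $(key_mode "$workdir/$k/key.pem")"
done
```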

Source: Generating keys using OpenSSL by yubico.com
