This guide outlines the professional workflow for setting up a FastSSL/Sectigo/DigiCert Extended Validation (EV) or Standard Code Signing (CS) certificate on a YubiKey 5 FIPS with Firmware V5.4.3+ using ECCP384, or with Firmware V5.7+ using RSA4096. We had been told it is only possible to code sign with RSA4096 on an approved SafeNet device, like the “Thales eIDAS USB token Gemalto SafeNet eToken 5110 CC (940)”, but it turns out you can do it on the YubiKey, and the key can even be ECCP384 instead of RSA4096. Given the significant lack of instructions online, we have published this how-to guide for anyone else hoping to do the same. This method ensures compliance with CA/Browser Forum requirements that private keys remain on FIPS-validated hardware.
20th Feb 2026

Professional Guide: Code Signing with YubiKey 5 FIPS (ECCP384) HSM
This guide outlines the professional workflow for setting up an Extended Validation (EV) or Standard Code Signing (CS) certificate on a YubiKey 5 FIPS with Firmware V5.4.3+ using ECCP384. ECCP384 is used specifically to ensure backwards compatibility with all recent YubiKey 5 FIPS HSMs; note that if your device is Firmware V5.7+ it should support both ECCP384 and RSA4096.
1. Prerequisites
Ensure the following tools are installed on your Windows environment:
- Ideally make sure your YubiKey Manager (graphical interface) has no certificates listed in Slots 9a/9c/9d/9e inside the Applications/PIV/Certificates section – if there are any, delete them if it is safe to do so, as leftover certificates often cause issues later.
- YubiKey Manager (CLI): Required for the PIV and Attestation commands. Get the 64-bit build from the YubiKey PIV Tool (command line) download page.
- YubiKey Smart Card Minidriver: Essential for Windows to expose the YubiKey through a Key Storage Provider (KSP). Get the x64 Minidriver installer from the YubiKey Minidriver page.
- Windows SDK: Required for access to signtool.exe. Download winsdksetup.exe from the official Windows SDK download page and install only “Windows SDK Signing Tools for Desktop Apps”, unticking everything else.
Note: most of the time we used an Admin CMD prompt to run these commands, but they also work in PowerShell.
IMPORTANT: If the YubiKey FLASHES AFTER you enter a PIN, you must physically touch the gold contact to authorize the operation. If a command fails unexpectedly, unplug the token, wait 10 seconds and re-insert it; after certain commands the token needs a reconnect before it works properly – remember this for later!
2. Generate the Key and CSR
For code signing, Slot 9a (Authentication) is the ONLY slot this will work in. Slot 9a allows PIN caching, meaning you enter your PIN once per session rather than for every single file, which is a necessity for batch signing. We tried with 9c and it didn’t work because that slot has no PIN caching.
Step A: Generate the Private Key
Generate the private key directly on the device and export the public counterpart.
PowerShell/CMD – If you are using a YubiKey 5 FIPS v5.7+ you can replace “ECCP384” with “RSA4096” in the command below:
ykman piv keys generate --algorithm ECCP384 --pin-policy ONCE --touch-policy ALWAYS 9a public.pem
TIP: If ‘ykman’ is not available from your current folder, replace it with the full path as below, keeping the double quotes around the path and .exe:
"C:\Program Files\Yubico\YubiKey Manager\ykman.exe" piv keys etc... etc..
Step B: Generate the Certificate Signing Request (CSR)
When creating the CSR, do not use spaces after commas in the subject string, as this can cause validation errors with some CAs.
PowerShell/CMD
# Replace with your actual company details; they must match the details registered with your certificate provider.
# Note the country code for the UK is GB and for the USA is US. An incorrect code will cause an error.
ykman piv certificates request --subject "CN=YourCompany,O=YourCompany,L=City,ST=State,C=CountryCode" 9a public.pem csr.csr
Step C: Copy the Certificate Signing Request (CSR) Contents to the Certificate Issuance Website
Open the csr.csr file with a text editor and copy the contents into the website (certificate issue/reissue) to generate the final certificate.
You will need to approve this via two email request forms, and then you will get a download link.
Make sure you download all of the FIPS 140-2 Level 2 or Common Criteria EAL4+ files and all bundles of CRT, CER and PEM files for safe keeping.
Just make sure you get the 3 main ones: the ‘Company Certificate’, the ‘Intermediate certificate’ (in this example the ‘GoGetSSL G4 RSA4096 SHA256 2022 CA-1’, which is ECCP384 compatible anyway) and the ‘root certificate’ (here the ‘DigiCert Trusted Root G4’ certificate). Aim to get the CRT, CER and PEM versions. You will be using the .crt version shortly.
I say make sure you have saved them all because some providers don’t allow you to download them again, and it’s best to keep all of them.
3. (Optional) Generate FIPS Attestation – Likely Not Needed if the Above Worked
Only some providers require proof that the key was generated on FIPS-validated hardware. This requires a “bundle” of two files.
- Generate the attestation for Slot 9a:
ykman piv keys attest 9a attestation.crt
- Export the YubiKey Intermediate certificate from slot f9:
ykman piv certificates export f9 intermediate.crt
Note: When enrolling, you may need to paste both files into a single text box. Paste the Attestation content first, followed immediately by the Intermediate content, including all -----BEGIN/END----- headers.
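The key, CSR and attestation steps above, driven from one PowerShell script, as an added example that is not part of the original guide. It assumes ykman.exe is at the path shown, that `ykman info` prints a "Firmware version: x.y.z" line, that ykman prompts for the PIV PIN itself, and that the subject values are placeholders you replace; it also picks RSA4096 or ECCP384 from the firmware version, generalising the guide's "v5.7+" note.

```powershell
# Added example, not from the original guide: run the Section 2 and 3 ykman steps from one
# script. Assumptions: ykman.exe lives at $ykman, `ykman info` prints a "Firmware version: x.y.z"
# line, ykman prompts for the PIV PIN itself, and the subject values below are placeholders.
$ykman = 'C:\Program Files\Yubico\YubiKey Manager\ykman.exe'
$slot  = '9a'   # the only slot the guide found to work (PIN caching for batch signing)

# Choose the key algorithm from the firmware version: RSA4096 needs 5.7+,
# ECCP384 works on 5.4.3+ and is the compatible default.
$info = (& $ykman info) -join "`n"
if ($info -notmatch 'Firmware version:\s*(\d+\.\d+\.\d+)') { throw 'Could not read the firmware version from ykman info' }
$fw  = [version]$Matches[1]
$alg = if ($fw -ge [version]'5.7.0') { 'RSA4096' } else { 'ECCP384' }
Write-Host "Firmware $fw detected, generating a $alg key in slot $slot (touch the key when it flashes)"

# Step A: the private key stays on the device, only the public half is written to public.pem.
& $ykman piv keys generate --algorithm $alg --pin-policy ONCE --touch-policy ALWAYS $slot public.pem
if ($LASTEXITCODE -ne 0) { throw "ykman key generation failed with exit code $LASTEXITCODE" }

# Step B: CSR subject. Placeholder values; no spaces after commas, two-letter ISO country code.
$subject = 'CN=YourCompany,O=YourCompany,L=City,ST=State,C=GB'
if ($subject -match ',\s') { throw 'Subject must not contain spaces after commas' }
if ($subject -notmatch ',C=[A-Z]{2}$') { throw 'Subject must end with a two-letter country code, e.g. C=GB or C=US' }
& $ykman piv certificates request --subject $subject $slot public.pem csr.csr
if ($LASTEXITCODE -ne 0) { throw "ykman CSR request failed with exit code $LASTEXITCODE" }

# Sanity check before pasting into the CA portal: this must be the CSR, not an attestation cert.
$csrHead = Get-Content csr.csr -TotalCount 1
if ($csrHead -ne '-----BEGIN CERTIFICATE REQUEST-----') { throw "csr.csr does not start with a CSR header: $csrHead" }

# Section 3 (optional): attestation bundle in the order CAs expect, attestation first, then intermediate.
& $ykman piv keys attest $slot attestation.crt
& $ykman piv certificates export f9 intermediate.crt
Get-Content attestation.crt, intermediate.crt | Set-Content attestation_bundle.pem
Write-Host 'Paste csr.csr into the CA portal; attestation_bundle.pem is ready if the CA asks for it.'
```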
4. Install the Issued Certificate
Once the CA issues your .crt file, import it back to the YubiKey:
PowerShell/CMD
ykman piv certificates import 9a issued_cert.crt
Refining the Windows Store:
- Open certmgr.msc and remove any old/related certificates in Personal > Certificates.
- Eject the YubiKey, wait 10 seconds, and re-insert it. This forces the Minidriver to repopulate the certificate store correctly.
- Any issues – try
5. Signing Code with Signtool
To sign, you need your certificate’s SHA1 Thumbprint. Locate this by running:
certutil -user -store My
Note that even if the output says ‘Private key is NOT exportable’, you will see a line that looks like:
Cert Hash(sha1): e1a92d84c7b530f261ad809e36782a16fec6507b
Copy that hash; it is your Thumbprint. (Please note the above is a random example – use your own.)
The Signing Command
For ECC certificates on FIPS hardware, providing the timestamp and digest algorithm is critical to avoid “SignerSign() failed” errors.
PowerShell/CMD – Insert your Thumbprint from above in place of [THUMBPRINT], without the square brackets.
signtool.exe sign /sha1 [THUMBPRINT] /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 "C:\path\to\your\app.exe"
IMPORTANT: Ensure you touch the YubiKey immediately after entering your PIN when prompted!
6. Troubleshooting Common Errors
| Error Code | Meaning | Solution |
| --- | --- | --- |
| 0x8010006a | Security Violation | Physically touch the YubiKey sensor after entering the PIN. |
| 0x80090016 | Keyset does not exist | Verify the certificate is visible in certmgr. Try re-inserting the token. |
| Invalid CSR | PEM Boundary Error | Ensure you are pasting the -----BEGIN CERTIFICATE REQUEST----- block, not the Attestation file. |
Best Practices & Alternatives
- Timestamping: Always use the /tr flag. This ensures the signature remains valid even after the certificate itself expires.
- Remote Desktop (RDP): You cannot sign code over a standard RDP session due to smart card redirection security; you must be physically present at the machine.
- Azure Trusted Signing: For a cloud-based alternative, Azure offers a managed service for ~$10/month. However, it requires a 3-year verifiable business history and a more complex initial setup.
Verifying the Signature – This is really Important!!
To ensure the signature is applied correctly, right-click your .exe > Properties > Digital Signatures. Select the signer and click Details. It should state: “This digital signature is OK.”
If it does not specifically say this, then there is a problem: even if you think it’s working, it will never be authorised by Microsoft as secure.
Alternatively, use the CLI:
PowerShell/CMD
signtool verify /pa /v your_application.exe
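Batch signing and verification from one PowerShell script, as an added example that is not part of the original guide. It assumes signtool.exe is on PATH (or edit $signtool), that the issued certificate is visible in CurrentUser\My through the Minidriver, and that $files holds placeholder paths you replace; it uses the same signtool flags as the guide and checks the result the way the Properties dialog does.

```powershell
# Added example, not from the original guide: batch-sign several files with the YubiKey
# certificate and verify each one. Assumptions: signtool.exe is on PATH (or set $signtool),
# the issued certificate is visible in CurrentUser\My via the Minidriver, and $files holds
# placeholder paths you replace with your own binaries.
$signtool = 'signtool.exe'
$files = @('C:\path\to\your\app.exe', 'C:\path\to\your\helper.dll')

# Find the thumbprint in the store instead of copying it from certutil output:
# code-signing EKU 1.3.6.1.5.5.7.3.3 plus a (non-exportable, on-token) private key.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in CurrentUser\My; re-insert the YubiKey (Section 4)' }
$thumb = $cert.Thumbprint
Write-Host "Signing with $($cert.Subject) [$thumb]; PIN is asked once (slot 9a caching), touch on each file"

# Hints for the error codes from the troubleshooting table.
$knownErrors = @{
    '0x8010006a' = 'Security Violation: touch the YubiKey sensor after entering the PIN'
    '0x80090016' = 'Keyset does not exist: check certmgr.msc and re-insert the token'
}

foreach ($f in $files) {
    # Same flags as the guide: /fd and /td SHA256 plus an RFC 3161 timestamp (/tr).
    $out = & $signtool sign /sha1 $thumb /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 $f 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        $hints = foreach ($code in $knownErrors.Keys) { if ($out -match $code) { $knownErrors[$code] } }
        Write-Warning "Signing failed for ${f}: $($hints -join '; ')`n$out"
        continue
    }
    # Programmatic equivalent of Properties > Digital Signatures > "This digital signature is OK":
    # status must be Valid, signed by our certificate, and carry a timestamp.
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $thumb) {
        Write-Warning "Signature on $f is '$($sig.Status)' ($($sig.StatusMessage))"
    } elseif (-not $sig.TimeStamperCertificate) {
        Write-Warning "Signature on $f has no timestamp; it will stop validating when the certificate expires"
    } else {
        & $signtool verify /pa /v $f | Out-Null   # same check the guide runs by hand
        Write-Host "OK: $f signed and timestamped ($($sig.TimeStamperCertificate.Subject))"
    }
}
```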
Establish SmartScreen Reputation
If your app is flagged by Microsoft Defender SmartScreen, submit your signed file to the Microsoft Security Intelligence portal. Select Software Developer and request a reputation review. This usually resolves “Unknown Publisher” warnings within 48 hours.
