Use YubiKeys with EJBCA

The recommended way of authenticating with EJBCA is by using a hard token. You can use a YubiKey as hard token instead of storing the certificate directly in the browser. This is more secure since the private key never leaves the token, thus key generation and signing is done on the token itself.

This guide describes how to get started with your YubiKey on Ubuntu using Mozilla Firefox as web browser.

  1. Add a new administrator to EJBCA with the following details:

    1. Math with: X509:CN, Common name

    2. CA: <Your Management CA>

    3. Match value: YubiKey Demo

  2. Begin by installing YubiKey PIV Manager:

    sudo add-apt-repository ppa:yubico/stable
    sudo apt-get update
    sudo apt-get install pubikey-piv-manager
  3. Insert your token into your computer and start YubiKey PIV Manager. If you are using the default PIN, YubiKey PIV Manager requests you to change it.

  4. Click Certificate.

  5. Click Generate new key... and make the following changes:

    1. Choose Certificate Signing Request (CSR) as Output

    2. Enter YubiKey Demo as Subject

  6. Click OK and save the CSR

  7. Create a certificate from the CSR using EJBCA. For more information, see EJBCA User Guide. The certificate should be downloaded as a DER-file (binary).

  8. Import the certificate to the token by clicking Import from file...

  9. Eject and insert the token again to reload the token

  10. Install OpenSC PKCS11 driver:

    sudo apt-get install opensc
  11. Open Firefox and type about:preferences in the address bar

  12. Click Privacy and Security > Security devices and click Load to load a new PKCS11 driver-

  13. Enter the following information:

    1. Module name: OpenSC

    2. Module filename: /usr/lib/x86_64-linux-gnu/

  14. Click OK and restart Firefox

  15. Go to https:// <domain name> :8443/ejbca/adminweb. Unlock the token if required, using the PIN code set in step 3.

  16. Choose the certificate YubiKey Demo and click OK to access EJBCA.


YubiKey PIV Manager: