The YubiKey is a great piece of hardware that packs a lot of functions into the size of a USB stick. Two of its applets are an OpenPGP applet and a PIV (PKI) applet, which hold GPG keys and X.509 certificates respectively. The PIV applet stores certificates together with their private keys, which can then be used for signing emails (S/MIME), for authentication, and even for encryption. Here is a short summary of how I use my YubiKey.
GPG with Yubikey
For storing GPG keys on the YubiKey, I prefer to keep the master key on an offline live distribution, saved on a USB stick. The subkeys generated from the master key are moved onto the YubiKey, and only stubs pointing at the card remain on the devices I work from. I followed these guides, which describe the process pretty well:
The GPG functions can now be used as usual; you are prompted for the PIN whenever the keys on the YubiKey are accessed. GPG can also be used from an email client such as Thunderbird with the Enigmail plugin to sign and encrypt emails.
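As an added check (not part of the original post or of the guides it follows): once the subkeys are on the card, `gpg -K` lists the master key as `sec#` (secret part absent, i.e. it stayed on the offline stick) and every subkey as `ssb>` (secret on the card). The shell function below reads that listing and fails when either invariant is broken. The three sample listings are constructed, with a made-up fingerprint and user ID; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: check that this machine holds only
# stubs. In `gpg -K` output gpg marks an absent primary secret key as "sec#"
# (the master key stayed on the offline stick) and a subkey whose secret lives
# on a smartcard as "ssb>". Reads that listing on stdin; exits 0 when every
# subkey is on the card and the master secret is not present.
gpg_master_is_offline() {
    awk '
        /^sec /  { online_master++ }   # full primary secret key present locally
        /^sec#/  { master_stub++ }     # primary key stub only
        /^ssb>/  { on_card++ }         # subkey secret on the card
        /^ssb /  { local_sub++ }       # subkey secret stored locally
        END {
            ok = (online_master == 0 && local_sub == 0 && master_stub > 0 && on_card > 0)
            exit (ok ? 0 : 1)
        }
    '
}

# Constructed listings in the shape `gpg -K` prints (fingerprint and uid made up).
SAMPLE_OK='sec#  rsa4096 2019-01-01 [C]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Alice Example <alice@example.org>
ssb>  rsa4096 2019-01-01 [S]
ssb>  rsa4096 2019-01-01 [E]
ssb>  rsa4096 2019-01-01 [A]'

# Same key, but the master secret was (wrongly) imported on this machine.
SAMPLE_MASTER_ONLINE='sec   rsa4096 2019-01-01 [C]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Alice Example <alice@example.org>
ssb>  rsa4096 2019-01-01 [S]
ssb>  rsa4096 2019-01-01 [E]
ssb>  rsa4096 2019-01-01 [A]'

# Subkeys were generated but never moved to the card (keytocard not run).
SAMPLE_SUBKEYS_LOCAL='sec#  rsa4096 2019-01-01 [C]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Alice Example <alice@example.org>
ssb   rsa4096 2019-01-01 [S]
ssb   rsa4096 2019-01-01 [E]'

# Real use:  gpg -K | gpg_master_is_offline && echo "keyring layout ok"
```

Run it on the laptop, not on the offline live system: there the master key is supposed to be present, and the check would correctly complain.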
S/MIME with Yubikey
There are not many guides for using X.509 certificates with the YubiKey, so I will describe in a little more detail how I got S/MIME working.
First you need a certificate for signing; for the best result it should be issued by a CA that mail clients already trust. My certificate is issued by swisssign.com.
To prepare the YubiKey's PIV module, where the certificates are stored, install the yubico-piv-tool:
dnf install yubico-piv-tool
Then we get it ready for real use. Change the management key so that nobody but you can modify the state of the PIV application on the YubiKey. Keep a copy of the key somewhere safe; you will need it for every later import.
key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key
yubico-piv-tool -a set-mgm-key -n $key
The PIN and PUK should be changed as well; the factory defaults are 123456 and 12345678.
pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
echo $pin
puk=`dd if=/dev/random bs=1 count=8 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo $puk
yubico-piv-tool -a change-pin -P 123456 -N $pin
yubico-piv-tool -a change-puk -P 12345678 -N $puk
(Each byte printed with %u yields at least one digit, so the PUK needs 8 bytes of input to be sure of its 8 digits.)
This is also described in the Yubico developer guide for the PIV module.
Then import your certificate and its private key into the signing slot (9c). The command takes a PKCS#12 file; yourcert.p12 here stands for your own export:
yubico-piv-tool -a import-cert -a import-key -s 9c -K PKCS12 -i yourcert.p12 -k
The bare -k makes the tool prompt for the management key you set above; it also asks for the password of the PKCS#12 file.
To verify that it now holds your certificate, use the status command:
yubico-piv-tool -a status
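The preparation above as one script, as an added example (not the post's own commands): it draws the management key and uniform random digits for the PIN and PUK, checks their format before anything is written to the card, sets them, imports a PKCS#12 bundle into slot 9c and confirms from the status listing that the slot now carries a certificate. It assumes yubico-piv-tool is installed and a single factory-default YubiKey is plugged in; the function names, the `--apply` switch and the sample status listing are my own, and the listing's values are made up.

```shell
#!/bin/sh
# Added example (not the post's own commands): the whole PIV preparation as one
# script. Assumes yubico-piv-tool is installed and a single, still factory-default
# YubiKey is plugged in. The device-touching step runs only when invoked as
#   sh piv-prep.sh --apply yourcert.p12
# so the helpers can be checked without a card.

# 24 random bytes as 48 hex characters, the 3DES management key format
# that yubico-piv-tool accepts for --new-key/--key.
gen_mgm_key() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# $1 uniformly random decimal digits. Printing raw bytes with %u and cutting,
# as in the one-liners above, skews the digits and can come up short.
gen_digits() {
    LC_ALL=C tr -dc '0-9' </dev/urandom | head -c "$1"
}
gen_pin() { gen_digits 6; }   # PIV PIN: 6 digits, factory default 123456
gen_puk() { gen_digits 8; }   # PIV PUK: 8 digits, factory default 12345678

# Sanity checks, run before anything is written to the device.
is_hex48() { case $1 in *[!0-9a-fA-F]*) return 1 ;; esac; [ "${#1}" -eq 48 ]; }
is_digits() { case $2 in *[!0-9]*) return 1 ;; esac; [ "${#2}" -eq "$1" ]; }   # is_digits <n> <value>

# Read `yubico-piv-tool -a status` on stdin; succeed if slot $1 lists a
# certificate (the listing prints "Slot 9c:" followed by its Subject DN).
slot_has_cert() {
    awk -v hdr="Slot $1:" '
        $0 ~ ("^" hdr)          { inslot = 1; next }
        /^Slot /                { inslot = 0 }
        inslot && /Subject DN:/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in the shape the status command prints (values made up).
SAMPLE_STATUS='Version:        5.2.7
Serial Number:  12345678
CHUID:  No data available
CCC:    No data available
Slot 9c:
        Algorithm:      RSA2048
        Subject DN:     CN=Alice Example, O=Example Org
        Issuer DN:      CN=Example CA
        Not Before:     Jan  1 00:00:00 2019 GMT
        Not After:      Jan  1 00:00:00 2022 GMT
PIN tries left: 3'

# piv_prepare <pkcs12-file>: set fresh secrets, import key+cert into 9c, verify.
piv_prepare() {
    key=$(gen_mgm_key); pin=$(gen_pin); puk=$(gen_puk)
    is_hex48 "$key" && is_digits 6 "$pin" && is_digits 8 "$puk" || return 1
    printf 'management key: %s\nPIN: %s\nPUK: %s\n' "$key" "$pin" "$puk"   # shown once: write them down
    yubico-piv-tool -a set-mgm-key -n "$key"                  # factory key is used when --key is absent
    yubico-piv-tool -a change-pin -P 123456 -N "$pin"
    yubico-piv-tool -a change-puk -P 12345678 -N "$puk"
    yubico-piv-tool -a import-key -a import-cert -s 9c -K PKCS12 -i "$1" --key="$key"   # asks for the .p12 password
    yubico-piv-tool -a status | slot_has_cert 9c
}

if [ "${1:-}" = "--apply" ]; then
    piv_prepare "$2"
fi
```

The management key is passed as `--key=...` rather than a bare `-k` so the import does not stop at a prompt inside the script; the PKCS#12 password is still asked for interactively, which is intended, since it should not sit in a shell history.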
Preparing for Thunderbird
To use the certificate directly from the smartcard, i.e. the YubiKey, Thunderbird needs a PKCS#11 cryptographic module. This is provided by the OpenSC tools:
dnf install opensc
Now load the module in Thunderbird's certificate settings under Security Devices (Load), pointing it at the OpenSC PKCS#11 library, which on Fedora is typically /usr/lib64/opensc-pkcs11.so.
Your YubiKey is now ready for S/MIME with Thunderbird.
Mail applications like Thunderbird on the desktop and K-9 Mail on Android are well integrated with the YubiKey's GPG functions. Sadly, K-9 Mail currently has no S/MIME support, which rules out S/MIME via the YubiKey on the phone.