GPG and X509 on Yubikey

Yubikey is a great piece of hardware with a lot of functions in a size of an usb stick. Two of the stores are a gpg, and a pki applet, which each can hold gpg keys or x509 Certificates. The PKI applet can be used for storing certificates, which then can be used for signing emails (s/mime), authentication, even encrypting. Here is a little summary how I am using my yubikey.

GPG with Yubikey

For storing gpg keys on the yubikey, I prefer a master key on a offline live distribution, saved on a usb stick. the generated subkeys from the master key are moved on the yubikey and stubs anchored on the devices. I followed the guides, which are described pretty well:

the gpg functions can now be normally used and you are promted for the pin to access the gpg keys on the yubikey. Or the GPG can be used in a email client like thunderbird with the enigma plugin to sign and encrypt emails with gpg.

For my android setup i’m using the newest version of k9 mail (5.111), which supports gpg/mime. connected to the openkeychain, it’s an unstoppable team with the yubikey neo through NFC.

S/MIME with Yubikey

There are not so many guides for using x509 with the Yubikey, so I will describe a little more in detail, how I got S/MIME working.

First you need a certificate for signing, for the best result signed by a trusted CA. My certificate is signed and trusted by

To prepare the Yubikey PIV module, where the certificates are stored, you must install the yubico piv tool.

dnf install yubico-piv-tool

Then we make it ready for the real use. You would typically change the management key to make sure nobody but you can modify the state of the PIV application on the YubiKey. Make sure to keep a copy of the key around for later use.

key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key
yubico-piv-tool -a set-mgm-key -n $key

The PIN and PUK should be changed as well.

pin=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6`
echo $pin
puk=`dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8`
echo $puk
yubico-piv-tool -a change-pin -P 123456 -N $pin
yubico-piv-tool -a change-puk -P 12345678 -N $puk

also described on the yubico developer guide for the piv module

Then import your certificate to the signing slot 9c:

yubico-piv-tool -a import-cert -a import-key -s 9c -K PKCS12 -k

Give the mgmt-key and the admin pin to import the certificates and private key

To verify it holds your certificate you can use the status command yubico-piv-tool -a status

preparing for thunderbird

to use the certifcate directly from the smartcard alias yubikey, thunderbird needs an kryptography module. This is provided by the opensc tools

dnf install opensc

Now load the Kryptography Module in the settings

Ready is your Yubikey for S/MIME with thunderbird.


The mailing applications like Thunderbird and the Android are well integrated with the Yubikey and the GPG functions. Sadly, there is currently not support for S/MIME in K9 Mail, which cuts off the ability of S/MIME via yubikey on the mobile phone.