Electronically sign software

If you want to use a digital ID (certificate) to electronically sign self-developed software (Microsoft Office macros, Java JARs), you need a YubiKey 5 FIPS (can be borrowed from the UCAM) and a special code signing certificate.

To obtain such a code signing certificate, contact ca@uni-muenster.de by signed email. You will then receive further information by email.

Since the code signing certificate is issued not to an individual or a group but to the university or the arts academy as a whole, only employees with financial responsibility may request code signing certificates.

Request after prior invitation

Choose a good PIN (6–8 digits), PUK (8 digits) and management key (48 hex digits)!

Complete reset of (only) the PIV module in the YubiKey 5 FIPS, then replace the factory defaults (the values given below are the defaults after the reset; each command prompts for the new PIN, PUK or management key):
ykman piv reset --force
ykman piv change-pin -P 123456
ykman piv change-puk -p 12345678
ykman piv change-management-key -m 010203040506070801020304050607080102030405060708

Generate the key pair in slot 9c and a CSR for it (the first command asks for the management key, the second for the PIN):
yubico-piv-tool -a generate --slot=9c --pin-policy=once -k -A ECCP384 -o pub.key
ykman piv certificates request -s "CN=UCAM" 9c pub.key req.csr

Create the attestation (the attestation statement for slot 9c, plus the device attestation certificate from slot f9 that signed it):
yubico-piv-tool --action=attest --slot=9c >attest.pem
yubico-piv-tool --action=read-certificate --slot=f9 >chain.pem

Under Linux/macOS (-w64 is the GNU coreutils option; the macOS base64 wraps lines with -b 64 instead):
cat attest.pem chain.pem | base64 -w64 - >attest.txt

Under Windows:
type attest.pem chain.pem >work.pem
certutil -encode work.pem work.txt
findstr /v CERTIFICATE work.txt >attest.txt

The request form on the invitation page asks for req.csr and the content of attest.txt. The e-mail address entered on the page is included in the certificate; the name is not.

When the email arrives (after hours or days), download the certificate with the link “as Certificate only, PEM encoded”, save it as cert.pem and import it into slot 9c:
ykman piv certificates import 9c cert.pem
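Before the request is submitted, it is worth checking locally that the two halves of the submission belong together: attest.pem must chain through chain.pem (slot f9) to Yubico's PIV attestation root, and req.csr must carry exactly the public key that attest.pem attests. The following POSIX shell script is an added example, not part of the original instructions; it assumes the file names used above, the openssl command line tool, and that Yubico's attestation root has been saved as root.pem.

```shell
#!/bin/sh
# Added example: local consistency checks on the attestation material.
# Assumed file names (matching the steps above):
#   attest.pem - slot 9c attestation statement (yubico-piv-tool --action=attest)
#   chain.pem  - slot f9 attestation certificate of this YubiKey
#   req.csr    - the CSR created with ykman
#   root.pem   - Yubico PIV attestation root CA, downloaded separately from
#                https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem

# 1) attest.pem must be issued by chain.pem, and chain.pem by the Yubico root.
#    A passing check shows the 9c key was generated on a genuine YubiKey.
verify_attest_chain() {   # $1=root.pem $2=chain.pem $3=attest.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM public key read from stdin (over the DER SPKI).
pubkey_fp() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 2) The CSR must carry the public key that the attestation statement attests;
#    otherwise the CA would certify a key that never lived on the token.
csr_matches_attest() {    # $1=attest.pem $2=req.csr
    a=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$a" | pubkey_fp)" = "$(printf '%s\n' "$c" | pubkey_fp)" ]
}

# Run both checks and report; exit status 0 only if everything is consistent.
check_all() {             # $1=root.pem $2=chain.pem $3=attest.pem $4=req.csr
    ok=0
    if verify_attest_chain "$1" "$2" "$3"; then echo "chain:   OK (attest -> f9 -> Yubico root)"
    else echo "chain:   FAILED"; ok=1; fi
    if csr_matches_attest "$3" "$4"; then echo "csr key: OK (matches the attested 9c key)"
    else echo "csr key: FAILED (CSR key differs from the attested key)"; ok=1; fi
    return $ok
}

# Usage: sh check_attest.sh root.pem chain.pem attest.pem req.csr
if [ $# -eq 4 ]; then check_all "$@"; fi
```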

Brief instructions for use

  • Windows Code Signing: see the Yubico guide

  • Java Code Signing with jarsigner:

    • Install the Yubico PKCS#11 library "ykcs11"

    • Download the certificate from the e-mail with the link "as Certificate (w/ issuer after)" and save it as certchain.pem

    • Create a file ykcs11.conf containing:
      name = ykcs11
      library = /path/to/libykcs11.so

    • Sign xxxxx.jar with (all on one line; the last argument is the ykcs11 label of the slot 9c certificate, used as the key alias):
      jarsigner -keystore NONE -certchain certchain.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ykcs11.conf xxxxx.jar "X.509 Certificate for Digital Signature"