{"id":3670,"date":"2023-07-13T21:12:59","date_gmt":"2023-07-13T21:12:59","guid":{"rendered":"https:\/\/www.thesslstore.com\/knowledgebase\/?post_type=ht_kb&#038;p=3670"},"modified":"2026-06-19T15:42:47","modified_gmt":"2026-06-19T15:42:47","slug":"yubikey-5-fips-csr-and-attestation","status":"publish","type":"ht_kb","link":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/","title":{"rendered":"Sectigo &#8211; YubiKey 5 FIPS Series CSR and Attestation"},"content":{"rendered":"\r\n\r\n\r\n<p>This guide includes instructions for completing your code signing order using the <strong>Install on Existing HSM<\/strong> method, specifically for the <strong>YubiKey 5 FIPS Series<\/strong>. The instructions provided are for Windows only, other operating systems should refer back to <a href=\"https:\/\/www.yubico.com\/products\/yubikey-fips\/\" target=\"_blank\" rel=\"noopener\">Yubico<\/a> for more information.<\/p>\r\n<p>This guide also assumes you already own your YubiKey HSM device and are familiar with the <br \/>associated software. You must own this hardware prior to placing your code signing order. If you <br \/>are less familiar with hardware security modules, you may wish to instead order a pre-configured <br \/>certificate token (Token + Shipping method).<\/p>\r\n<p>The instructions below are provided by Sectigo CA. Please refer back to the specific <br \/>manufacturer of your hardware security module (HSM) for further instructions, as we cannot provide support for third-party hardware.<\/p>\r\n<p dir=\"ltr\"><strong>June 19, 2026<\/strong>\u00a0&#8211; Although YubiCo has moved on to YubiCo Authenticator, Sectigo advises that YubiKey Manager is still available for generating CSR and attestation and managing keys. Direct downloads:<\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/developers.yubico.com\/yubikey-manager-qt\/Releases\/yubikey-manager-qt-latest-win64.exe\" target=\"_blank\" rel=\"noopener noreferrer\">YubiKey Manager\u00a0<\/a><\/li>\r\n<li><a href=\"https:\/\/downloads.yubico.com\/support\/YubiKey-Minidriver-4.6.3.252-x64.msi\" target=\"_blank\" rel=\"noopener noreferrer\">YubiKey Smart Card Minidriver &#8211; Windows for 64-bit systems download<\/a><\/li>\r\n<\/ul>\r\n<h1>YubiKey HSM Attestation Package<\/h1>\r\n<p>YubiKey 5 FIPS Series USB tokens can generate attestation certificates. An attestation certificate will have the same key as the CSR and is signed by the intermediate certificate (this certificate can be downloaded from the HSM). The intermediate certificate in turn is signed by the YubiKey private root certificate.<\/p>\r\n<p><br \/>Note: Please refer to <a href=\"https:\/\/docs.yubico.com\/hardware\/yubikey\/yk-fips\/tech-manual\/fips5-piv.html\" target=\"_blank\" rel=\"noopener\">PIV: FIPS 140-2 with YubiKey 5 FIPS Series \u2014 YubiKey 5 FIPS Series Technical Manual documentation (yubico.com)<\/a> for more technical documentation on YubiKey 5 FIPS Series.<\/p>\r\n<h2>Attestation Package Format<\/h2>\r\n<p>This service expects a Base64-encoded PEM certificate chain containing two certificates:<\/p>\r\n<ol>\r\n<li>Attestation certificate that matches given CSR.<\/li>\r\n<li>Intermediate certificate.<\/li>\r\n<\/ol>\r\n<h2>Generate CSR<\/h2>\r\n<p>To generate a CSR and attestation certificate for the CSR and get an intermediate attestation certificate from the device:<br \/>Note: These instructions are for Windows. If you have a different operating system, see YubiCo for instructions.<\/p>\r\n<p>1. Plugin your YubiKey 5 FIPS HSM and launch <strong><a href=\"https:\/\/www.yubico.com\/support\/download\/yubikey-manager\/\" target=\"_blank\" rel=\"noopener\">YubiKey Manager<\/a><\/strong>. Your YubiKey 5 FIPS device should be displayed in the Manager window.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3765 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png\" alt=\"\" width=\"753\" height=\"532\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png 753w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager-300x212.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager-50x35.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager-60x42.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager-35x25.png 35w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/p>\r\n<p>2. Navigate to <strong>Applications &gt; PIV<\/strong> and click Configure <strong>Certificates<\/strong>.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3766 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.1-Applications-PIV.png\" alt=\"\" width=\"473\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.1-Applications-PIV.png 473w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.1-Applications-PIV-300x190.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.1-Applications-PIV-50x32.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.1-Applications-PIV-60x38.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.1-Applications-PIV-35x22.png 35w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3767 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.2-configure-certificates.png\" alt=\"\" width=\"675\" height=\"235\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.2-configure-certificates.png 675w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.2-configure-certificates-300x104.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.2-configure-certificates-50x17.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.2-configure-certificates-60x21.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/2.2-configure-certificates-35x12.png 35w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/p>\r\n<p>3. Select Authentication (Slot 9a) (for EV code signing certificates) and click <strong>Generate<\/strong>.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3768 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication.png\" alt=\"\" width=\"804\" height=\"312\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication.png 804w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication-300x116.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication-768x298.png 768w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication-50x19.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication-60x23.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3-Authentication-35x14.png 35w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3769 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3.2-generate.png\" alt=\"\" width=\"353\" height=\"227\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3.2-generate.png 353w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3.2-generate-300x193.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3.2-generate-50x32.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3.2-generate-60x39.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/3.2-generate-35x23.png 35w\" sizes=\"auto, (max-width: 353px) 100vw, 353px\" \/><\/p>\r\n<p>4. Select <strong>Certificate Signing Request (CSR)<\/strong> and click <strong>Next<\/strong>.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3770 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/4-CSR.png\" alt=\"\" width=\"755\" height=\"429\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/4-CSR.png 755w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/4-CSR-300x170.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/4-CSR-50x28.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/4-CSR-60x34.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/4-CSR-35x20.png 35w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/p>\r\n<p>5. Select an algorithm from the drop-down menu and click <strong>Next<\/strong>.<br \/>Note: Select <strong>ECCP256<\/strong> or <strong>ECCP384<\/strong> for EV Code Signing Certificates as YubiKey supports only ECC algorithms for EV Code Signing. Please do not select RSA2048.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3771 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/5-algorithm.png\" alt=\"\" width=\"600\" height=\"311\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/5-algorithm.png 600w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/5-algorithm-300x156.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/5-algorithm-50x26.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/5-algorithm-60x31.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/5-algorithm-35x18.png 35w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\r\n<p>6. Enter a <strong>Subject Name<\/strong> for the certificate and click <strong>Next<\/strong>. In the example below the subject <br \/>name is set as Sectigo, but please make sure to use the name of your own organization here.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3772 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/6-subject-name.png\" alt=\"\" width=\"728\" height=\"348\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/6-subject-name.png 728w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/6-subject-name-300x143.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/6-subject-name-50x24.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/6-subject-name-60x29.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/6-subject-name-35x17.png 35w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/p>\r\n<p>7. Confirm the details shown and click Generate.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3773 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/7-generate.png\" alt=\"\" width=\"711\" height=\"352\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/7-generate.png 711w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/7-generate-300x149.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/7-generate-50x25.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/7-generate-60x30.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/7-generate-35x17.png 35w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/p>\r\n<p>8. Select a directory and enter a recognizable file name to save the CSR so you may locate it <br \/>later.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3774 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file.png\" alt=\"\" width=\"920\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file.png 920w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file-300x171.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file-768x438.png 768w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file-50x29.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file-60x34.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/8-save-file-35x20.png 35w\" sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/p>\r\n<p>9. Enter your YubiKey&#8217;s management key OR click &#8220;Use default&#8221; and click OK. <br \/><code>Default Key: 010203040506070801020304050607080102030405060708<\/code><\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3775 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/9-mgmt-key.png\" alt=\"\" width=\"575\" height=\"186\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/9-mgmt-key.png 575w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/9-mgmt-key-300x97.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/9-mgmt-key-50x16.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/9-mgmt-key-60x19.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/9-mgmt-key-35x11.png 35w\" sizes=\"auto, (max-width: 575px) 100vw, 575px\" \/><\/p>\r\n<p>10. Enter your YubiKey PIN and click OK.<br \/><code>Default PIN: 123456<\/code><\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3776 size-full\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/10-pin.png\" alt=\"\" width=\"576\" height=\"179\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/10-pin.png 576w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/10-pin-300x93.png 300w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/10-pin-50x16.png 50w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/10-pin-60x19.png 60w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/10-pin-35x11.png 35w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/p>\r\n<h2>Generate Attestation<\/h2>\r\n<p>You will use a command line interface such as Windows PowerShell or MacOS Terminal to generate the attestation file.\u00a0<\/p>\r\n<p>1. Change the directory to the YubiKey directory.<\/p>\r\n<p>Windows<\/p>\r\n<p><code>cd 'C:\\Program Files\\Yubico\\YubiKey Manager\\'<\/code><\/p>\r\n<p>MacOS<\/p>\r\n<p><code>cd\/Applications\/Yubikey\/Manager.app\/Contents\/MacOS<\/code><\/p>\r\n<p>Linux (Ubuntu), the ykman command should already be installed in your PATH, so there is no need to perform this step.<\/p>\r\n<p>3. Execute the following command to create the attestation certificate.<\/p>\r\n<p>Keep in mind:<\/p>\r\n<ul>\r\n<li>Replace &#8220;ATTESTATION-FILENAME.crt&#8221; with the full directory path and filename you want to use. For example, &#8220;C:\\Documents\\attestation.crt&#8221;<\/li>\r\n<li>If you used slot 9c, put 9c instead of 9a<\/li>\r\n<\/ul>\r\n<p>Windows:<\/p>\r\n<p><code>.\\ykman.exe piv keys attest 9a ATTESTATION-FILENAME.crt<\/code><\/p>\r\n<p>MacOS:<\/p>\r\n<p><code>\/ykman piv keys attest 9a ATTESTATION-FILENAME.crt<\/code><\/p>\r\n<p>Linux (Ubuntu):<\/p>\r\n<p><code>ykman piv keys attest 9a ATTESTATION-FILENAME.crt<\/code><\/p>\r\n<p>4. Next, use the ykman command to export the intermediate certificate from slot f9 of the YubiKey (again, replace INTERMEDIATE-FILENAME.crt with the full directory path and filename you want to use):<\/p>\r\n<p>Windows:<\/p>\r\n<p><code>.\\ykman.exe piv certificates export f9 INTERMEDIATE-FILENAME.crt<\/code><\/p>\r\n<p>MacOS:<\/p>\r\n<p><code>.\/ykman piv certificates export f9 INTERMEDIATE-FILENAME.crt<\/code><\/p>\r\n<p>Linux (Ubuntu):<\/p>\r\n<p><code>ykman piv certificates export f9 INTERMEDIATE-FILENAME.crt<\/code><\/p>\r\n<p>5. Merge the attestation and intermediate files into one using a text editor such as Notepad. You can open the .crt files in a text editor and copy\/paste the full text. The attestation CSR should be first, followed by the intermediate.<\/p>\r\n<p><a href=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3917\" src=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text.png\" alt=\"\" width=\"563\" height=\"700\" srcset=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text.png 563w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text-241x300.png 241w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text-40x50.png 40w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text-48x60.png 48w, https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/07\/attest_int_text-28x35.png 28w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/a><\/p>\r\n<p>Save this text file and upload on your certificate order form to complete enrollment.<\/p>\r\n<h2>Possible Errors<\/h2>\r\n<p><strong>ErroCode:-129 &lt;br\/&gt;ErrorMessage:service response: invalid attestation chain: expecting 2 certificates but got 1.<\/strong><\/p>\r\n<p>This error can occur if your attestation bundle does not include the intermediate file. Make sure your attestation bundle includes the attestation certificate followed by the intermediate certificate, in that order.<\/p>\r\n<p><strong>ErroCode:-129 &lt;br\/&gt;ErrorMessage:service response: failed to verify that csr public key matches public key in the attestation certificate.<\/strong><\/p>\r\n<p>This error can occur if the attestation certificate does not match the CSR submitted on the order form. You may have submitted a different CSR file than the one that generated the attestation. In this case, you may need to start over from the CSR generation step and create a new attestation package.<\/p>\r\n<p>This error can also occur if the Intermediate certificate file is ordered first in the attestation bundle, or if the bundle contains only the Intermediate with no attestation certificate. Make sure your bundle includes the attestation certificate followed by the intermediate certificate as in the example above.<\/p>\r\n<p><strong>ErroCode:-129 &lt;br\/&gt;ErrorMessage:service response: failed to parse attestation as a valid pem certificate chain.<\/strong><\/p>\r\n<p>This error can occur if the correct attestation certificate is not included in the bundle file. Please make sure you do not use the CSR file generated in YubiKey manager in place of the attestation certificate. You must generate the attestation certificate in your command line interface.<\/p>\r\n<p><strong>ErroCode-129 &lt;br\/&gt;ErrorMessage service response failed to confirm that device is fips certified<\/strong><\/p>\r\n<p>This error means your YubiKey HSM device is not FIPS-compliant and cannot be used for code signing. You need a device from the YubiKey 5 FIPS series to install code signing certificates. If your device does not include FIPS in the model name, it will not work. You can confirm the model name of your YubiKey device on the home page of YubiKey manager.<\/p>\r\n<p><a href=\"https:\/\/www.yubico.com\/products\/yubikey-fips\/\">Find YubiKey 5 FIPS compliant devices on YubiKey&#8217;s website.<\/a><\/p>\r\n<p>&nbsp;<\/p>\r\n<p>&nbsp;<\/p>\r\n<p>&nbsp;<\/p>\r\n<p>&nbsp;<\/p>\r\n<p>&nbsp;<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>This guide includes instructions for completing your code signing order using the Install on Existing HSM method, specifically for the YubiKey 5 FIPS Series. The instructions provided are for Windows only, other operating systems should refer back to Yubico for more information. This guide also assumes you already own your&#8230;<\/p>\n","protected":false},"author":1,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"ht-kb-category":[82,86],"ht-kb-tag":[],"class_list":["post-3670","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-code-signing-hardware","ht_kb_category-hsm-csr-and-attestation"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Sectigo - YubiKey 5 FIPS Series CSR and Attestation - Knowledge Base<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sectigo - YubiKey 5 FIPS Series CSR and Attestation - Knowledge Base\" \/>\n<meta property=\"og:description\" content=\"This guide includes instructions for completing your code signing order using the Install on Existing HSM method, specifically for the YubiKey 5 FIPS Series. The instructions provided are for Windows only, other operating systems should refer back to Yubico for more information. This guide also assumes you already own your...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/\" \/>\n<meta property=\"og:site_name\" content=\"Knowledge Base\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/thesslstoredotcom\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-19T15:42:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png\" \/>\n\t<meta property=\"og:image:width\" content=\"753\" \/>\n\t<meta property=\"og:image:height\" content=\"532\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@thesslstore\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Sectigo - YubiKey 5 FIPS Series CSR and Attestation - Knowledge Base","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/","og_locale":"en_US","og_type":"article","og_title":"Sectigo - YubiKey 5 FIPS Series CSR and Attestation - Knowledge Base","og_description":"This guide includes instructions for completing your code signing order using the Install on Existing HSM method, specifically for the YubiKey 5 FIPS Series. The instructions provided are for Windows only, other operating systems should refer back to Yubico for more information. This guide also assumes you already own your...","og_url":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/","og_site_name":"Knowledge Base","article_publisher":"https:\/\/www.facebook.com\/thesslstoredotcom","article_modified_time":"2026-06-19T15:42:47+00:00","og_image":[{"width":753,"height":532,"url":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_site":"@thesslstore","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/","url":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/","name":"Sectigo - YubiKey 5 FIPS Series CSR and Attestation - Knowledge Base","isPartOf":{"@id":"https:\/\/www.thesslstore.com\/knowledgebase\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/#primaryimage"},"image":{"@id":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png","datePublished":"2023-07-13T21:12:59+00:00","dateModified":"2026-06-19T15:42:47+00:00","breadcrumb":{"@id":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/#primaryimage","url":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png","contentUrl":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2023\/09\/1-YubiKey-Manager.png","width":753,"height":532},{"@type":"BreadcrumbList","@id":"https:\/\/www.thesslstore.com\/knowledgebase\/code-signing-hardware\/yubikey-5-fips-csr-and-attestation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.thesslstore.com\/knowledgebase\/"},{"@type":"ListItem","position":2,"name":"Sectigo &#8211; YubiKey 5 FIPS Series CSR and Attestation"}]},{"@type":"WebSite","@id":"https:\/\/www.thesslstore.com\/knowledgebase\/#website","url":"https:\/\/www.thesslstore.com\/knowledgebase\/","name":"Knowledge Base","description":"TheSSLstore","publisher":{"@id":"https:\/\/www.thesslstore.com\/knowledgebase\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.thesslstore.com\/knowledgebase\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.thesslstore.com\/knowledgebase\/#organization","name":"The SSL Store\u2122","url":"https:\/\/www.thesslstore.com\/knowledgebase\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.thesslstore.com\/knowledgebase\/#\/schema\/logo\/image\/","url":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2017\/04\/thesslstore.jpg","contentUrl":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-content\/uploads\/2017\/04\/thesslstore.jpg","width":300,"height":300,"caption":"The SSL Store\u2122"},"image":{"@id":"https:\/\/www.thesslstore.com\/knowledgebase\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/thesslstoredotcom","https:\/\/x.com\/thesslstore","https:\/\/www.linkedin.com\/company\/the-ssl-store","https:\/\/www.youtube.com\/user\/thesslstore"]}]}},"_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/ht-kb\/3670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/comments?post=3670"}],"version-history":[{"count":1,"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/ht-kb\/3670\/revisions"}],"predecessor-version":[{"id":4329,"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/ht-kb\/3670\/revisions\/4329"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/media?parent=3670"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/ht-kb-category?post=3670"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/knowledgebase\/wp-json\/wp\/v2\/ht-kb-tag?post=3670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}