PKI Annual Maintenance

Overview

This guide provides step-by-step procedures for managing an XCA-based PKI whose CA private key lives in the PIV application of a YubiKey 5C Nano (a hardware security key, not a full HSM). The guide assumes the key was generated on the token, so it cannot be exported from it and every CA signature has to happen on the YubiKey. The setup consists of the YubiKey-backed CA certificate and the TLS certificates it issues, both of which need periodic renewal.

Prerequisites

Software Requirements

  • XCA (X Certificate and Key management), current release
  • YubiKey Manager (ykman) for YubiKey status, PIN and management-key operations
  • yubico-piv-tool for PIV key and certificate operations; it also ships the libykcs11 PKCS#11 module
  • A PKCS#11 module for the token, libykcs11 (above) or OpenSC's opensc-pkcs11, which XCA loads to reach the CA key

Hardware Requirements

  • YubiKey 5C Nano with the PIV application enabled
  • CA private key stored in a YubiKey PIV slot. The commands in this guide assume slot 9a (PIV Authentication, PIN required once per session). Slot 9c (Digital Signature) demands the PIN for every signature and is the better home for a CA key if the key is ever regenerated, since it turns each issuance into an explicit, PIN-gated act.

NixOS Installation

nix-shell -p xca yubikey-manager yubico-piv-tool opensc

Annual Renewal Workflow

Phase 1: Pre-Renewal Assessment (30 days before expiration)

1.1 Check Certificate Status

# Check YubiKey status. The PIV section lists every populated slot with its key
# type, subject, issuer, serial and validity dates, plus the remaining PIN/PUK tries.
# (ykman has no "certificates list" subcommand; this is the listing.)
ykman piv info

# Inspect one slot's certificate in full ("-" makes ykman write to stdout)
ykman piv certificates export 9a - | openssl x509 -text -noout
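As an added example (not part of the original page), the following script automates the 1.1 check so it can run from cron or the monthly review: it exports every populated PIV slot with ykman, computes the days to expiry with openssl and GNU date (the coreutils date that NixOS ships), and returns 0 when all is clear, 1 when something expires within WARN_DAYS, 2 when something has already expired. The slot list, the 30-day threshold and the output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example: expiry sweep over the PIV slots and any PEM files given as arguments.
# Needs ykman, openssl and GNU date. Exit status: 0 clear / 1 warn / 2 expired.
set -eu

WARN_DAYS=${WARN_DAYS:-30}   # assumed threshold; override via the environment
SECS_PER_DAY=86400

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days until expiry (negative once expired)
days_left() {
  echo $(( ($1 - $2) / SECS_PER_DAY ))
}

# not_after_epoch PEM_FILE -> the certificate's notAfter as seconds since the epoch
not_after_epoch() {
  raw=$(openssl x509 -in "$1" -noout -enddate)   # e.g. notAfter=Mar  1 12:00:00 2026 GMT
  date -u -d "${raw#notAfter=}" +%s
}

# check_cert LABEL PEM_FILE -> prints one status line; returns 0 ok / 1 warn / 2 expired
check_cert() {
  left=$(days_left "$(not_after_epoch "$2")" "$(date -u +%s)")
  if [ "$left" -lt 0 ]; then
    printf '%-14s EXPIRED %s days ago\n' "$1" $(( 0 - left ))
    return 2
  elif [ "$left" -le "$WARN_DAYS" ]; then
    printf '%-14s WARN    %s days left\n' "$1" "$left"
    return 1
  fi
  printf '%-14s OK      %s days left\n' "$1" "$left"
}

# sweep_piv_slots -> checks every populated PIV slot; returns the worst status seen
sweep_piv_slots() {
  slot_worst=0
  tmp=$(mktemp -d)
  for slot in 9a 9c 9d 9e; do
    # ykman exits non-zero for an empty slot (or when no YubiKey is present): skip it
    if ykman piv certificates export "$slot" "$tmp/$slot.pem" 2>/dev/null; then
      slot_rc=0
      check_cert "slot $slot" "$tmp/$slot.pem" || slot_rc=$?
      if [ "$slot_rc" -gt "$slot_worst" ]; then slot_worst=$slot_rc; fi
    fi
  done
  rm -rf "$tmp"
  return "$slot_worst"
}

# main [extra.pem ...] -> sweep the token, then any PEM files named on the command line
main() {
  worst=0
  command -v ykman >/dev/null 2>&1 || echo "ykman not found; skipping PIV slots" >&2
  rc=0
  sweep_piv_slots || rc=$?
  if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  for f in "$@"; do
    rc=0
    check_cert "$(basename "$f")" "$f" || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  return "$worst"
}

main "$@"
```

Run it as `sh piv-expiry-check.sh ~/pki-backup-*/ca-cert.pem` with the YubiKey plugged in; the exit status is what a monitoring job should alert on, so the check does not depend on someone reading the output.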

1.2 XCA Database Health Check

  1. Open the XCA database and verify all certificates are visible
  2. Check certificate expiration dates in the Certificates tab
  3. Verify the CA private key is reachable: with the YubiKey plugged in and the PKCS#11 provider configured, it appears in the Private keys tab as a token key
  4. Test PKCS#11 connectivity to the YubiKey from the Token menu[1]

1.3 Backup Current State

# One backup directory per run
BACKUP=~/pki-backup-$(date +%Y%m%d)
mkdir -p "$BACKUP"

# Export the current certificates from the YubiKey (public certificates only:
# the private keys never leave the token and are not part of this backup)
ykman piv certificates export 9a "$BACKUP/ca-cert.pem"
ykman piv certificates export 9c "$BACKUP/signing-cert.pem"

# Backup the XCA database. It holds every software private key XCA manages
# (the TLS keys), protected only by the database password, so keep the copy
# on encrypted, offline media.
cp /path/to/your/database.xdb "$BACKUP/"

Phase 2: CA Certificate Renewal (Only if CA expires within 12 months)

2.1 Renew CA Certificate with Existing Key

Important: With the CA expiring in 9 months, the renewal itself can wait until 3-6 months before expiration[2]. The CA's expiry date still caps everything issued beneath it: a TLS certificate stops validating the moment its issuing CA certificate expires, so any TLS certificate issued before the CA renewal must have a notAfter no later than the CA's, or the CA must be renewed first.

  1. Right-click the CA certificate in the XCA Certificates tab
  2. Select "Renew Certificate" from the context menu[1]
  3. Configure the renewal parameters:
     - Keep the same private key (recommended): the renewed certificate carries the same public key and subject key identifier, so already-issued certificates still chain to it. A new key is a new CA, and every issued certificate has to be reissued.
     - Set the new validity period (typically 5-10 years for a CA)
     - Verify all extensions remain intact (basicConstraints CA:TRUE, keyUsage keyCertSign and cRLSign)
  4. Click OK; XCA signs the renewed certificate with the key on the YubiKey and asks for the PIN

2.2 Update YubiKey with Renewed CA

# Export the renewed CA certificate from XCA:
# Certificates tab → select the renewed CA → Export → format PEM

# Import the renewed certificate into the slot that holds the CA key (9a here).
# Only the certificate object is replaced; the key stays where it is. Writing to
# a slot needs the management key: -k with no value prompts for it. Confirm the
# new validity dates afterwards with "ykman piv info".
yubico-piv-tool -s 9a -a import-certificate -i renewed-ca-cert.pem -k

Phase 3: TLS Certificate Renewal (Immediate Priority)

3.1 Generate New TLS Certificate Request

  1. In XCA, go to the Certificate signing requests tab
  2. Click "New Request"
  3. Configure the request parameters:
     - Subject: update the Common Name and other fields as needed; modern clients match the host name against the SANs, not the CN
     - Extensions: include Subject Alternative Names (SANs) for every DNS name the server answers to
     - Key: generate a new key pair (preferred, it bounds the exposure of the old key) or reuse the existing one[3]

3.2 Sign TLS Certificate with CA

  1. Right-click the certificate request
  2. Select "Create Certificate"
  3. Choose your CA certificate as the issuer (the signature is made by the key on the YubiKey: have it plugged in and the PIN ready)
  4. Set the validity period (typically 1-2 years for TLS certificates, and never past the notAfter of the CA certificate that signs it)
  5. Verify the extensions: basicConstraints CA:FALSE, extended key usage serverAuth (and clientAuth if needed), and that the SANs from the request were carried over
  6. Click OK to sign the certificate

3.3 Export and Deploy TLS Certificate

# Export from XCA: Certificates tab → select the TLS certificate → Export.
# Choose "PEM chain" for the certificate plus its issuing CA, or "PKCS #12 with chain"
# when the private key has to travel with it. That works for the TLS key, which XCA
# holds; it can never work for the CA, whose key stays on the YubiKey.

# Deploy to your applications/servers as needed
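The XCA steps in 2.1 and 3.1-3.3 have a command-line equivalent, shown here as an added example that is neither XCA's workflow nor code from the page. It uses a file-based CA key so that it runs offline; the DNs, host names and file names are constructed for the example. What it demonstrates is the point behind "keep the same private key": a TLS certificate issued under the old CA certificate still validates against the renewed one, because the public key and the key identifier did not change, while it does not validate against a CA certificate with the same name but a different key. With the CA key on the YubiKey, the -key/-CAkey file arguments become a PKCS#11 key reference through OpenSSL's pkcs11 engine or provider; the rest is unchanged.

```sh
#!/bin/sh
# Added example: renew a CA certificate on its existing key, issue a TLS certificate
# with SANs, and check that the leaf chains to both the old and the renewed CA.
set -eu

# gen_ec_key FILE CURVE  (P-384 for the CA, P-256 for the server; both fit PIV slots)
gen_ec_key() {
  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$2" -out "$1"
}

# ca_cert KEY OUT DAYS: self-signed CA certificate over KEY. Calling it again with the
# same KEY is the "renew with existing key" step: new serial and validity dates, same
# public key and subject key identifier, so issued certificates still chain to it.
ca_cert() {
  openssl req -new -x509 -key "$1" -out "$2" -days "$3" \
    -subj "/O=Example Lab/CN=Example Lab Root CA" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"
}

# tls_csr KEY OUT CN: certificate request for a server key
tls_csr() {
  openssl req -new -key "$1" -out "$2" -subj "/CN=$3"
}

# tls_ext OUT NAME...: extensions applied at signing time, one DNS SAN per NAME.
# The authority key identifier carries the CA's key id only; the "keyid,issuer" form
# would also pin the CA certificate's serial number and stop validating after renewal.
tls_ext() {
  ext_out=$1; shift
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  cat >"$ext_out" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = $sans
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# sign_tls CSR CA_CERT CA_KEY EXTFILE OUT DAYS
sign_tls() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -out "$5" -days "$6" 2>/dev/null
}

# chains_to LEAF CA_CERT: succeeds when LEAF validates against CA_CERT alone
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# renewal_cycle DIR: issue a TLS certificate, renew the CA on the same key, and
# confirm the leaf chains to both CA certificates but not to an unrelated CA.
renewal_cycle() {
  d=$1
  gen_ec_key "$d/ca.key" P-384
  ca_cert "$d/ca.key" "$d/ca.pem" 3650
  gen_ec_key "$d/tls.key" P-256
  tls_csr "$d/tls.key" "$d/tls.csr" www.example.test
  tls_ext "$d/tls.ext" www.example.test example.test
  sign_tls "$d/tls.csr" "$d/ca.pem" "$d/ca.key" "$d/tls.ext" "$d/tls.pem" 397
  ca_cert "$d/ca.key" "$d/ca-renewed.pem" 3650          # Phase 2.1 equivalent
  gen_ec_key "$d/other.key" P-384
  ca_cert "$d/other.key" "$d/other.pem" 3650            # same name, different key
  chains_to "$d/tls.pem" "$d/ca.pem" &&
    chains_to "$d/tls.pem" "$d/ca-renewed.pem" &&
    ! chains_to "$d/tls.pem" "$d/other.pem"
}

# Run end to end: PKI_DEMO_DIR=/tmp/pki-demo sh renewal-cycle.sh
if [ -n "${PKI_DEMO_DIR:-}" ]; then
  mkdir -p "$PKI_DEMO_DIR"
  renewal_cycle "$PKI_DEMO_DIR" && echo "leaf chains to the original and renewed CA, not to the unrelated one"
fi
```

The extension file is the part to compare with your own issued certificates: if they carry the issuer name and serial in their authority key identifier (the keyid,issuer form), they will not chain to the renewed CA certificate, whose serial differs. Check that extension on an existing TLS certificate (openssl x509 -text) before renewing the CA.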

YubiKey-Specific Procedures

YubiKey PIV Slot Management

Each slot has a default PIN policy. The policy actually applied (PIN and touch) is fixed when the key is generated or imported and cannot be changed for an existing key without replacing it:

  • Slot 9a: PIV Authentication; PIN once per session (where this guide keeps the CA key)
  • Slot 9c: Digital Signature; PIN for every signature
  • Slot 9d: Key Management (encryption); PIN once per session
  • Slot 9e: Card Authentication; no PIN[4]

PKCS#11 Configuration for XCA

  1. In XCA, go to File → Options
  2. Open the PKCS#11 provider tab
  3. Add the provider library: /run/current-system/sw/lib/libykcs11.so when yubico-piv-tool is in environment.systemPackages. Inside a plain nix-shell that path does not exist; point XCA at libykcs11.so under the yubico-piv-tool store path instead.
  4. Test the connection from the Token menu to verify the YubiKey is visible[1]

YubiKey PIN Management

# Change PIN (factory default: 123456; 6-8 characters; blocked after 3 wrong tries)
ykman piv access change-pin

# Change PUK (factory default: 12345678; needed to unblock a blocked PIN)
ykman piv access change-puk

# Replace the factory-default management key, the credential that authorises writing
# keys and certificates to slots. --generate prints the new key once: record it in a
# password manager. --protect instead stores it on the YubiKey behind the PIN.
ykman piv access change-management-key --generate

Certificate Lifecycle Management

Annual Timeline

Counting months before the earliest expiration:

  • Month 11: begin monitoring expiration dates
  • Months 9-10: plan renewal activities, update documentation
  • Months 6-8: execute TLS certificate renewals
  • Months 3-4: execute CA certificate renewals (if needed)
  • Months 1-2: emergency renewal procedures if the earlier windows were missed

Best Practices

  1. Do not renew the CA and the TLS certificates in the same change[2]: when validation breaks you want a single variable to roll back
  2. Always test renewed certificates in a staging environment first (openssl verify against the deployed chain, then a real client connection)
  3. Maintain certificate chain continuity: keep the CA key on renewal, keep the subject DN, and keep issued certificates' authority key identifier on the key id rather than issuer-and-serial, so nothing that already trusts the CA breaks
  4. Document all changes, including serial numbers and validity periods
  5. Keep offline backups of certificates and of the software-held private keys[5]. A key generated on the YubiKey cannot be backed up, only replaced: the recovery plan for it is a documented CA replacement, not a restore

Troubleshooting Common Issues

"Failed to find key on token" Error

# Verify YubiKey detection
lsusb | grep -i yubi

# Check PIV application status, including which slots hold keys and the
# remaining PIN tries
ykman piv info

# Test PKCS#11 connectivity; the YubiKey must show up as a slot with a token present
pkcs11-tool --module /run/current-system/sw/lib/libykcs11.so --list-slots

# A PIN with zero tries remaining is blocked, not merely wrong, and change-pin will
# not help. Unblock it with the PUK and set a new PIN:
ykman piv access unblock-pin

XCA Database Schema Issues

XCA migrates a database forward automatically when a newer XCA opens it, so schema errors normally mean an older XCA is opening a database written by a newer one. The fix is to open it with the XCA version that last wrote it (or a newer one), not to edit the file. If you must inspect it, work on a copy of the backup:

# Open a copy of the database with sqlite3 (XCA 2.x databases are SQLite files)
sqlite3 /path/to/database.xdb

-- Check the schema version recorded by XCA
SELECT value FROM settings WHERE key_='schema';

-- Lowering the recorded version only makes an older XCA accept the file; it does
-- not convert the tables, so expect breakage. Last resort, on a copy only.
UPDATE settings SET value='8' WHERE key_='schema';

Security Considerations

YubiKey Security

  • PIN Protection: always use a non-default PIN (6-8 characters) and a non-default PUK. Three wrong PIN entries block the PIN; three wrong PUK entries block the PUK, after which only a PIV reset (which wipes the application, CA key included) helps
  • Touch Policy: require a touch for the CA key so that no signature can happen without a physical act. Touch and PIN policy are set when the key is generated or imported and cannot be added to an existing key[6]; a CA key without touch can only gain it by being regenerated, which makes it a new CA
  • Management Key: change it from the factory default and store it securely, or protect it with the PIN on the device
  • Physical Security: treat the YubiKey as the CA key material it is; whoever holds it together with the PIN can issue certificates

Certificate Security

  • Key Rotation: generate new key pairs during renewal when security requires it[2]; for the CA that is a CA replacement, not a renewal
  • Algorithm Strength: for keys that live on the YubiKey, ECC P-256 or P-384, or RSA 2048 (RSA 3072/4096 need firmware 5.7 or later; P-521 is not supported by the PIV application). For software keys held in XCA, RSA 4096 or ECC P-384 are fine.
  • Validity Periods: a shorter period bounds the damage of an undetected key compromise; use shorter periods for higher-risk certificates[7]

Emergency Procedures

If CA Private Key is Compromised

With the key on the YubiKey, compromise means the token plus its PIN were in someone else's hands, or a process with PIN access signed whatever it was asked to; the key itself was not copied. Either way the CA is finished:

  1. Remove the CA certificate from every trust store immediately. Revocation alone is not enough: whoever controls the key can issue certificates and sign CRLs that look valid
  2. Revoke all issued certificates and publish the CRL for clients that still hold the old CA
  3. Generate a new CA with a different key pair, in a fresh slot or on a reset YubiKey
  4. Re-issue all dependent certificates from the new CA
  5. Distribute the new CA certificate to all trust stores
  6. Document the incident and update security procedures

If YubiKey is Lost/Damaged

  1. Use the backup YubiKey if one exists. Two tokens can only hold the same CA key if the key was generated in software and imported into both, at the cost of having existed outside hardware; a key generated on the lost token is gone
  2. Access escrow copies of critical private keys if they exist (same condition: only software-generated, imported keys can have been escrowed)
  3. Otherwise execute the CA replacement procedure above: new key, new CA certificate, reissue everything, update trust stores
  4. Review and update disaster recovery procedures

Maintenance Schedule

Weekly

  • Verify YubiKey accessibility and PIN functionality (ykman piv info shows the remaining PIN tries; a mistyped test PIN costs one)
  • Check XCA database accessibility

Monthly

  • Review certificate expiration reports
  • Test backup and recovery procedures

Quarterly

  • Update XCA software and dependencies, then confirm the database still opens cleanly
  • Review and update this documentation
  • Test emergency procedures

Annually

  • Execute renewal procedures as outlined above
  • Comprehensive security review of PKI infrastructure
  • Update cryptographic algorithms as needed

Quick Reference Commands

# YubiKey Status Check
ykman piv info

# Certificate Export (public certificate only)
ykman piv certificates export 9a cert.pem

# Certificate Import (needs the management key; -k without a value prompts for it)
yubico-piv-tool -s 9a -a import-certificate -i cert.pem -k

# Generate New Key. This overwrites the key already in the slot, i.e. it replaces
# the CA; there is no undo. Set the PIN and touch policy here, because they cannot
# be changed afterwards.
yubico-piv-tool -s 9a -a generate -A RSA2048 --pin-policy=always --touch-policy=always -o public.pem -k

# PKCS#11 Test. Private key objects are only listed after --login (PIN prompt)
pkcs11-tool --module /run/current-system/sw/lib/libykcs11.so --login --list-objects

This README should be stored alongside your XCA database and updated annually with any procedural changes or lessons learned from renewal activities. The procedures outlined here follow industry best practices for PKI certificate lifecycle management while accommodating the specific requirements of YubiKey hardware security modules[1][2][8][7].

References

[1] https://hohnstaedt.de/xca-doc/html/certificates.html
[2] https://www.encryptionconsulting.com/best-practice-ca-certificates-renewal/
[3] https://www.digicert.com/faq/public-trust-and-certificates/how-do-i-renew-a-tls-ssl-certificate
[4] https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html
[5] https://www.reddit.com/r/selfhosted/comments/b3djov/certificate_management_tools/
[6] https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html
[7] https://www.linkedin.com/pulse/best-practices-certificate-authority-ca-certificates-wx46c
[8] https://swjm.blog/everything-you-need-to-know-about-yubikey-piv-attestation-55cf793a52ea
[9] https://www.reddit.com/r/yubikey/comments/o692fn/offline_ca/
[10] https://docs.digicert.com/en/certcentral/manage-certificates/renew-an-ssl-tls-certificate.html
[11] https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/renew-root-ca-certificate
[12] https://docs.keyfactor.com/ejbca/9.0/using-yubikeys-with-ejbca
[13] https://github.com/chris2511/xca/issues/82
[14] https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_renewing-a-tls-certificate_securing-rhds
[15] https://www.securew2.com/blog/renew-certificates-microsoft-ca
[16] https://developers.yubico.com/PIV/Guides/Windows_CA_issued_certificate.html
[17] https://www.ibm.com/docs/en/api-connect/10.0.x_cd?topic=connect-renewing-tls-certificates
[18] https://learn.microsoft.com/en-us/answers/questions/1857526/renewing-clustered-certificate-authority
[19] https://support.yubico.com/hc/en-us/articles/360015668979-Setting-up-smart-card-login-for-user-self-enrollment
[20] https://www.sectigo.com/resource-library/how-to-renew-ssl-certificates-how-to-automate-the-process
[21] https://docs.oracle.com/en-us/iaas/Content/certificates/renewing-certificate-authority.htm
[22] https://support.sectigo.com/IS_KnowledgeDetailPage?Id=kA03l000000roEV
[23] https://support.avaya.com/css/public/documents/101056931
[24] https://www.youtube.com/watch?v=CkCURf3aVis
[25] https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/
[26] https://cromwell-intl.com/cybersecurity/yubikey/pam_pkcs11.html
[27] https://github.com/openavr/simple-cert-authority
[28] https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-authentication
[29] https://www.securew2.com/blog/yubikey-piv-certificate-slot-configuration
[30] https://gist.github.com/paultag/2c35b62e85a032856c2cb97345c3d24d
[31] https://sslinsights.com/how-to-create-csr-and-key-attestation-using-yubikey-token/
[32] https://forum.yubico.com/viewtopice59e.html?p=9555
[33] https://support.yubico.com/hc/en-us/articles/18706910948380-Generating-a-CSR-using-OpenSSL-PKCS-11-provider-and-the-YubiHSM2
[34] https://www.digi.com/support/knowledge-base/how-to-create-a-ca-signed-certificate-using-xca-ap
[35] https://curity.io/resources/learn/yubihsm-integration/
[36] https://jamesog.net/2023/03/03/yubikey-as-an-ssh-certificate-authority/
[37] https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-pkcs11-guide.html
[38] https://www.ssl.com/how-to/key-generation-and-attestation-with-yubikey/
[39] https://www.maine.gov/mema/sites/maine.gov.mema/files/inline-files/AD%20Certificate%20Services%20Smart%20Card.pdf
[40] https://gist.github.com/faun/20b292ed2ccc36d7e4733d7329148dca
[41] https://community.fortinet.com/tpykb84852/attachments/tpykb84852/TKB20/3938/1/Creating%20and%20Managing%20Certificates%20by%20using%20XCA%20tool.pdf
[42] https://support.axway.com/en/articles/download-attachment/hash/e12358debe3bb3a1c55d82fcc1cf9633-1/kb/180293
[43] https://www.bussink.ch/?p=1847
[44] https://man.archlinux.org/man/extra/xca/xca.1.en
[45] https://docs.johnsoncontrols.com/bas/r/Metasys/en-US/VRF-Smart-Gateway-Network-and-IT-Guidance-Technical-Bulletin/1/Steps/Creating-a-Certificate-Request/Creating-a-Certificate-Request-CSR
[46] https://www.microsoft.com/pkiops/Docs/Content/policy/Microsoft_PKI_Services_CP_v3.1.7.pdf
[47] https://www.youtube.com/watch?v=1ZJ2DKL_5Cg
[48] https://www.idmanagement.gov/fpki/
[49] https://docs.fortinet.com/document/fortigate/6.2.17/cookbook/320832/creating-certificates-with-xca
[50] https://github.com/chris2511/xca
[51] https://www.ibm.com/docs/en/zos/3.1.0?topic=certificates-steps-renewing-your-pki-services-ca-certificate
[52] https://documentation.suse.com/sles/15-SP6/html/SLES-all/cha-security-xca.html
[53] https://hohnstaedt.de/xca-doc/html/privatekey.html
[54] https://www.ibm.com/docs/en/zos/3.1.0?topic=certificates-steps-renewing-your-pki-services-ra-certificate
[55] https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-security-xca.html
[56] https://developer.hashicorp.com/vault/tutorials/pki/pki-engine
[57] https://hohnstaedt.de/xca-doc/html/step-by-step.html