# User Certificate

{% hint style="warning" %}
SCEPman Enterprise Edition only
{% endhint %}

{% hint style="info" %}
This feature requires version 2.4 or above
{% endhint %}

You can manually generate X.509 user certificates including a private key via the SCEPman Certificate Master Web UI. Those certificates can be used in various certificate-based authentication (CBA) scenarios, for smart cards and email signatures. By default, generated certificates will have the EKU **Client Authentication** and a Subject Alternative Name (SAN) set to a UPN-type property where the value matches the UPN provided in the UI.

### Issuing a User Certificate

1. Navigate to **New User Certificate** in the SCEPman Certificate Master menu.
2. Enter a UPN for the certificate and select the required EKUs.
3. Click **Submit**. Once the certificate is issued a few seconds later, the browser automatically downloads the certificate with the private key in PKCS#12/PFX format. The PKCS#12 file is encrypted with the password shown on the screen. Using that password, you can import the PKCS#12 file directly on the system where it is needed.

{% hint style="warning" %}
Be aware that once you navigate away from this page, the password will no longer be accessible.
{% endhint %}

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FfNlpkOFKRoaOJXWCTAAG%2Fimage.png?alt=media&#x26;token=e7a0a46d-a0bc-4cd4-a237-4dc088f5b966" alt=""><figcaption><p>Certificate Master - New User Certificate</p></figcaption></figure>

## YubiKey

Perform the steps below to enroll a smart card certificate on your YubiKey device.

### Checklist: Prerequisites

* [ ] *Mandatory* - Access to Certificate Master and a suitable role (`Admin.Full`, `Request.All`, `Request.User`)
* [ ] *Mandatory* - Access to a YubiKey device with a free smart card slot
* [ ] *Mandatory* - YubiKey Manager is installed

### Steps

1. Open the Certificate Master web portal and click on the **+** icon
2. Select **New User Certificate**
3. Specify the **UPN** as per your requirements
4. Set the **Key Length** to **2048** bits (YubiKey currently does not support 4096-bit keys).
5. Select **PKCS#12** as **Download file format**
6. Select **Client Authentication** and **Smart card Logon** from the **Extended Key Usages**

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2F2DV0KKFUYhO0vtguLIjV%2Fimage.png?alt=media&#x26;token=e53988a2-4cf0-497e-afc4-3a036509c2bb" alt=""><figcaption></figcaption></figure>

7. Before clicking **Submit**, make a temporary note of the **Password**, as it will be required when importing the certificate to the YubiKey.
8. Open the YubiKey Manager
9. Navigate to **Applications** **>** **PIV** and click **Configure Certificates**

   <figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FkWxntxxG3C8RzLwHC0vW%2Fimage.png?alt=media&#x26;token=b15a3e59-e989-4bd0-a000-80a080ce62db" alt=""><figcaption></figcaption></figure>
10. Select **Authentication (Slot 9a)** and click **Import**
11. Upload the certificate that was previously generated from Certificate Master and provide the **Password**.
12. Set a **Management key** and click **OK**

   <figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FmqPYzFhQBzOLZzjdyriC%2Fimage.png?alt=media&#x26;token=8ca60bb1-9d37-442d-8892-ac606d8f5a23" alt=""><figcaption></figcaption></figure>
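A pre-import check for the PKCS#12 file produced in the steps above, added here as an example and not part of SCEPman or its documentation: it confirms an RSA 2048 key, the **Client Authentication** and **Smart card Logon** EKUs, and the expected UPN in the SAN. It assumes the third-party Python `cryptography` package and that the UPN is carried as the standard otherName (OID 1.3.6.1.4.1.311.20.2.3); `check_pfx`, `decode_utf8string` and `make_sample_pfx` are hypothetical names, and the sample certificate is a constructed self-signed stand-in for a real download.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509  # assumption: third-party "cryptography" package installed
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # SAN otherName: UPN
CLIENT_AUTH = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2")
SMARTCARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")

def decode_utf8string(der):
    """Decode a DER UTF8String (tag 0x0C), short or long length form."""
    if len(der) < 2 or der[0] != 0x0C:
        return ""
    n, off = der[1], 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        off, n = 2 + (n & 0x7F), int.from_bytes(der[2:2 + (n & 0x7F)], "big")
    return der[off:off + n].decode("utf-8", "replace")

def check_pfx(pfx_bytes, password, expected_upn):
    """Return a list of problems; empty means the file matches the steps above."""
    key, cert, _ = pkcs12.load_key_and_certificates(pfx_bytes, password.encode())
    problems = []
    if not isinstance(key, rsa.RSAPrivateKey) or key.key_size != 2048:
        problems.append("private key is not RSA 2048")
    exts = {e.oid: e.value for e in cert.extensions}  # absent extension -> default
    missing = {CLIENT_AUTH, SMARTCARD_LOGON} - set(exts.get(x509.ExtendedKeyUsage.oid, []))
    problems += [f"missing EKU {o.dotted_string}" for o in sorted(missing, key=str)]
    upns = [decode_utf8string(g.value) for g in exts.get(x509.SubjectAlternativeName.oid, [])
            if isinstance(g, x509.OtherName) and g.type_id == UPN_OID]
    if expected_upn.lower() not in (u.lower() for u in upns):
        problems.append(f"UPN {expected_upn} not in SAN")
    return problems

def make_sample_pfx(upn, password, bits=2048, ekus=(CLIENT_AUTH, SMARTCARD_LOGON)):
    """Constructed self-signed stand-in for a Certificate Master download."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    san = x509.OtherName(UPN_OID, bytes([0x0C, len(upn.encode())]) + upn.encode())
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
            .add_extension(x509.SubjectAlternativeName([san]), critical=False)
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        b"sample", key, cert, None, serialization.BestAvailableEncryption(password.encode()))
```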


