# User Certificate

{% hint style="warning" %}
SCEPman Enterprise Edition only
{% endhint %}

{% hint style="info" %}
This feature requires version 2.4 or above
{% endhint %}

You can manually generate X.509 user certificates including a private key via the SCEPman Certificate Master Web UI. Those certificates can be used in various certificate-based authentication (CBA) scenarios, for smart cards and email signatures. By default, generated certificates will have the EKU **Client Authentication** and a Subject Alternative Name (SAN) set to a UPN-type property where the value matches the UPN provided in the UI.

### Issuing a User Certificate

1. Navigate to **New User Certificate** in the SCEPman Certificate Master menu.
2. Enter a UPN for the certificate and select the required EKUs.
3. Click **Submit**. The certificate is issued a few seconds later, and the browser then automatically downloads it together with the private key in PKCS#12/PFX format. The PKCS#12 file is encrypted with the password shown on the screen. You can import the PKCS#12 file directly on the system where it is needed, using that password.

{% hint style="warning" %}
Be aware that once you navigate away from this page, the password will no longer be accessible.
{% endhint %}

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FfNlpkOFKRoaOJXWCTAAG%2Fimage.png?alt=media&#x26;token=e7a0a46d-a0bc-4cd4-a237-4dc088f5b966" alt=""><figcaption><p>Certificate Master - New User Certificate</p></figcaption></figure>

## YubiKey

Perform the steps below to enroll a smart card certificate on your YubiKey device.

### Checklist: Prerequisites

* [ ] *Mandatory* - Access to Certificate Master and a suitable role (`Admin.Full`, `Request.All`, `Request.User`)
* [ ] *Mandatory* - Access to a YubiKey device with a free smart card slot
* [ ] *Mandatory* - YubiKey Manager is installed

### Steps

1. Open the Certificate Master web portal and click on the **+** icon
2. Select **New User Certificate**
3. Specify the **UPN** as per your requirements
4. Set the **Key Length** to **2048** bits (YubiKey currently does not support 4096-bit keys).
5. Select **PKCS#12** as **Download file format**
6. Select **Client Authentication** and **Smart card Logon** from the **Extended Key Usages**

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2F2DV0KKFUYhO0vtguLIjV%2Fimage.png?alt=media&#x26;token=e53988a2-4cf0-497e-afc4-3a036509c2bb" alt=""><figcaption></figcaption></figure>

7. Before clicking **Submit**, make a temporary note of the **Password**, as it will be required when importing the certificate to the YubiKey.
8. Open the YubiKey Manager
9. Navigate to **Applications** **>** **PIV** and click **Configure Certificates**

   <figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FkWxntxxG3C8RzLwHC0vW%2Fimage.png?alt=media&#x26;token=b15a3e59-e989-4bd0-a000-80a080ce62db" alt=""><figcaption></figcaption></figure>
10. Select **Authentication (Slot 9a)** and click **Import**
11. Upload the certificate that was previously generated from Certificate Master and provide the **Password**.
12. Set a **Management key** and click **OK**

   <figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FmqPYzFhQBzOLZzjdyriC%2Fimage.png?alt=media&#x26;token=8ca60bb1-9d37-442d-8892-ac606d8f5a23" alt=""><figcaption></figcaption></figure>
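
Before importing into slot 9a, the downloaded PKCS#12 file can be checked against the values chosen in the steps above (2048-bit RSA key, both EKUs, UPN in the SAN). The following is an added example, not SCEPman or Yubico code; it assumes the Python `cryptography` package and that the UPN is stored as a Microsoft UPN otherName, and `check_pfx` and `make_sample_pfx` are hypothetical names, the latter building a constructed self-signed file as test data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH                # EKU: Client Authentication
SC_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")   # EKU: Smart Card Logon
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")    # SAN otherName type: UPN

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return ()  # extension absent: treat as empty

def check_pfx(pfx, password, upn):
    """Return a list of problems; an empty list means the file matches the steps above."""
    key, cert, _ = pkcs12.load_key_and_certificates(pfx, password.encode())
    if key is None or cert is None:
        return ["PKCS#12 file lacks a private key or certificate"]
    ok_key = isinstance(key, rsa.RSAPrivateKey) and key.key_size == 2048
    problems = [] if ok_key else ["key is not RSA 2048"]
    ekus = set(_ext(cert, x509.ExtendedKeyUsage))
    wanted = ((CLIENT_AUTH, "Client Authentication"), (SC_LOGON, "Smart Card Logon"))
    problems += [f"missing EKU {label}" for oid, label in wanted if oid not in ekus]
    upns = []
    for n in _ext(cert, x509.SubjectAlternativeName):
        if isinstance(n, x509.OtherName) and n.type_id == UPN_OID and n.value[:1] == b"\x0c":
            skip = 2 if n.value[1] < 0x80 else 2 + (n.value[1] & 0x7F)  # DER length form
            upns.append(n.value[skip:].decode().lower())
    if upn.lower() not in upns:
        problems.append("SAN has no matching UPN")
    return problems

def make_sample_pfx(upn, password, bits=2048, ekus=(CLIENT_AUTH, SC_LOGON)):
    """Constructed self-signed stand-in for a downloaded file (test data, UPN < 128 bytes)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    der_upn = bytes([0x0C, len(upn.encode())]) + upn.encode()  # DER UTF8String
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_upn)]), False)
            .sign(key, hashes.SHA256()))
    enc = serialization.BestAvailableEncryption(password.encode())
    return pkcs12.serialize_key_and_certificates(b"sample", key, cert, None, enc)
```

For a real download, pass the file's bytes and the password shown in Certificate Master to `check_pfx`; a wrong password raises `ValueError` from the loader.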
