ImportCertificate Method
ImportCertificate(Byte, X509Certificate2)
Import a certificate into the given slot.
public void ImportCertificate(byte slotNumber, X509Certificate2 certificate)
Parameters
Type | Name | Description |
---|---|---|
System.Byte | slotNumber | The slot into which the certificate will be imported. |
System.Security.Cryptography.X509Certificates.X509Certificate2 | certificate | The certificate to import into the YubiKey. |
Exceptions
Type | Condition |
---|---|
System.ArgumentNullException | The |
System.ArgumentException | The slot specified is not valid for importing a certificate. |
System.InvalidOperationException | There is no |
System.OperationCanceledException | The user canceled management key collection. |
System.Security.SecurityException | Mutual authentication was performed and the YubiKey was not authenticated. |
Remarks
When you import a certificate, you specify which slot will hold this cert. If there is a cert in that slot already, this method will replace it.
The PIV standard specifies that the maximum length of a cert is 1,856 bytes. The YubiKey allows for certs up to 3,052 bytes. However, if you want your application to be PIV-compliant, then use certs no longer than 1,856 bytes.
This method will not verify that the cert matches the private key in the slot. It will simply store the cert given in the slot specified.
In order to perform this operation, the management key must be authenticated during this session. If it has not been authenticated, this method will call AuthenticateManagementKey(Boolean). That is, your application does not need to authenticate the management key separately (i.e., call TryAuthenticateManagementKey or AuthenticateManagementKey); this method will determine whether the management key has been authenticated, and if not, it will make the call to perform mutual authentication.
The authentication method will collect the management key using the KeyCollector delegate. If no such delegate has been set, it will throw an exception.
The KeyCollector has an option to cancel the operation. That is, the AuthenticateManagementKey method will call the KeyCollector requesting the management key, and it is possible that during the collection operations, the user cancels. The KeyCollector will return to the authentication method noting the cancellation. In that case, it will throw an exception. If you want the authentication to return false on user cancellation, you must call TryAuthenticateManagementKey(Boolean) directly before calling this method.
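The Remarks leave three checks to the caller: certificate size, whether the cert matches the key in the slot, and cancellation handling. The following wrapper is an added example, not code from the SDK; CertImportGuard, ImportResult and the expectedPublicKey parameter are hypothetical names, and it assumes the caller already set the session's KeyCollector and recorded the slot's public key when the key pair was generated.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey.Piv;

public enum ImportResult { Imported, TooLarge, NotPivCompliant, KeyMismatch, AuthCanceled }

public static class CertImportGuard
{
    private const int PivMaxCertLength = 1856;      // PIV standard limit, from the Remarks
    private const int YubiKeyMaxCertLength = 3052;  // YubiKey limit, from the Remarks

    // expectedPublicKey (assumption): the slot's public key as recorded by the
    // caller at key generation, in the encoding X509Certificate2.GetPublicKey() returns.
    public static ImportResult TryImport(
        PivSession piv, byte slotNumber, X509Certificate2 certificate,
        byte[] expectedPublicKey, bool requirePivCompliance)
    {
        if (piv is null) throw new ArgumentNullException(nameof(piv));
        if (certificate is null) throw new ArgumentNullException(nameof(certificate));
        if (expectedPublicKey is null) throw new ArgumentNullException(nameof(expectedPublicKey));

        // Assumption: the documented limits are measured on the DER encoding (RawData).
        int length = certificate.RawData.Length;
        if (length > YubiKeyMaxCertLength) return ImportResult.TooLarge;
        if (requirePivCompliance && length > PivMaxCertLength) return ImportResult.NotPivCompliant;

        // ImportCertificate stores whatever it is given, so reject a cert whose
        // public key is not the one generated in this slot before writing it.
        if (!certificate.GetPublicKey().SequenceEqual(expectedPublicKey))
        {
            return ImportResult.KeyMismatch;
        }

        // Authenticate explicitly so that a user cancellation comes back as
        // false here instead of as OperationCanceledException from the import.
        if (!piv.TryAuthenticateManagementKey(true))
        {
            return ImportResult.AuthCanceled;
        }

        // Replaces any certificate already stored in the slot.
        piv.ImportCertificate(slotNumber, certificate);
        return ImportResult.Imported;
    }
}
```

The other exceptions listed above (invalid slot, missing KeyCollector, failed mutual authentication) still propagate to the caller.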