[viraptor]

Sounds like the hardware key requires a pin, but not physical presence (i.e. not a button touch), so it can be automated https://stackoverflow.com/questions/17927895/automate-extend...

[inspector-g]

One of my clients has strict requirements for an automated build process, and we managed to use an EV code signing cert on a YubiKey w/ PIN - so it’s definitely possible with a little leg work.

After having gone through it, I agree with other posts that the main annoyance is the verification process and weeks of delays/back-and-forth. That, and the inconvenience of now having a single point of failure in the build process (unless multiple certs are purchased).

[traceroute66]

> inconvenience of now having a single point of failure in the build process (unless multiple certs are purchased).

Except that's not quite true is it.

Most (all ?) devices (even the cheap USB ones) have secure wrapped backup/restore mechanisms.

All you had to do was set up your device correctly in the first place (since the wrapping can't be activated retrospectively).

Some of the cert vendors even have ready-made instructions available to follow on their website telling you exactly how to do this: https://www.ssltrust.co.uk/help/setup-guides/mofn-setup-nitr...

RTFM as they say. ;-)

[inspector-g]

Correct me if I'm wrong, but when a fully preconfigured YubiKey is shipped to you as part of the EV cert fulfillment, then there is no way to do this after-the-fact.