How to extend expired subkeys in FIDO U2F hardware keys

If your subkeys have expired and you want to extend their expiration dates on your YubiKeys, follow these steps on your macOS machine. We'll use the command line tool gpg to perform these operations. Please ensure you have GnuPG installed on your Mac. If not, you can install it using Homebrew (https://brew.sh) by running brew install gnupg.

  1. Insert the first YubiKey: Insert one of the YubiKeys into your Mac's USB port.

  2. List keys: In the terminal, type the following command to list your GPG keys and find the Key ID you want to extend:

gpg --list-keys

Find the Key ID associated with your key. It's usually an 8- or 16-character alphanumeric string (e.g., 1234ABCD).

  3. Edit the key: Start editing the key using the following command:

gpg --edit-key <your_key_id>

Replace <your_key_id> with the actual Key ID.

  4. Toggle to key 1: Enter the following command to select the first subkey:

key 1

  5. Extend the expiration date: To extend the subkey's expiration date, use the expire command. You can set a new expiration date by specifying the number of days, weeks, months, or years from today:

expire

Follow the prompts to set a new expiration date. It's recommended to set a reasonable expiry date (e.g., 2 or 3 years) to maintain security.

  6. Repeat for other subkeys: If you have more subkeys to extend, repeat steps 4 and 5 for each of them. Replace key 1 with key 2, key 3, etc., as needed.

  7. Save changes: Once you've set new expiration dates for all the subkeys, enter the following command to save the changes:

save

  8. Repeat for other YubiKeys: Eject the first YubiKey and repeat steps 1-7 for each of your remaining YubiKeys.

Once you've completed these steps for all your YubiKeys, the subkeys' expiration dates will be extended. You can verify the changes by running gpg --list-keys again and checking the updated expiration dates for your subkeys.
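
To make that final check repeatable instead of reading dates by eye, the following added example (not part of the original article) parses GnuPG's --with-colons listing and flags subkeys that are expired or expire within a chosen window. The function names, sample listing and key IDs are constructed for illustration, and the script assumes field 7 holds epoch seconds.

```shell
#!/bin/sh
# Added example, not from the original article.
# Input: output of `gpg --list-keys --with-colons <your_key_id>` on stdin.
# Colon-format fields used on "sub" records:
#   2 = validity ("e" means expired), 5 = key ID,
#   7 = expiration time (assumed epoch seconds; empty = no expiry),
#   12 = capabilities (s = sign, e = encrypt, a = authenticate).

# subkey_expiry_report NOW_EPOCH WARN_DAYS  (hypothetical helper name)
# Prints one line per subkey: KEYID CAPS STATUS DAYS_LEFT
subkey_expiry_report() {
    awk -F: -v now="$1" -v warn_days="$2" '
        $1 == "sub" {
            expiry = $7
            if (expiry == "") {
                status = "never-expires"; days = "-"
            } else {
                days = int((expiry - now) / 86400)
                if ($2 == "e" || expiry + 0 <= now + 0) status = "EXPIRED"
                else if (expiry - now <= warn_days * 86400) status = "expires-soon"
                else status = "ok"
            }
            printf "%s %s %s %s\n", $5, $12, status, days
        }'
}

# needs_extension NOW_EPOCH WARN_DAYS  (hypothetical helper name)
# Exit status 0 if any subkey is expired or inside the warning window.
needs_extension() {
    subkey_expiry_report "$1" "$2" | grep -Eq ' (EXPIRED|expires-soon) '
}

# Constructed sample listing (records trimmed; key IDs and dates are made up).
sample_listing() {
    cat <<'EOF'
pub:u:255:22:AAAAAAAAAAAAAAAA:1600000000:::u:::cSC:
uid:u::::1600000000::::Example User <user@example.invalid>:
sub:e:255:22:1111111111111111:1600000000:1699913600:::::s:
sub:u:255:18:2222222222222222:1600000000:1700864000:::::e:
sub:u:255:22:3333333333333333:1600000000:1763072000:::::a:
EOF
}

# Real use:
#   gpg --list-keys --with-colons <your_key_id> | subkey_expiry_report "$(date +%s)" 30
```

Running the report before step 3 and again after step 7 shows which subkeys changed status; needs_extension can be used in a scheduled job to warn before the next expiry.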