
YubiKey PIV Certificate Management

By Patrick Grubbs

Many organizations purchase security keys like the YubiKey to streamline and secure access to various applications, but they can be used for much more.

The YubiKey in particular has the ability to be configured as the all-in-one answer to secure authentication – even for strict standards like PIV.

Do YubiKeys Have PIV-Compatible Smart Cards?

Yes, YubiKey 4 and 5 series keys can be configured with PIV certificates and PINs as per the NIST SP 800-73 specification set by the US Federal Government. Using a private key stored on the smart card, you can sign and decrypt using either RSA or ECC. YubiKeys have the added bonus of working with both contact and contactless interfaces, which can’t be said for most PIV devices.

YubiKey makes security keys that can plug into a wide array of ports (USB-B, USB-C, and Lightning Adaptor) as well as NFC options, so you can use a YubiKey for PIV authentication on any device.

YubiKey Smart Card Management System (SCMS) Options

While Yubico used to offer a dedicated YubiKey PIV Manager tool, that project has since been deprecated, and most of its functionality has moved into the general-purpose YubiKey Manager tool. A second tool, the Yubico PIV Tool (which is still supported), offers PIV management from the command line.

Additionally, Yubico offers a Mini Smart Card Driver that augments the basic PIV capabilities of a default YubiKey with more features and tighter integration with Windows infrastructure. The Mini Driver allows you to use Microsoft Windows Server 2008 R2 (or later) to manage PIV certificates and PINs, and to have a Windows certificate authority sign and issue certificates to your YubiKey.

In our capacity as an official Yubico Partner, SecureW2 has also developed a YubiKey Smart Card Management solution. It offers the same functionality as Yubico's toolset, but it integrates with a PKI so that you can manage PIV certificates from one place.

Enhanced YubiKey PIV Attestation

YubiKey 4.3 and newer come equipped with an X.509 certificate that enables attestation for the PIV application. Attestation is a vital step in securing your authentication because it lets you verify the origin of a certificate's key pair and confirm that it is legitimate.

The only trouble with the native implementation is that it requires you to use the PIV Tool command line to manually attest each certificate on each YubiKey. As you can imagine, this quickly becomes tedious.

SecureW2 can enhance your PIV attestation by integrating it into a PKI (either your existing PKI or our own managed option). You can replace the attestation certificate signed by the Yubico PIV certificate authority with one of your own, and scale the process to manage many YubiKeys at once.
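The attestation check the two paragraphs above describe, as an added example (not code from SecureW2 or Yubico): it walks the chain from the Yubico root, through the device's attestation certificate, down to the per-slot attestation statement, then extracts the attested serial number and firmware version. The Yubico extension OIDs, the slot numbers (f9 for the device attestation certificate, 9a for the authentication key) and the ECDSA chain are assumptions drawn from Yubico's attestation documentation, not from this page, and the chain it verifies is a constructed stand-in so the code runs offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
# Yubico attestation extension OIDs (assumed from Yubico's docs, not from this page)
OID_FIRMWARE = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.3")  # 3 raw bytes: major, minor, patch
OID_SERIAL = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.7")    # DER INTEGER: device serial number

def _check_signature(cert, issuer):
    # Raise unless `cert` was directly signed by `issuer` (ECDSA chain assumed)
    if cert.issuer != issuer.subject:
        raise ValueError("issuer name mismatch")
    issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))

def verify_attestation(root_pem, slot_f9_pem, statement_pem):
    """Check root -> slot f9 cert -> slot statement; return (device serial, firmware, attested public key)."""
    root, f9, stmt = (x509.load_pem_x509_certificate(p) for p in (root_pem, slot_f9_pem, statement_pem))
    _check_signature(f9, root)
    _check_signature(stmt, f9)
    ext = lambda oid: stmt.extensions.get_extension_for_oid(oid).value.value
    der = ext(OID_SERIAL)  # expected shape: 0x02 <len> <big-endian unsigned integer>
    if der[0] != 0x02 or len(der) != 2 + der[1]:
        raise ValueError("malformed serial extension")
    return int.from_bytes(der[2:], "big"), ".".join(map(str, ext(OID_FIRMWARE))), stmt.public_key()

def attestation_ok(root_pem, slot_f9_pem, statement_pem):
    # Fail closed: a bad signature, wrong issuer or missing extension means "not attested"
    try:
        verify_attestation(root_pem, slot_f9_pem, statement_pem)
        return True
    except (InvalidSignature, ValueError, x509.ExtensionNotFound):
        return False

def _sign(subject, issuer, pub, signer_key, exts=()):
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer)).public_key(pub)
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + timedelta(days=365)))
    for oid, raw in exts:
        b = b.add_extension(x509.UnrecognizedExtension(oid, raw), critical=False)
    return b.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def build_demo_chain(device_serial=12345678, firmware=(5, 4, 3)):
    """Constructed stand-in chain: fake root -> fake slot f9 cert -> fake slot 9a attestation statement."""
    root_key, f9_key, slot_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    n = (device_serial.bit_length() + 8) // 8  # minimal DER INTEGER length, with sign-bit guard byte
    serial_der = bytes([0x02, n]) + device_serial.to_bytes(n, "big")
    root = _sign("Fake PIV Root CA", "Fake PIV Root CA", root_key.public_key(), root_key)
    f9 = _sign("Fake Device Attestation", "Fake PIV Root CA", f9_key.public_key(), root_key)
    stmt = _sign("Fake Slot 9a Attestation", "Fake Device Attestation", slot_key.public_key(), f9_key,
                 [(OID_SERIAL, serial_der), (OID_FIRMWARE, bytes(firmware))])
    return root, f9, stmt
```

With a real key, the three PEM inputs would be the Yubico PIV root certificate, the certificate read from slot f9, and the statement produced by the PIV Tool's attest action for the slot being checked.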

How to Use YubiKey for PIV Authentication


Using a YubiKey for PIV authentication is intuitive to anyone who has ever used another PIV card. It is as simple as plugging the key into the reader and tapping it to authenticate, or, in the case of NFC-enabled readers, tapping the key against the device.

What Applications Accept PIV Authentication?

  • VPN
  • Wi-Fi
  • Web applications
  • Desktop logon
  • Document signing
  • E-readers

How to Install and Manage PIV Certificates on YubiKey

It is possible to use the command line interface to install or remove certificates on a YubiKey, but it is quite tedious. Using the YubiKey Manager provided by Yubico is significantly better since it has a GUI, but it still has the major shortcoming of requiring manual configuration of each key.

Neither of those options is feasible for YubiKey PIV management, since PIV is rarely deployed at less than enterprise scale. Any deployment that uses PIV authentication will require the management of hundreds or thousands of smart cards.

That’s why the best option for YubiKey PIV certificate management is SecureW2’s SCMS / CMS solution. Our certificate management system is able to deploy and manage certificates on any smart card, including security keys like the YubiKey. With our management portal, you can configure payloads to push to each device to automatically enroll them for a unique certificate.

Deploy PIN/PUK Complexity Requirements

It is sometimes overlooked, but a secure, unique PIN (and PUK!) is critical to using YubiKeys securely. Our YubiKey management solution allows you to set PIN/PUK complexity requirements for your organization.
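A PIN/PUK complexity policy of the kind described above, as an added example (not SecureW2's or Yubico's code). The limits it enforces are assumptions taken from Yubico's PIV documentation rather than from this page: the YubiKey accepts PINs and PUKs of 6 to 8 characters, ships with the factory defaults 123456 and 12345678, and many readers accept digits only.

```python
# Assumed YubiKey PIV facts (from Yubico's docs, not this page): 6-8 characters, these factory defaults
MIN_LEN, MAX_LEN = 6, 8
DEFAULT_PIN, DEFAULT_PUK = "123456", "12345678"

def _is_trivial(s):
    """True for straight runs and repeats such as 123456, 654321 or 111111."""
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(deltas) == 1 and deltas <= {-1, 0, 1}

def check_secret(value, kind, require_digits=True):
    """Return the policy violations for one PIN or PUK; an empty list means it is compliant."""
    default = DEFAULT_PIN if kind == "pin" else DEFAULT_PUK
    problems = []
    if not MIN_LEN <= len(value) <= MAX_LEN:
        problems.append(f"{kind} must be {MIN_LEN}-{MAX_LEN} characters")
    if value == default:
        problems.append(f"{kind} is the factory default")
    if require_digits and not value.isdigit():
        problems.append(f"{kind} must contain digits only")
    if len(value) > 1 and _is_trivial(value):
        problems.append(f"{kind} is a trivial sequence or repeat")
    return problems

def check_pair(pin, puk):
    """Check both values and make sure the PUK, which can reset the PIN, does not embed it."""
    problems = check_secret(pin, "pin") + check_secret(puk, "puk")
    if pin in puk:
        problems.append("puk must not contain the pin")
    return problems
```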

Our smart card management system is backed by our managed PKI, but we can integrate with any existing network infrastructure you already have. You can use our services à la carte, as many customers do with our Cloud RADIUS, or we can upgrade your whole network to WPA2-Enterprise with EAP-TLS authentication in just a few days.

Ready to use your YubiKeys for PIV authentication? We have affordable options for organizations of all sizes. Click here to see our pricing.
