YubiKey Smart Card Deployment Guide


Yubico changes the game for strong authentication, providing superior security with unmatched ease-of-use. Our core invention, the YubiKey, is a small USB and NFC device supporting multiple authentication and cryptographic protocols. With a simple touch, it protects access to computers, networks, and online services for the world’s largest organizations.

PIV and YubiKeys

The YubiKey 5 Series devices, YubiKey 4 Series devices, and the YubiKey FIPS Series devices all support the Personal Identity and Verification Card (PIV) interface specified in the National Institute of Standards and Technology (NIST), SP 800-73-4 document, Interfaces for Personal Identity Verification. Microsoft Windows supports traditional PIV smart cards for user authentication, allowing the YubiKey to be utilized as a strong authentication solution.

The YubiKey Minidriver extends the support of the YubiKey on Windows from just authentication to allowing Windows to load and directly manage certificates on it. This allows for an easy to use, easy to deploy scalable implementation of strong multi-factor authentication across an entire organization utilizing the native Windows tools and the YubiKey.

PIV Deployment

This document covers the basic steps required to set up an Active Directory domain environment for smart card authentication, including considerations before provisioning YubiKeys for smart card login. We recommend that a qualified domain administrator be in charge of the process and that you use these instructions as a guideline for deployment. Rather than cover the complexities inherent in a corporate environment (for example, an Enterprise Root Certification Authority, multiple Subordinate Certificate Authorities, Certificate Revocation Lists, and so on), these instructions cover only the basic topics.


YubiKey Smart Card & Minidriver Deployment Guides

YubiKey Minidriver Features
Overview of the features and functions the YubiKey Minidriver adds to the native Windows Smart Card framework.

YubiKey Smart Card Deployment Considerations
YubiKey Minidriver environmental and system requirements and compatibility, as well as items to consider prior to setup.

Setting up Windows Server for YubiKey PIV Authentication
Configuring Windows Server for Smart Card Authentication using the YubiKey.

Smart Card Login for User Self-Enrollment
Steps on setting up Windows Server to allow users to enroll their own YubiKeys as smart cards directly.

Smart Card Login for Enroll on Behalf of
Steps on setting up Windows Server to allow IT admins, help desk staff or others to enroll YubiKeys on behalf of other users.

Smart Card Deployment: Manually Importing User Certificates
Instructions on importing User certificates created on a different server.

Deploying the YubiKey Minidriver to Workstations and Servers
How to deploy the YubiKey Minidriver to endpoints and servers.

YubiKey PIN and PUK User Management
How users and administrators can set or change the PIN and PIN Unlock Key (PUK)

Smart Card Basic Troubleshooting
Basic troubleshooting for the YubiKey as a PIV Smart Card with Windows.


Getting Additional Help

For more information, and to get help with your YubiKeys, see:

TIP: When filing a ticket, to assist in diagnosing issues, we recommend that you include a log file containing the issue observed. To enable the debug log file, add the following registry key. Log files will be created for each running process in C:\Logs. Key: HKLM\Software\Yubico\ykmd  Value: DebugOn (DWORD) - to enable logging set value to 1.

Yubico Support is limited to addressing issues regarding the direct use of YubiKeys with a deployed Windows Active Directory Certificate Services. Issues falling outside of this responsibility include but are not limited to inaccessible CRL, domain trust issues, expired server certificates, cached credentials, Kerberos ticket issues and other features outside of Smart Card authentication and issuance.