Main Page: YubiKey Smart Card Deployment Guide
YubiKey Smart Card Minidriver Features
Use Multiple Authentication Credentials
Use the Minidriver to view all User Authentication Certificates on the YubiKey smart card. They are displayed for use by applications based on the certificate's Key Usage Extension and Extended Key Usage Extension.
Set / Change Smart Card PIN
- Provides the ability to set the smart card PIN during enrollment through the Windows interface.
- Provides the ability to change the PIN directly through the Windows interface.
Unblock a Blocked PIN
When a user enters their PIN incorrectly three times consecutively, the PIN is blocked and the smart card features are unusable until the PIN is unblocked.
If a PIN Unlock Key (PUK) was created for the device, the YubiKey Minidriver allows the PIN to be unblocked directly in the Windows interface by providing the PUK in hexadecimal format.
IMPORTANT: A PUK cannot be created via the minidriver. To create a PUK for a YubiKey, follow the instructions in the "Setting PIN Unblock Code (PUK)" section using YubiKey Manager or the Yubico PIV tool. If no PUK is created and you forget your PIN, the device will need to be reset, which permanently deletes all private keys and certificates; new certificates and private keys must then be created.
Set Policy for Touch to Allow Private Key Use
(YubiKey 4 & 5 devices on firmware version 4.3 and higher, YubiKey NEO not supported)
Set the policy to determine if touching the YubiKey's button is required to use the certificate's private key. This is an additional protection against use of a private key without explicit user intent. The policy is stored in the YubiKey's secure element during private key creation or import and cannot be changed. If a different policy is desired, a new certificate and private key must be created.
Touch Policy Options:
- Cached (for 15 seconds per touch)
- Never (no touch required) (default)
The default can be changed via a Windows registry entry and applies to all new certificate / private key pairs added to the YubiKey. If different policies are required per certificate, the registry entry must be changed prior to each certificate's creation. See Deploying the YubiKey Minidriver to Workstations and Servers for additional information.
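Because the registry value is read at key-creation time and applies to every key created while it is in force, a per-certificate touch policy means setting the value, enrolling, and restoring the previous value. The following PowerShell is an added example (not Yubico's code): the registry path and value name are placeholders to be taken from "Deploying the YubiKey Minidriver to Workstations and Servers", and the numeric policy value is passed in rather than assumed. It drives the built-in Windows enrollment with certreq.exe -enroll -user, which is the same provisioning path the minidriver's auto-enrollment uses.

```powershell
# Added example, not Yubico's or the minidriver's code.
# Sets the touch-policy registry value, enrolls one certificate, then restores the
# previous value so later enrollments do not silently inherit this policy.
# PLACEHOLDERS: $RegistryPath and $ValueName must be replaced with the real key and
# value documented in the deployment guide; $PolicyValue is the documented DWORD.
function Invoke-EnrollmentWithTouchPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TemplateName,      # certificate template to enroll
        [Parameter(Mandatory)] [uint32] $PolicyValue,       # touch policy DWORD (from the guide)
        [string] $RegistryPath = 'HKLM:\SOFTWARE\<MinidriverVendorKey>',  # placeholder
        [string] $ValueName    = '<TouchPolicyValueName>'                  # placeholder
    )

    # Remember the current value so the default is restored even if enrollment fails.
    $previous = $null
    if (Test-Path -Path $RegistryPath) {
        $previous = (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }

    try {
        if ($PSCmdlet.ShouldProcess("$RegistryPath\$ValueName", "set to $PolicyValue and enroll $TemplateName")) {
            if (-not (Test-Path -Path $RegistryPath)) {
                New-Item -Path $RegistryPath -Force | Out-Null
            }
            Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $PolicyValue -Type DWord

            # The minidriver generates the key with whatever policy is in force right now;
            # the policy is burned into the key and cannot be changed afterwards.
            & certreq.exe -enroll -user $TemplateName
            if ($LASTEXITCODE -ne 0) {
                throw "certreq -enroll failed with exit code $LASTEXITCODE"
            }
        }
    }
    finally {
        # Put the registry back: restore the old value, or remove ours if there was none.
        if ($null -ne $previous) {
            Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $previous -Type DWord
        }
        elseif (Test-Path -Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

# Usage (run in the enrolling user's session; the smart card PIN prompt appears during certreq):
# Invoke-EnrollmentWithTouchPolicy -TemplateName 'SmartcardLogon' -PolicyValue <documented value> -WhatIf
```

Run it with -WhatIf first to confirm the registry target before any key is created; the try/finally is what guarantees the workstation-wide default is back in place for the next user's enrollment.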
Certificate Enrollment (add user certificate)
The YubiKey Minidriver adds the following certificate deployment options:
- Auto-enrollment, enabling users to register their YubiKey directly through the Windows built-in certificate provisioning process
- Administrators enrolling on behalf of other users directly through the Microsoft MMC console of Windows Server
Import Certificate Chains for User Certificates
When User Certificates are added to a smart card via MS auto-enrollment or through Windows MMC, the intermediate certificate(s) and root certificate (the certificate chain) are not added to the smart card.
If adding the complete certificate chain is required, the YubiKey Minidriver enables root and intermediate certificates to be imported through the MS Certutil command line utility.
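The following PowerShell is an added example (not Yubico's code) of checking which issuer certificates the workstation chains the user's smart card certificate to, and then pushing the root and intermediate certificates onto the card. It assumes certutil's -scroots update verb (which installs root certificates to the inserted smart card) is the Certutil operation the text refers to, and uses certutil -scinfo to show what the card holds afterwards; the thumbprint is a parameter you supply.

```powershell
# Added example, not Yubico's or the minidriver's code.
# 1. Build the trust chain Windows has for the user's card certificate (no revocation
#    checking, because the point is to see the issuer certificates, not validity).
# 2. Import root/intermediate certificates to the card with certutil -scroots update.
# 3. Show the card contents with certutil -scinfo to confirm the import.
function Import-SmartCardCertificateChain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint   # thumbprint of the enrolled user certificate
    )

    # Smart card certificates are propagated into the user's personal store on insertion.
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with private key and thumbprint $Thumbprint in CurrentUser\My"
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    if (-not $built) {
        # A broken chain on the workstation means there is nothing trustworthy to push.
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Chain does not build on this workstation: $status"
    }

    # Element 0 is the end-entity certificate already on the card; the rest is the
    # chain that auto-enrollment did not write to the card.
    Write-Host "Issuer certificates that belong on the card:"
    $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        "  {0}  ({1})" -f $_.Certificate.Subject, $_.Certificate.Thumbprint
    }

    if ($PSCmdlet.ShouldProcess('inserted smart card', 'import root and intermediate certificates')) {
        & certutil.exe -scroots update
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -scroots update failed with exit code $LASTEXITCODE"
        }
        # Confirm what the minidriver now exposes from the card.
        & certutil.exe -scinfo
    }
}

# Usage: Import-SmartCardCertificateChain -Thumbprint '<thumbprint of the enrolled certificate>'
```

Do this in the logged-on user's session with the YubiKey inserted, since the import operates on the card in the reader and prompts for the card PIN; -scinfo output is the quickest way to confirm the issuer certificates were written.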
Supported Key Algorithms
The YubiKey Minidriver supports the following algorithms for its certificate keys:
- RSA 2048-bit keys
- (ECC) ECDH/ECDSA-P256 keys
- (ECC) ECDH/ECDSA-P384 keys
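The two points above that a deployment engineer most often has to check are the ones described under "Use Multiple Authentication Credentials" (applications pick a certificate by its Key Usage and Extended Key Usage) and this algorithm list. The following PowerShell is an added example, not Yubico's code: it reports each of the user's certificates with its EKUs, flags the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2), and checks the public key against the supported set. It assumes the card's certificates have been propagated into Cert:\CurrentUser\My, and that for the NIST curves listed, the key size (256 or 384 bits) identifies the curve.

```powershell
# Added example, not Yubico's or the minidriver's code.
# Audits user certificates the way the minidriver presents them to Windows and
# flags keys that are not RSA-2048, ECC P-256, or ECC P-384.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

function Test-MinidriverKeyAlgorithm {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    switch ($Certificate.PublicKey.Oid.FriendlyName) {
        'RSA' {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
            return @{ Algorithm = "RSA-$($rsa.KeySize)"; Supported = ($rsa.KeySize -eq 2048) }
        }
        'ECC' {
            $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Certificate)
            # Assumption: key size identifies the NIST curve (256 -> P-256, 384 -> P-384).
            return @{ Algorithm = "ECC-P$($ec.KeySize)"; Supported = ($ec.KeySize -in @(256, 384)) }
        }
        default {
            # Anything else (e.g. RSA-4096 is caught above by size; other algorithms land here)
            return @{ Algorithm = $Certificate.PublicKey.Oid.FriendlyName; Supported = $false }
        }
    }
}

function Get-SmartCardCertificateReport {
    param([string] $StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert  = $_
        $check = Test-MinidriverKeyAlgorithm -Certificate $cert
        $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $keyUsageExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            KeyUsage       = if ($keyUsageExt) { $keyUsageExt.KeyUsages.ToString() } else { '(none)' }
            EKUs           = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            SmartCardLogon = ($ekuOids -contains $SmartCardLogonOid)
            Algorithm      = $check.Algorithm
            Supported      = $check.Supported
        }
    }
}

# Usage: full report, then warnings for keys the minidriver does not support.
Get-SmartCardCertificateReport | Format-Table -AutoSize
Get-SmartCardCertificateReport | Where-Object { -not $_.Supported } | ForEach-Object {
    Write-Warning "$($_.Subject): key $($_.Algorithm) is outside the minidriver's supported algorithms"
}
```

Running the report before rolling out a certificate template catches two common deployment mistakes early: a template that issues keys outside the supported set, and a template whose EKUs do not include Smart Card Logon, which leaves the certificate on the card but unusable for Windows sign-in.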