YubiKey Smart Card Minidriver features
Use multiple authentication credentials
Use the YubiKey Smart Card Minidriver to view all user authentication certificates on the YubiKey smart card. They are displayed for use by applications based on the certificate's key usage extension and extended key usage extension.
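As an added example (not Yubico's code and not part of the original page), the PowerShell snippet below applies the same kind of selection the text describes, by Key Usage and Enhanced Key Usage, to the certificates in the current user's personal store, so an administrator can confirm which of the YubiKey's certificates will be offered for smart card or client authentication. It assumes the minidriver has already propagated the card's certificates into Cert:\CurrentUser\My.

```powershell
# Added example: list certificates usable for smart card / client authentication,
# judged by the Key Usage and Enhanced Key Usage extensions only.
# Assumes the YubiKey's certificates are already visible in Cert:\CurrentUser\My.
using namespace System.Security.Cryptography.X509Certificates

$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$oidClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Get-SmartCardAuthCertificate {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Key Usage: the key must be allowed to produce digital signatures.
        # An absent Key Usage extension is treated as unrestricted.
        $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
        $canSign = ($null -eq $ku) -or
            (($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature) -ne 0)

        # Enhanced Key Usage: needs Smart Card Logon or Client Authentication.
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($null -ne $ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $authEku = ($ekus -contains $oidSmartCardLogon) -or ($ekus -contains $oidClientAuth)

        # Only certificates whose private key is reachable (i.e. on the card) are useful.
        if ($canSign -and $authEku -and $cert.HasPrivateKey) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                EKUs       = ($ekus -join ', ')
            }
        }
    }
}

Get-SmartCardAuthCertificate | Format-Table -AutoSize
```

Certificates that the card holds but that are missing from this output usually lack the expected EKU or Key Usage, which is the first thing to check when Windows does not offer a credential at logon.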
Set / Change smart card PIN
- Provides the ability to set the smart card PIN during enrollment through the Windows interface
- Provides the ability to change the PIN directly through the Windows interface
Unblock a blocked PIN
When a user enters their PIN incorrectly three times consecutively, the PIN is blocked and the smart card features are unusable until the PIN is unblocked.
If a PIN Unblocking Key (PUK) was created for the device, the YubiKey Smart Card Minidriver allows the PIN to be unblocked directly through the Windows interface by providing the PIN Unblocking Key (PUK) in hexadecimal format.
Warning: A PUK cannot be created via the YubiKey Smart Card Minidriver. To create a custom PUK for a YubiKey, follow the instructions in YubiKey PIN and PUK user management in Windows using YubiKey Manager (CLI), or use the Yubico PIV tool (CLI) or Yubico Authenticator if you require a graphical user interface (GUI). If no PUK has been created and you forget your PIN, the device will need to be reset, which permanently deletes all private keys and certificates; new certificates and private keys must then be created!
Set policy for touch to allow private key use
(YubiKey 5 Series and YubiKey 4 Series devices on firmware version 4.3 and higher are required - the YubiKey NEO Series is not supported)
Set the policy to determine if touching the YubiKey's capacitive touch sensor is required to use the certificate's private key. This is an additional protection against use of a private key without explicit user intent. The policy is stored in the YubiKey's secure element during private key creation or import and cannot be changed. If a different policy is desired, a new certificate and private key must be created.
Touch policy options:
- Cached (for 15 seconds per touch)
- Never (No touch required) <default>
The default can be changed via a Windows registry entry and applies to all new certificate / private key pairs added to the YubiKey. If different policies are required per certificate, the registry entry must be changed prior to each certificate's creation. See Deploying the YubiKey Smart Card Minidriver to workstations and servers for additional information.
Warning: Due to OS limitations, there is no visual prompt on the screen when touch is required in this scenario (Microsoft's minidriver specification, which ykmd must adhere to, has no concept of a touch requirement, as it was designed for standard card form factor smart cards such as the Common Access Card). User education and user experience must be strongly considered when making this decision.
Certificate enrollment (add user certificate)
The YubiKey Smart Card Minidriver adds the following certificate deployment options:
- Auto-enrollment, enabling users to register their YubiKey directly through the Windows built-in certificate provisioning process
- Administrators enrolling on behalf of other users directly through the Microsoft MMC console of Windows Server
Import certificate chains for user certificates
When user certificates are added to a smart card via Microsoft auto-enrollment or through Windows MMC, the intermediate certificate(s) and root certificate (i.e. the certificate chain) are not added to the smart card.
If adding the complete certificate chain is required, the YubiKey Smart Card Minidriver enables root and intermediate certificates to be imported through the Microsoft certutil command line utility.
Supported key algorithms
The YubiKey Smart Card Minidriver supports the following algorithms for its certificate keys:
- RSA 2048-bit keys
- RSA 3072-bit keys (requires YubiKey 5 Series firmware 5.7 or greater, and YubiKey Smart Card Minidriver version 4.6.3.252 or greater)
- RSA 4096-bit keys (requires YubiKey 5 Series firmware 5.7 or greater, and YubiKey Smart Card Minidriver version 4.6.3.252 or greater)
- (ECC) ECDH/ECDSA-P256 keys
- (ECC) ECDH/ECDSA-P384 keys