Pre-provisioning a YubiKey for use with the YubiKey Smart Card Minidriver


Tip: This article covers using the YubiKey Manager CLI (ykman) to personalize the PIV application on the YubiKey. If you prefer a graphical tool, use Yubico Authenticator.

 

This article covers pre-provisioning the YubiKey's PIV application with a known PIN Unblocking Key (PUK) and a known management key before the key is first used with the YubiKey Smart Card Minidriver. Doing this in advance matters because the Minidriver changes the default PUK and management key itself on first enrollment (see below), and the values it chooses are not recoverable.

 

First, download the latest version of YubiKey Manager CLI and install it. After installation, open an elevated Command Prompt, PowerShell or Windows Terminal and change to YubiKey Manager's installation directory (or add that directory to PATH). This is most likely "C:\Program Files\Yubico\YubiKey Manager", but it may be "C:\Program Files (x86)\Yubico\YubiKey Manager" if you installed the 32-bit YubiKey Manager CLI on 64-bit Windows.

 

Initialize the YubiKey for certificate enrollment by generating a Card Holder Unique Identifier (CHUID), which Windows requires before it treats the card as provisioned:

 

ykman piv objects generate chuid

 

Change the PIN from its factory default (123456) by running:

 

ykman piv access change-pin -P <current PIN> -n <new pin>

 

If the YubiKey Smart Card Minidriver detects the default PUK (12345678) during the first enrollment, it deliberately blocks the PUK, because the default value is public knowledge and would let anyone reset the PIN. If you want PIN unblocking via PUK to remain possible, change the PUK from its default value before performing the first enrollment. Change the PUK by running:

 

ykman piv access change-puk -p <current puk> -n <new puk>

 

By default, if the YubiKey Smart Card Minidriver detects the default management key during first enrollment, it replaces it with a secure random value and stores that value on the YubiKey protected by the PIN. We do not recommend changing the management key after it has been upgraded in this way. Because the management key is then a random value that can only be retrieved with the PIN, a blocked PIN (and PUK) also makes the management key unusable, which effectively forces a reset of the YubiKey's PIV application, erasing all PIV keys and certificates.

To set the management key yourself before first enrollment, run the following. When prompted for the current management key, YubiKey Manager CLI offers to use the factory-default value, so you do not need to type it. If it does not, or if using the default results in an error, the key is no longer in its default state: reset the YubiKey's PIV application and start again.

 

ykman piv access change-management-key -P <PIN> --protect --new-management-key <management key>

 

To change the management key after it has been upgraded by the Minidriver (or after you stored it with --protect yourself), run the following. Because the current management key is stored on the YubiKey protected by the PIN, ykman retrieves it using the PIN you supply, so you are not prompted for the old value:

 

ykman piv access change-management-key -P <PIN> --protect --new-management-key <management key>
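The steps above as one script, added here as an example and not Yubico's own tooling. It assumes a single YubiKey is attached with its PIV application in the factory-default state (PIN 123456, PUK 12345678, default management key 010203040506070801020304050607080102030405060708), that ykman.exe lives at the path in $Ykman, and that the script is run from an elevated PowerShell window. It generates the new PUK and a 24-byte management key from a cryptographic random source, applies the four steps non-interactively, and reads back `ykman piv info` to confirm the management key is now stored on the YubiKey under PIN protection (the exact wording of that line is assumed from ykman 5.x output).

```powershell
<#
Added example: pre-provision a YubiKey's PIV application for the Smart Card
Minidriver. Assumptions: one YubiKey in factory-default PIV state, ykman.exe at
$Ykman, elevated PowerShell. Record the returned PUK and management key in a
secrets store; they are only printed once.
#>
param(
    [Parameter(Mandatory)] [string] $NewPin,            # 6-8 characters
    [string] $CurrentPin = '123456',                     # factory default
    [string] $CurrentPuk = '12345678',                   # factory default
    [string] $Ykman = 'C:\Program Files\Yubico\YubiKey Manager\ykman.exe'
)
$ErrorActionPreference = 'Stop'

# Well-known factory-default PIV management key (24 bytes, TDES).
$DefaultMgmtKey = '010203040506070801020304050607080102030405060708'

# Cryptographically random decimal digits. Each byte is mapped to a digit with
# rejection sampling (values 250-255 are discarded) so no digit is favoured.
function New-RandomDigits([int] $Length) {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 250) { [void]$sb.Append($buf[0] % 10) }
    }
    $sb.ToString()
}

# 24 random bytes as 48 hex characters: the size of the TDES management key a
# default-state YubiKey expects unless a different -a/--algorithm is chosen.
function New-RandomManagementKey {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $key = New-Object byte[] 24
    $rng.GetBytes($key)
    ($key | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Run ykman and fail on a non-zero exit. Arguments are not echoed on failure
# because they contain the PIN, PUK and management key.
function Invoke-Ykman([string] $Step, [string[]] $Arguments) {
    & $Ykman @Arguments
    if ($LASTEXITCODE -ne 0) { throw "ykman step '$Step' failed (exit code $LASTEXITCODE)" }
}

$NewPuk     = New-RandomDigits 8
$NewMgmtKey = New-RandomManagementKey

# 1. CHUID, so Windows treats the card as initialized.
Invoke-Ykman 'generate chuid' @('piv', 'objects', 'generate', 'chuid')

# 2. PIN.
Invoke-Ykman 'change-pin' @('piv', 'access', 'change-pin', '-P', $CurrentPin, '-n', $NewPin)

# 3. PUK, before first enrollment, otherwise the Minidriver blocks the default PUK.
Invoke-Ykman 'change-puk' @('piv', 'access', 'change-puk', '-p', $CurrentPuk, '-n', $NewPuk)

# 4. Management key: supply the default explicitly with -m so ykman does not
#    prompt, and store the new key on the YubiKey protected by the new PIN.
Invoke-Ykman 'change-management-key' @('piv', 'access', 'change-management-key',
    '-m', $DefaultMgmtKey, '-P', $NewPin, '--protect', '--new-management-key', $NewMgmtKey)

# 5. Read back the PIV state. The "protected by PIN" wording is an assumption
#    about ykman 5.x output; adjust the pattern if your version differs.
$info = & $Ykman piv info
if (-not ($info -match 'protected by PIN')) {
    Write-Warning 'ykman piv info does not report a PIN-protected management key; inspect the output above.'
}

# Return the secrets as an object so the caller can store them, e.g. in a vault.
[pscustomobject]@{
    NewPuk        = $NewPuk
    ManagementKey = $NewMgmtKey
}
```

Run it as `.\Provision-YubiKeyPiv.ps1 -NewPin 'your-new-pin'` (the file name is whatever you save the script as). If step 4 fails because the default management key is not accepted, the PIV application is not in its default state; reset it with `ykman piv reset`, which wipes every PIV key and certificate on the device, and run the script again on the fresh application.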