Troubleshooting - Retired PIV Slots Unavailable When Accessing via PKCS11

Issue: Certificates enrolled in the retired PIV slots are not available via PKCS11 when more than 4 have been enrolled using the YubiKey Smart Card Minidriver.


Cause: The YubiKey Smart Card Minidriver treats the YubiKey as a GIDS-compatible smart card (as opposed to PIV), meaning it does not write a Key History Object (0x5FC10C) to the YubiKey. A Key History Object is required for PKCS11 to know that certificates are enrolled in the retired PIV slots on the YubiKey.


Solution: In order for PKCS11 to recognize certificates present in retired PIV slots, a Key History Object (0x5FC10C) must be populated.


This can be accomplished by running the following command, replacing <PIN> with the PIV PIN of the YubiKey. This command requires the command-line version of YubiKey Manager (ykman). See this page for guidance on obtaining command-line YubiKey Manager, and this page for guidance on using it.


echo C10114C20100FE00 | ykman piv objects import 0x5FC10C - -P <PIN>


To verify the Key History Object was populated successfully:


  1. Export the data from the object at 0x5FC10C and save to a text file.
    • ykman piv objects export 0x5FC10C keyhistory.txt
  2. Verify the file contains the correct data. In this example we use cat to read the text file.
    • cat keyhistory.txt
  3. If the Key History Object was written successfully, you should see the following text.
    • C10114C20100FE00
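The hex string written above is a small BER-TLV structure defined for the PIV Key History Object in NIST SP 800-73-4: tag 0xC1 carries the number of keys with on-card certificates (0x14 = 20, i.e. all twenty retired slots), tag 0xC2 the number of keys with off-card certificates (0), an optional tag 0xF3 an off-card certificate URL, and tag 0xFE an empty error-detection code. The following script is an added example, not part of this article or of ykman: it decodes the contents of keyhistory.txt from the verification steps, checks that the required tags are present and well formed, and reports whether the value matches the one the article writes. The sample input is constructed to stand in for the output of cat keyhistory.txt.

```python
"""Decode and validate a PIV Key History Object (data object 0x5FC10C).

Added example, not from the Yubico article or ykman. Tag layout per
NIST SP 800-73-4: 0xC1 keys with on-card certs, 0xC2 keys with off-card
certs, 0xF3 off-card certificate URL (optional), 0xFE error-detection
code (empty value).
"""
from __future__ import annotations

# Tag names from the PIV Key History Object definition
TAGS = {
    0xC1: "keys_with_on_card_certs",
    0xC2: "keys_with_off_card_certs",
    0xF3: "off_card_cert_url",
    0xFE: "error_detection_code",
}

# The value the article writes and expects to read back
EXPECTED_HEX = "C10114C20100FE00"


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Split a single-byte-tag BER-TLV string into (tag, value) pairs."""
    out = []
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV: tag without length")
        length = data[i]
        i += 1
        if length > 0x7F:
            # Long-form length (0x81 nn / 0x82 nn nn). The 8-byte object in
            # the article never needs it, but exports with a URL might.
            num = length & 0x7F
            length = int.from_bytes(data[i:i + num], "big")
            i += num
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV: value shorter than declared length")
        out.append((tag, value))
        i += length
    return out


def parse_key_history(data: bytes) -> dict:
    """Decode the Key History Object body into its named fields."""
    fields = {}
    for tag, value in parse_tlv(data):
        name = TAGS.get(tag, f"unknown_tag_{tag:02X}")
        if tag in (0xC1, 0xC2):
            if len(value) != 1:
                raise ValueError(f"tag {tag:02X} must be exactly one byte")
            fields[name] = value[0]          # a key count, 0..255
        elif tag == 0xF3:
            fields[name] = value.decode("ascii")
        else:
            fields[name] = value.hex().upper()  # empty string for FE 00
    for required in ("keys_with_on_card_certs",
                     "keys_with_off_card_certs",
                     "error_detection_code"):
        if required not in fields:
            raise ValueError(f"missing required field {required}")
    return fields


def check_export(file_text: str) -> dict:
    """Validate the text of keyhistory.txt from the verification steps.

    Whitespace and the trailing newline added by echo are ignored before
    decoding; the result also records whether the hex matches the article.
    """
    cleaned = "".join(file_text.split()).upper()
    fields = parse_key_history(bytes.fromhex(cleaned))
    fields["matches_article_value"] = cleaned == EXPECTED_HEX
    return fields


if __name__ == "__main__":
    # Constructed sample standing in for `cat keyhistory.txt`
    sample = "C10114C20100FE00\n"
    print(check_export(sample))
```

Run it against the real export with `python3 keyhistory_check.py < keyhistory.txt` after replacing the constructed sample with `sys.stdin.read()`; a decode error or a missing required tag means the object on the YubiKey is not the TLV the article describes.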