Issue: Certificates enrolled in the retired PIV slots are not available via PKCS11 when more than 4 have been enrolled using the YubiKey Smart Card Minidriver.
Cause: The YubiKey Smart Card Minidriver treats the YubiKey as a GIDS-compatible smart card (as opposed to PIV), meaning it does not write a Key History Object (0x5FC10C) to the YubiKey. A Key History Object is required for PKCS11 to know that certificates are enrolled in the retired PIV slots on the YubiKey.
Solution: In order for PKCS11 to recognize certificates present in retired PIV slots, a Key History Object (0x5FC10C) must be populated.
This can be accomplished by running the following command, replacing <PIN> with the PIV PIN of the YubiKey. This command requires the command-line version of YubiKey Manager. See this page for guidance on obtaining the command-line YubiKey Manager, and this page for guidance on using it.
echo C10114C20100FE00 | ykman piv objects import 0x5FC10C - -P <PIN>
To verify the Key History Object was populated successfully:
- Export the data from the object at 0x5FC10C and save it to a text file:
  - ykman piv objects export 0x5FC10C keyhistory.txt
- Verify that the file contains the correct data. In this example we use cat to read the text file:
  - cat keyhistory.txt
- If the Key History Object was written successfully, you should see the following text:
  - C10114C20100FE00
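As an added example (not part of this article or of YubiKey Manager), the Python below decodes the C10114C20100FE00 payload into the Key History Object fields defined in NIST SP 800-73-4 Part 1 (C1 keysWithOnCardCerts, C2 keysWithOffCardCerts, F3 offCardCertURL, FE error detection code), validates it, and, going beyond the article's single value, builds payloads for other slot counts. The tag names and the 20-slot limit come from the PIV specification; the function names are the example's own.

```python
KEY_HISTORY_HEX = "C10114C20100FE00"  # payload the ykman command in this article writes
TAG_ON_CARD, TAG_OFF_CARD, TAG_URL, TAG_EDC = 0xC1, 0xC2, 0xF3, 0xFE
RETIRED_SLOTS = 20  # PIV retired key management slots 0x82-0x95

def parse_tlv(data: bytes) -> dict:
    """Parse the single-byte-tag, short-form-length TLVs used in this object."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated TLV header at offset {i}")
        tag, length = data[i], data[i + 1]
        if length & 0x80:
            raise ValueError("long-form lengths are not expected here")
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag 0x{tag:02X}")
        out[tag] = value
        i += 2 + length
    return out

def decode_key_history(hex_payload: str) -> dict:
    """Validate a Key History Object payload and return its fields."""
    tlvs = parse_tlv(bytes.fromhex(hex_payload.strip()))
    for tag in (TAG_ON_CARD, TAG_OFF_CARD, TAG_EDC):
        if tag not in tlvs:
            raise ValueError(f"missing mandatory tag 0x{tag:02X}")
    if len(tlvs[TAG_ON_CARD]) != 1 or len(tlvs[TAG_OFF_CARD]) != 1:
        raise ValueError("key counts must be exactly one byte each")
    if tlvs[TAG_EDC] != b"":
        raise ValueError("error detection code (0xFE) must be empty")
    on, off = tlvs[TAG_ON_CARD][0], tlvs[TAG_OFF_CARD][0]
    if off and TAG_URL not in tlvs:
        raise ValueError("offCardCertURL (0xF3) is required when off-card count is non-zero")
    if on + off > RETIRED_SLOTS:
        raise ValueError(f"counts exceed the {RETIRED_SLOTS} retired key slots")
    return {"on_card": on, "off_card": off, "url": tlvs.get(TAG_URL, b"").decode()}

def build_key_history(on_card: int, off_card: int = 0, url: str = "") -> str:
    """Inverse of decode_key_history: produce the hex payload for ykman to import."""
    if min(on_card, off_card) < 0 or on_card + off_card > RETIRED_SLOTS:
        raise ValueError(f"counts must fit the {RETIRED_SLOTS} retired key slots")
    if off_card and not url:
        raise ValueError("off-card certificates require an offCardCertURL")
    body = bytes([TAG_ON_CARD, 1, on_card, TAG_OFF_CARD, 1, off_card])
    if url:
        encoded = url.encode()
        if len(encoded) > 0x7F: raise ValueError("URL too long for a short-form length")
        body += bytes([TAG_URL, len(encoded)]) + encoded
    body += bytes([TAG_EDC, 0])
    return body.hex().upper()
```

Running decode_key_history on the contents of keyhistory.txt from the verification steps gives a stricter check than eyeballing the hex string.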