Troubleshooting - Retired PIV Slots Unavailable When Accessing via PKCS11


Issue: Certificates enrolled in the retired PIV slots are not available via PKCS11 when more than 4 have been enrolled using the YubiKey Smart Card Minidriver.

 

Cause: The YubiKey Smart Card Minidriver treats the YubiKey as a GIDS-compatible smart card (as opposed to PIV), meaning it does not write a Key History Object (0x5FC10C) to the YubiKey. A Key History Object is required for PKCS11 to know that certificates are enrolled in the retired PIV slots on the YubiKey.

 

Solution: In order for PKCS11 to recognize certificates present in retired PIV slots, a Key History Object (0x5FC10C) must be populated.

 

This can be accomplished by running the following command, replacing <PIN> with the PIV PIN of the YubiKey. This command requires the command-line version of YubiKey Manager. See this page for guidance on obtaining the command-line YubiKey Manager, and this page for guidance on using it.

 

echo C10114C20100FE00 | ykman piv objects import 0x5FC10C - -P <PIN>

 

To verify the Key History Object was populated successfully:

 

  1. Export the data from the object at 0x5FC10C and save it to a text file.
    • ykman piv objects export 0x5FC10C keyhistory.txt
  2. Verify the file contains the correct data; in this example, cat is used to read the text file.
    • cat keyhistory.txt
  3. If the Key History Object was written successfully, you should see the following text.
    • C10114C20100FE00
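The hex string above is a BER-TLV encoding of the PIV Key History Object (NIST SP 800-73-4): tag C1 carries the count of retired slots holding on-card certificates (0x14 = 20), tag C2 the count with off-card certificates, and FE the (empty) error detection code. The script below is an added example, not part of this article or of ykman; it builds that encoding and checks an exported keyhistory.txt, so the step 3 comparison can be automated rather than eyeballed.

```python
# Added example (not Yubico code): build and verify a PIV Key History Object
# (data object 0x5FC10C) as exported by "ykman piv objects export".
from dataclasses import dataclass

RETIRED_KEY_SLOTS = 20  # PIV retired key management slots 0x82..0x95


@dataclass
class KeyHistory:
    on_card_certs: int      # tag C1
    off_card_certs: int     # tag C2
    off_card_url: bytes     # tag F3, only present when off_card_certs > 0


def _tlv(data: bytes):
    """Yield (tag, value) pairs; supports short and 0x81/0x82 long-form lengths."""
    i = 0
    while i < len(data):
        tag, i = data[i], i + 1
        if i >= len(data):
            raise ValueError("truncated TLV")
        length, i = data[i], i + 1
        if length & 0x80:
            n = length & 0x7F
            if n not in (1, 2) or i + n > len(data):
                raise ValueError("bad TLV length")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        yield tag, value
        i += length


def parse_key_history(hex_text: str) -> KeyHistory:
    """Parse the hex text from keyhistory.txt; raises ValueError if malformed."""
    fields = dict(_tlv(bytes.fromhex(hex_text.strip())))
    for tag in (0xC1, 0xC2, 0xFE):
        if tag not in fields:
            raise ValueError(f"missing tag {tag:#04X}")
    if len(fields[0xC1]) != 1 or len(fields[0xC2]) != 1 or fields[0xFE] != b"":
        raise ValueError("malformed Key History Object")
    return KeyHistory(fields[0xC1][0], fields[0xC2][0], fields.get(0xF3, b""))


def key_history_ok(hex_text: str) -> bool:
    """True if the object is well-formed and advertises at least one retired slot."""
    kh = parse_key_history(hex_text)
    return 0 < kh.on_card_certs and kh.on_card_certs + kh.off_card_certs <= RETIRED_KEY_SLOTS


def build_key_history(on_card: int, off_card: int = 0, off_card_url: bytes = b"") -> str:
    """Encode a Key History Object; build_key_history(20) gives the article's value."""
    if on_card + off_card > RETIRED_KEY_SLOTS:
        raise ValueError("more certificates than retired slots")
    body = bytes([0xC1, 1, on_card, 0xC2, 1, off_card])
    if off_card_url:
        body += bytes([0xF3, len(off_card_url)]) + off_card_url
    return (body + bytes([0xFE, 0])).hex().upper()
```

Run `key_history_ok(open("keyhistory.txt").read())` against the file produced in step 1; a False result or a ValueError means the import did not take effect.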