About the YubiKey and smart card capabilities

  • YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano provide Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV.”
  • Performs RSA or ECC sign/decrypt operations using a private key stored on the smart card, through common interfaces such as PKCS#11 (Multi-platform) and a Smart Card Minidriver for Microsoft Windows.

General information

  • Supports twelve key slots on the YubiKey 5 Series keys (maximum size per certificate of 3,052 bytes).
  • Each slot is capable of holding an X.509 certificate, along with its accompanying private key.
  • Supports key sizes of RSA 2048, ECC P-256, or ECC P-384.
  • All functionality is available over both contact and contactless (NFC only) interfaces.

YubiKey smart card minidriver

  • YubiKey provides baseline functionality to authenticate as a PIV-compliant smart card out-of-the-box on Microsoft Windows Server 2008 R2 and later servers, and Microsoft Windows 7 and later clients.
  • The YubiKey Smart Card Minidriver provides additional smart card functionality: certificate and PIN management via the native Windows user interface, support for ECC key algorithms, and setting the touch policy for private key use.
  • Request a certificate from a Windows Certification Authority, generate a self-signed certificate, or import an existing certificate to the YubiKey. Generate a certificate based on the Server CA Template stored in the secure element on the device. Supports all Windows smart card behaviors, including lock on removal.
  • Identifies as a Microsoft USB CCID smart card reader and NIST SP 800-73 PIV smart card using the base Microsoft driver.
  • Identifies as a YubiKey Smart Card using the YubiKey Smart Card Minidriver.

Certificate authority with YubiKey

  • Set up a Certificate Authority (CA) with subordinate CA private keys stored on the YubiKey to sign end entity certificates.
  • Supports up to 2048-bit RSA keys for the subordinate CAs and end entity certificates.

OS X code signing

  • Generate a certificate on the YubiKey, submit the certificate request to Apple, and use it for OS X code signing. Certificates will also be loaded to the Apple Keychain.
  • Use the certificates as usual with codesign, pkgbuild, productbuild, and productsign commands.

SSH with PIV and PKCS#11

  • The YubiKey with PIV can work for public key authentication with OpenSSH through PKCS#11, primarily on Mac OS X or Linux systems with the OpenSC software installed.
  • Uses a self-signed certificate loaded in slot 9a of the PIV applet for SSH authentication via OpenSC.

Discover third-party services that work with the YubiKey using PIV (smart card) in the Works with YubiKey catalog.

Get the YubiKey smart card minidriver

A Minidriver for the Windows OS that allows smart card management in the native Windows interface and adds support for ECC key algorithms. Download the YubiKey Smart Card Minidriver from our downloads page.