YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey NEO provide Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV.”
Performs RSA or ECC sign/decrypt operations using a private key stored on the smart card, through common interfaces such as PKCS#11(Multi-platform) and a Smart Card Minidriver for Microsoft Windows.
Supports twelve key slots on the YubiKey 4 (max per cert size of 3,052 bytes)
Supports four key slots on the YubiKey NEO (max per cert size of 2,024 bytes)
Each slot is capable of holding an X.509 certificate, along with its accompanying private key.
Supports key sizes of RSA 2048 or ECC p-256, or ECC p-384.
All functionality is available over both contact and contactless (NEO only) interfaces.
YubiKey provides baseline functionality to authenticate as a PIV-compliant smart card out-of-the-box on Microsoft Windows Server 2008 R2 and later servers, and Microsoft Windows 7 and later clients.
The YubiKey Smart Card Minidriver provides additional smart functionality: certificate and PIN management via the native Windows user interface, support for ECC key algorithms, set touch policy for private key use.
Request a certificate from a Windows Certification Authority, generate a self-signed certificate, or import an existing certificate to the YubiKey. Generate a certificate based on the Server CA Template stored in the secure element on the device. Supports all Windows smart card behaviors, including lock on removal.
Identifies as a Microsoft USB CCID smart card reader and NIST SP 800-73 PIV smart card using the base Microsoft driver.
Identifies as a YubiKey Smart Card using YubiKey smart card minidriver.
Certificate Authority with YubiKey
Set up a Certificate Authority (CA) with subordinate CA private keys stored on YubiKey to sign end entity certificates
Supports up to RSA 2048 bit keys for the subordinate CAs and end entity certificates.
OS X Code Signing
Generate a certificate on the YubiKey, submit the certificate request to Apple, and use it for OS X code signing. Certificates will also be loaded to the Apple Keychain.
Use the certificates as usual with codesign, pkgbuild, productbuild, and productsign commands.
SSH with PIV and PKCS11
The YubiKey with PIV can work for public key authentication with OpenSSH through PKCS11. Primarily on Mac OS X or Linux systems with the OpenSC software installed.
Uses a self-signed cert loaded on the slot 9a of the PIV applet for SSH Authentication via OpenSC.
More Places to Use the YubiKey with Smart Card/PIV
A Minidriver for the Windows OS that allows smart card management in the native Windows interface and adds support for ECC key algorithms. Download the YubiKey Smart Card Minidriver from ourDownloads page.