About the YubiKey and Smart Card/PIV

  • YubiKey 4, YubiKey 4 Nano, and YubiKey NEO support the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV.”
  • Performs RSA or ECC sign/decrypt operations using a private key stored on the smart card, through common interfaces such as PKCS#11.

General Information

  • Supports four key slots: PIV Authentication, Digital Signature, Key Management, and Card Authentication.
  • Each slot is capable of holding an X.509 certificate, along with its accompanying private key.
  • Supports key sizes up to RSA 2048, or ECC secp256r1 keys.
  • All functionality is available over both contact and contactless interfaces.

Windows Certificate

  • YubiKey works as a PIV-compliant smart card out-of-the-box with compatibility for Microsoft Windows Server 2008 R2 and later servers, and Microsoft Windows 7 and later clients.
  • Request a certificate from a Windows Certification Authority, generate a self-signed certificate, or import an existing certificate to the YubiKey. Generate a certificate based on the Server CA Template stored in the secure element on the device. Supports all Windows smart card behaviors, including lock on removal. No additional software is required for authentication. Identifies as a Microsoft USB CCID smart card reader and NIST  SP 800-73 PIV smart card.

Certificate Authority with YubiKey

  • Set up a Certificate Authority (CA) with subordinate CA private keys stored on YubiKey to sign end entity certificates
  • Supports up to RSA 2048 bit keys for the subordinate CAs and end entity certificates.

OS X Code Signing

  • Generate a certificate on the YubiKey, submit the certificate request to Apple, and use it for OS X code signing. Certificates will also be loaded to the Apple Keychain.
  • Use the certificates as usual with codesign, pkgbuild, productbuild, and productsign commands.

SSH with PIV and PKCS11

  • The YubiKey with PIV can work for public key authentication with OpenSSH through PKCS11. Primarily on Mac OS X or Linux systems with the OpenSC software installed.
  • Uses a self-signed cert loaded on the slot 9a of the PIV applet for SSH Authentication via OpenSC.

More Places to Use the YubiKey with Smart Card/PIV

Docker Hardware Signing

  • Enable DOCKER_CONTENT_TRUST=1; * feature currently available in Docker Experimental
  • Generate a Docker Content Trust root key for yourself.
  • The root key is generated inside the YubiKey, then generate keys for your repository, and push the signed image.
  • Users who have Docker Content Trust enabled can now securely download your content.

Centrify Identity Platform

  • Use YubiKeys with the Centrify Identity Platform to enable seamless two-factor authentication
  • Smart card PIV re-authentication for Windows privilege escalation
  • Active Directory-based login to Mac OS X and other platforms to meet NIST regulations

Versasec vSEC:CMS

  • Versasec vSEC:CMS users can quickly authenticate using their YubiKey as a smart card in PIV mode


  • CyberArk users can use YubiKey to unlock their enterprise password vault
  • Leverage the YubiKey with privileged account security policies and controls

EgoSecure Data Protection FDE

  • EgoSecure Data Protection FDE uses the YubiKey NEO for two-factor authentication
  • Encryption and decryption of data is completely transparent to authorized authenticated users
  • For enterprise installations, can be centrally deployed and managed using the EgoSecure management console

Learn More

Get the YubiKey PIV Manager

Yubico’s self-provisioning tool that supports multiple PIV operations is available for Microsoft Windows, Mac OS X, or Linux. Download the YubiKey PIV Manager from our Downloads page.