A YubiKey can be used as a smart card for Windows authentication through its PIV interface. PIV is managed with the YubiKey Manager application, which must be installed as Administrator but does not need Administrator rights to modify the YubiKey.
Using PIV on a YubiKey requires three separate codes that serve three different purposes.
- PIN
  - The PIN is the 6-8 digit code that is used each time you want to use the smart card (e.g. to log in to Windows).
- PUK
  - The PUK is a 6-digit code that is used as an unlock code if there are too many failed attempts at using the PIN.
- Management Key
  - The Management Key is a 48-character hexadecimal code that is used to modify the PIV system on the YubiKey, such as generating extremely secure key pairs. These operations are not normally used, so we recommend leaving the Management Key set to the default.
When setting up the YubiKey for the first time, you will need to memorize your PIN and store your PUK (ideally in a password manager such as 1Password).
This process will create a credential that allows complete access to a named user account. Failure to complete actions highlighted in RED will put this account in danger.
1. Open YubiKey Manager and navigate to Applications -> PIV.

2. Select Configure PINs.

3. Select Change PIN.

4. Check Use Default, set New PIN twice, and click Change PIN.

5. Select Change PUK from the Configure PINs screen. Check Use Default, set New PUK twice, and click Change PUK.

6. On the Windows Search bar, find and open Manage User Certificates.

7. Right click Personal, mouse over All Tasks and choose Request New Certificate.

8. Any options not shown are defaults. Choose Smart Card (2022), and click through to finish.

9. Under Personal -> Certificates, right click the newly generated certificate, mouse over All Tasks and select Export...

10. You MUST choose Yes to export the private key. Options not shown are defaults.

11. You MUST set the encryption to SHA256 and set a password for the exported file. This password is only used one time so please make it strong.

12. Select a destination to save the file and name the file. We recommend you save to the Downloads folder.

13. Go back to the User Certificates window, right click and Delete the certificate. If you do not do this, any Administrator can steal this credential.

14. Navigate back to the YubiKey Manager and go to Applications -> PIV -> Configure Certificates. Select Import.

15. After choosing the file, you will be prompted for the password that you just set when exporting the certificate. This is the only time this password is used; the file will be deleted.

16. The Management Key should be the default, check the box Use Default and select OK.

17. You should now see your previously generated certificate in the Authentication section. YOU ARE NOT DONE.

18. DELETE THE EXPORTED CERTIFICATE FILE FROM THE LOCATION YOU SAVED IT TO.
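
A check to run after step 18, confirming that no copy of the exported private key is left outside the YubiKey (steps 13 and 18). This is an added example, not part of the original procedure; it assumes the export was saved under the user's Downloads folder as recommended in step 12, and the function names are hypothetical.

```powershell
# Added example: post-enrollment leftover check. Function names are hypothetical.
# Assumption: the export was saved under the user's Downloads folder (step 12).

function Find-ExportedKeyFile {
    param([string[]]$Path = @(Join-Path $env:USERPROFILE 'Downloads'))
    # The Certificate Export Wizard writes PKCS#12 as .pfx; .p12 is the same format.
    Get-ChildItem -Path $Path -Recurse -File -Include *.pfx, *.p12 -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Location'; e = { 'Disk' } }, @{n = 'Path'; e = { $_.FullName } }
}

function Find-RecycledKeyFile {
    # Deleting in Explorer normally moves the file to the Recycle Bin, where it
    # remains readable. 0xA is the shell namespace of the Recycle Bin; the stored
    # path of each item keeps the original file extension.
    $bin = (New-Object -ComObject Shell.Application).Namespace(0xA)
    $bin.Items() | Where-Object { $_.Path -match '\.(pfx|p12)$' } |
        Select-Object @{n = 'Location'; e = { 'Recycle Bin' } }, @{n = 'Path'; e = { $_.Name } }
}

function Get-PersonalCertWithKey {
    # Step 13: Personal store entries that Windows still associates with a private key.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object HasPrivateKey |
        Select-Object Subject, Thumbprint, NotBefore
}

$leftover = @(Find-ExportedKeyFile) + @(Find-RecycledKeyFile)
$certs    = @(Get-PersonalCertWithKey)

if ($leftover.Count -gt 0) {
    Write-Warning 'Exported key file(s) still present (step 18):'
    $leftover | Format-Table -AutoSize
}
if ($certs.Count -gt 0) {
    Write-Warning 'Personal store entries with a private key; confirm none is the software copy (step 13):'
    $certs | Format-Table -AutoSize
}
if (($leftover.Count + $certs.Count) -eq 0) {
    Write-Output 'No exported key files or keyed Personal certificates found.'
}
```

Windows may also list the certificate held on an inserted YubiKey in the Personal store, so review each reported entry rather than treating every hit as the software copy. A file reported under Recycle Bin is only gone once the Recycle Bin is emptied.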
