10.5 Installation and configuration for Yubico smart cards
This section provides any information required when installing the middleware for the smart cards or configuring the smart cards through either their middleware or through MyID.
10.5.1 Yubico management key
You must configure MyID to use the management key for your Yubico smart cards. In MyID, this key is known as the PIV 9B key. To configure this key, you must use the Key Manager workflow within MyID to add a factory PIV 9B Card Administration Key to the system.
YubiKey devices may also be produced with factory diversified values of the following keys:
- PIV PUK
- Configuration Lock Code
If so, you must configure the keys using the Key Manager workflow; see section 10.2.2, Setting up the PIV PUK key and section 10.2.3, Setting up the Configuration Lock Code for details.
10.5.2 Minidrivers
Yubico provide a Windows minidriver that can enable extended usage of certificates on the smart card, beyond the capabilities provided by the Windows Inbox Smart Card Minidriver. To use YubiKey devices with the minidriver, you must use minidriver version v4.1.0.172 or later; additionally, you must issue the devices with a customer PIV 9B key.
10.5.3 Card format
Yubico smart cards have PIV features, but are not fully PIV-compliant. In the Device Profiles section of the Credential Profiles workflow, you must select one of the following from the Card Format drop-down list:
- CivCertificatesOnly.xml – This card format is used by MyID to personalize the PIV applet and set the default values on elements required by the smart card's PIV applet.
- CivCertificatesOnlyCompressed.xml – As CivCertificatesOnly.xml, but using compressed data.
- Yubikey.xml – This card format contains the PIV applet settings from CivCertificatesOnly.xml, and also sets up on-device PIN policy settings. See section 10.6.2, PIN policy settings for details. You can also configure device capabilities using this file; see section 10.6.12, Enabling and disabling device capabilities for details.
- YubikeyNoOTP.xml – This card format is the same as Yubikey.xml, but disables the Touch OTP feature. See section 10.6.2, PIN policy settings for details.
- YubiKeyFIPS.xml – This card format is the same as YubiKey.xml, but is restricted to being issued to YubiKey FIPS devices only.
This card format is used by MyID to personalize the PIV applet and set the default values on elements required by the smart card's PIV applet.
10.5.4 Issuing smart cards that have PIV applets
For information on issuing smart cards that have PIV applets using a non-PIV MyID system, see section 2.12, Issuing smart cards that have PIV applets.
10.5.5 FIDO for Yubico devices
For information on FIDO, see the FIDO Authenticator Integration Guide.