10.5 Installation and configuration for Yubico smart cards
This section provides the information required when installing the middleware for the smart cards, or when configuring the smart cards either through their middleware or through MyID.
10.5.1 Yubico management key
You must configure MyID to use the management key for your Yubico smart cards. In MyID, this key is known as the PIV 9B key. To configure this key, you must use the Key Manager workflow within MyID to add a factory PIV 9B Card Administration Key to the system.
YubiKey devices may also be produced with factory diversified values of the following keys:
- PIV PUK
- Configuration Lock Code
If so, you must configure the keys using the Key Manager workflow; see section 10.2.2, Setting up the PIV PUK key and section 10.2.3, Setting up the Configuration Lock Code for details.
10.5.2 Minidrivers
Yubico provides a Windows minidriver that can enable extended usage of certificates on the smart card, beyond the capabilities provided by the Windows Inbox Smart Card Minidriver. To use YubiKey devices with the minidriver, the minimum version of the minidriver is v4.1.0.172; additionally, you must issue the devices with a customer PIV 9B key.
10.5.3 Card format
Yubico smart cards have PIV features, but are not fully PIV-compliant. In the Device Profiles section of the Credential Profiles workflow, you must select one of the following from the Card Format drop-down list:
- CivCertificatesOnly.xml – This card format is used by MyID to personalize the PIV applet and set the default values on elements required by the smart card's PIV applet.
  Note: This card format is not recommended, as it requires you to have a card authentication certificate in the relevant container, and using this model may affect your use of the device; for example, the ability to reset the PIN, or to set appropriate values for the PIN policy.
- CivCertificatesOnlyCompressed.xml – As CivCertificatesOnly.xml, but using compressed data.
  Note: This card format is not recommended for YubiKey devices, as it requires you to have a card authentication certificate in the relevant container, and using this model may affect your use of the device; for example, the ability to reset the PIN, or to set appropriate values for the PIN policy.
- Yubikey.xml – This card format contains the PIV applet settings from CivCertificatesOnly.xml, and also sets up on-device PIN policy settings. See section 10.6.2, PIN policy settings for details. You can also configure device capabilities using this file; see section 10.6.12, Enabling and disabling device capabilities for details.
- YubikeyNoOTP.xml – This card format is the same as Yubikey.xml, but disables the Touch OTP feature. See section 10.6.2, PIN policy settings for details.
- YubiKeyFIPS.xml – This card format is the same as YubiKey.xml, but is restricted to being issued to YubiKey FIPS devices only.
Note: It is recommended that you use a YubiKey card format when issuing YubiKey devices. Using other card formats may affect your use of the device; for example, the ability to reset the PIN, or to set appropriate values for the PIN policy.
10.5.4 Issuing smart cards that have PIV applets
For information on issuing smart cards that have PIV applets using a non-PIV MyID system, see section 2.12, Issuing smart cards that have PIV applets.
10.5.5 FIDO for Yubico devices
For information on FIDO, see the Passkey Integration Guide.