
Using Yubico tokens

Prerequisites

  • Install Yubico PIV tool version 2.4.0 or higher in the default directory.

    • For Windows: C:\Program Files\Yubico\Yubico PIV Tool\

    • For macOS: /usr/local/ (the installer does not offer a choice of location)

  • Install YubiKey Manager version 1.2.3 or higher in the default directory.

    • For Windows: C:\Program Files\Yubico\YubiKey Manager\

    • For macOS: /Applications/YubiKey Manager.app/ (the installer does not offer a choice of location)

Note

DigiCert provides third-party URLs on this page as a convenient resource for accessing required software and installation instructions. While we strive to recommend reputable third-party sources, DigiCert is not responsible for, nor can we guarantee, the content or availability of these URLs.

Initialize your Yubico token

To initialize your Yubico token, you need to set:

  • User PIN

  • User PUK

  • Management Key, which must additionally be protected by the User PIN.

In YubiKey Manager, when setting the Management Key, select the Protect with PIN checkbox.

[Screenshot: Yubico1.png]

Newer Yubico tokens may offer an Algorithm option when you set or change the Management Key. Select TDES as the algorithm and proceed.

[Screenshot: Yubico2.png]

Note

For certificates enrolled on Yubico tokens, if your application is not displaying these certificates, try removing and reinserting the token.

Restrictions

  • Yubico tokens cannot import Certificate Authority (CA) certificates because each slot is limited to storing one certificate.

  • When a certificate is deleted from DigiCert® Trust Assistant, the private key associated with the certificate is not removed from the token. The same restriction applies when using YubiKey Manager.

    [Screenshot: Yubico_Restriction.png]

  • When the Yubico token is used by the operating system or other third-party applications, it may lose its connection with DigiCert® Trust Assistant. Refer to the troubleshooting steps in the next section to resolve the issue.

Troubleshooting

Unable to log into Yubico token from DigiCert Trust Assistant

Try the following:

  • Refresh tokens from Dashboard and log into Yubico token.

  • Replug the token and log into Yubico token.

  • Relaunch the application.

Unable to view certificates on DigiCert Trust Assistant

Try the following:

  • Refresh tokens from Dashboard.

  • Replug the token.

  • Relaunch the application.

Unable to synchronize the certificate to the Windows Certificate Store

First, try replugging the token.

If this does not work, confirm the following:

  1. Open Device Manager on Windows and make sure a smart card named Yubikey Smart Card Minidriver is listed under Smart cards. If it is not listed, try rebooting your system.

  2. Reset CHUID (Card Holder Unique Identifier) for Yubikey by using the following command:

    yubico-piv-tool -averify-pin -P<PIN> -aset-chuid

    Refer to YubiKey PIV introduction.

  3. Verify that the PIN tries left value is not negative. Use the following command to check it; if the result is negative, repeat step 2.

    yubico-piv-tool -astatus
    C:\Program Files\Yubico\Yubico PIV Tool\bin>yubico-piv-tool.exe -astatus
    Version:        5.4.3
    Serial Number:  25308431
    CHUID:  ********************************************************
    CCC:    No data available
    PIN tries left: -1
  4. After completing steps 1-3, check the DigiCert® Trust Assistant notification panel for a Rerun Certificate Synchronization action.

    1. If the action is available, trigger it to perform the synchronization.

    2. If the notification is not listed, try unplugging and replugging the token.
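The following shell script is an added example and is not part of DigiCert's documentation or Yubico's tooling. It automates steps 2 and 3 above: it parses the output of yubico-piv-tool -astatus, and only when the PIN tries left value is negative does it run the CHUID reset from step 2. It assumes yubico-piv-tool is on PATH (on Windows, the bin directory under the Yubico PIV Tool install location listed in Prerequisites) and deliberately omits -P<PIN> so the tool prompts for the PIN instead of it appearing in shell history or process listings. The sample status text is constructed to match the shape of the output shown in step 3.

```shell
#!/bin/sh
# Added example (not DigiCert's or Yubico's code): check the "PIN tries left"
# value reported by `yubico-piv-tool -astatus` and reset the CHUID when the
# value is negative, as the troubleshooting steps describe.

# Constructed sample output, shaped like the status block shown on the page.
SAMPLE_STATUS='Version:        5.4.3
Serial Number:  25308431
CHUID:  ********************************************************
CCC:    No data available
PIN tries left: -1'

# pin_tries_left STATUS_TEXT
# Prints the integer that follows "PIN tries left:", or nothing when the
# line is absent (for example when no token is inserted).
pin_tries_left() {
    printf '%s\n' "$1" |
        sed -n 's/^PIN tries left:[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' |
        head -n 1
}

# needs_chuid_reset STATUS_TEXT
# Succeeds (exit 0) when the PIN tries value is negative, which is the
# condition under which step 3 sends you back to step 2.
needs_chuid_reset() {
    n=$(pin_tries_left "$1")
    [ -n "$n" ] && [ "$n" -lt 0 ]
}

# check_and_repair
# Reads the live token status and applies the CHUID reset only when needed.
# The PIN is not passed with -P<PIN>: yubico-piv-tool prompts for it, which
# keeps the PIN out of shell history and process lists.
check_and_repair() {
    if ! command -v yubico-piv-tool >/dev/null 2>&1; then
        echo "yubico-piv-tool not found on PATH" >&2
        return 2
    fi
    status=$(yubico-piv-tool -astatus 2>&1) || {
        echo "could not read token status (is the YubiKey inserted?)" >&2
        return 2
    }
    if needs_chuid_reset "$status"; then
        echo "PIN tries left is negative; resetting CHUID (step 2)"
        yubico-piv-tool -averify-pin -aset-chuid
    else
        echo "PIN tries left: $(pin_tries_left "$status"); no CHUID reset needed"
    fi
}

# Run against the real token only when invoked as: sh check_yubikey.sh live
# (a hypothetical file name). Sourcing the file for its functions has no
# side effects.
if [ "${1:-}" = "live" ]; then
    check_and_repair
fi
```

After the script runs the reset, continue with step 4 and look for the Rerun Certificate Synchronization action; the script does not trigger that part because it lives in the DigiCert Trust Assistant notification panel, not in the Yubico tooling.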

Note

The Rerun Certificate Synchronization notification is available only from version 1.2.1 onward.