Using Yubico tokens
Prerequisites
Install Yubico PIV tool version 2.4.0 or higher in the default directory.
For Windows: C:\Program Files\Yubico\Yubico PIV Tool\
For macOS: /usr/local/ (the installer gives no option to choose a location)
Install YubiKey Manager version 1.2.3 or higher in the default directory.
For Windows: C:\Program Files\Yubico\YubiKey Manager\
For macOS: /Applications/YubiKey Manager.app/ (the installer gives no option to choose a location)
Install YubiKey Smart Card Minidriver version 4.6.3.252 or higher for Windows only.
You must initialize your token. Follow the instructions provided in Initialize your Yubico token.
Note
DigiCert provides third-party URLs on this page as a convenient resource for accessing required software and installation instructions. While we strive to recommend reputable third-party sources, DigiCert is not responsible for, nor can we guarantee, the content or availability of these URLs.
Initialize your Yubico token
To initialize your Yubico token, you need to set:
User PIN
User PUK
Management Key. This must additionally be protected by the User PIN.
In YubiKey Manager, select the Protect with PIN checkbox while setting the Management Key.
Recent Yubico tokens might offer an Algorithm option when you set or change your Management Key. Select TDES as the algorithm and proceed.
Note
For certificates enrolled on Yubico tokens, if your application is not displaying these certificates, try removing and reinserting the token.
Restrictions
Yubico tokens cannot import Certificate Authorities (CA) because each slot is limited to storing one certificate.
When a certificate is deleted from DigiCert® Trust Assistant, the private key associated with the certificate will not be removed from the token. The same restriction applies when using YubiKey Manager.
When the Yubico token is used by the operating system or other third-party applications, it may lose connection with DigiCert® Trust Assistant. Refer to the troubleshooting steps in the next section to resolve the issue.
Troubleshooting
Unable to log into Yubico token from DigiCert Trust Assistant
Try the following:
Refresh tokens from Dashboard and log into Yubico token.
Replug the token and log into Yubico token.
Relaunch the application.
Unable to view certificates on DigiCert Trust Assistant
Try the following:
Refresh tokens from Dashboard.
Replug the token.
Relaunch the application.
Unable to synchronize the certificate to the Windows Certificate Store
First, try replugging the token.
If this does not work, confirm the following:
1. Open Device Manager on Windows and make sure the smart card with name Yubikey Smart Card Minidriver is listed under Smart cards. If not listed, try rebooting your system.
2. Reset CHUID (Card Holder Unique Identifier) for Yubikey by using the following command:
    yubico-piv-tool -averify-pin -P<PIN> -aset-chuid
   Refer to YubiKey PIV introduction.
3. Verify that the PIN tries left value is not negative. Use the following command to verify it. Try step 2 if the result is negative.
    yubico-piv-tool -astatus
   Example output:
    C:\Program Files\Yubico\Yubico PIV Tool\bin>yubico-piv-tool.exe -astatus
    Version: 5.4.3
    Serial Number: 25308431
    CHUID: ********************************************************
    CCC: No data available
    PIN tries left: -1
After completing steps 1-3, check the DigiCert® Trust Assistant notification panel for a Rerun Certificate Synchronization action.
If the action is available, trigger it to perform the synchronization.
If the notification is not listed, try unplugging and replugging the token.
Note
The Rerun Certificate Synchronization notification is available only from version 1.2.1.
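The check in step 3 can be scripted. The following is an added example, not DigiCert or Yubico code: it parses the output of yubico-piv-tool -astatus and reports which step of the procedure above applies. The function names and sample outputs are constructed for illustration, and treating a CHUID of "No data available" as unset is an assumption based on how the output above reports the CCC.

```python
import re
import subprocess

# Constructed samples in the "Key: value" shape of the status output shown above.
# CHUID values are masked placeholders, not real identifiers.
SAMPLE_NEGATIVE = "Version: 5.4.3\nCHUID: <masked>\nCCC: No data available\nPIN tries left: -1\n"
SAMPLE_HEALTHY = ("Version: 5.4.3\nCHUID: <masked>\nSlot 9a:\n"
                  "\tAlgorithm: RSA2048\nPIN tries left: 3\n")
SAMPLE_NO_CHUID = "Version: 5.4.3\nCHUID: No data available\nPIN tries left: 3\n"

NEGATIVE = "PIN tries left is negative: reset the CHUID (step 2)"
NO_CHUID = "CHUID is not set: reset the CHUID (step 2)"
NO_TRIES = "PIN tries left not reported: replug the token and rerun the status command"


def read_status(tool="yubico-piv-tool"):
    """Run the status command from step 3. Assumes the tool is on PATH."""
    result = subprocess.run([tool, "-astatus"], capture_output=True, text=True, check=True)
    return result.stdout


def parse_status(text):
    """Return top-level 'Key: value' fields; indented per-slot lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_status(text):
    """Return a list of findings; an empty list means the step 3 check passes."""
    fields = parse_status(text)
    findings = []
    tries = fields.get("PIN tries left")
    if tries is None or not re.fullmatch(r"-?\d+", tries):
        findings.append(NO_TRIES)
    elif int(tries) < 0:
        findings.append(NEGATIVE)
    # Assumption: an unset CHUID is reported the same way as the unset CCC above.
    if fields.get("CHUID", "No data available") == "No data available":
        findings.append(NO_CHUID)
    return findings
```

On a machine with the token inserted, check_status(read_status()) runs the same check against the live output. The script only reads status and never handles the PIN.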