🟣slot_9d.cnf

OpenSSL config template for the YubiKey PIV 9D slot (Key Management).

The template below is only an example of how slot 9D can be populated. You can populate your PIV slots with whatever you deem appropriate.

The certificate in this slot and its associated private key are used for encryption, that is, for confidentiality: encrypting e-mails or files. The template below is written for such uses, for example EFS and BitLocker. Because this key decrypts data, it is the one PIV key that is normally generated off the device and backed up (escrowed) before being imported: if a YubiKey holding an on-device 9D key is lost, everything encrypted to that key is lost with it.

The difference between using slot 9D and 9E for encryption is each slot's default PIN policy, shown in the table below. The PIN policy is a property of the private key, not of the certificate: it is fixed when the key is generated or imported with ykman (`ykman piv keys generate --pin-policy ...` or `ykman piv keys import --pin-policy ...`) and can only be changed by replacing the key. Currently, the YubiKey Manager GUI does not expose PIN policies at all, so use the `ykman` command line.

| Slot | Default PIN policy |
| --- | --- |
| 9D | ONCE: the end-user PIN is required to perform any private key operation. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent. |
| 9E | NEVER: the end-user PIN is NOT required to perform private key operations for this slot. |

CREATE FILE

C:\Program Files\Common Files\SSL\piv_name_9d.cnf

EXAMPLE CONFIG

```ini
oid_section         = yubikey_oids

[ yubikey_oids ]
# Only OIDs that OpenSSL does not already know by name belong here. Built-in
# names (msEFS, msEFSR, emailProtection, msSmartcardLogin, codeSigning, ...)
# must not be redefined: current OpenSSL refuses to load the file ("OID exists").
nameDistinguisher   = 0.2.262.1.10.7.20
msEFSRecovery       = 1.3.6.1.4.1.311.21.6      # Microsoft Key Recovery Agent
driveEncryption     = 1.3.6.1.4.1.311.67.1.1    # BitLocker Drive Encryption
driveRecovery       = 1.3.6.1.4.1.311.67.1.2    # BitLocker Data Recovery Agent
rda                 = 1.3.6.1.4.1.311.54.1.2    # Remote Desktop Authentication
gpgUsageCert        = 1.3.6.1.4.1.11591.2.6.1   # GnuPG: certify
gpgUsageSign        = 1.3.6.1.4.1.11591.2.6.2   # GnuPG: sign
gpgUsageEncr        = 1.3.6.1.4.1.11591.2.6.3   # GnuPG: encrypt
gpgUsageAuth        = 1.3.6.1.4.1.11591.2.6.4   # GnuPG: authenticate

[ req ]
default_bits        = 2048
default_keyfile     = piv_9d.pem
default_md          = sha256
distinguished_name  = yubikey_dn
x509_extensions     = yubikey_ext     # applied by 'openssl req -x509' (self-signed)
req_extensions      = yubikey_ext     # placed in the CSR; the issuing CA decides what it keeps
string_mask         = MASK:0x2002     # UTF8String or PrintableString
utf8                = yes
prompt              = no

[ yubikey_dn ]
# Field names must be OpenSSL object names: the state/province field is ST, not S.
0.C                 = US              # two-letter ISO 3166 country code
1.ST                = NA
2.L                 = NA
3.O                 = Organization
4.OU                = Organization Unit
5.CN                = Your Common Name
6.emailAddress      = email@address.com
7.GN                = Your Given Name
8.title             = Cert Title
9.description       = Description about Cert
10.initials         = ABC
11.serialNumber     = 1234

[ sans ]
# Mail clients match the recipient address against an rfc822Name SAN, so the
# e-mail address belongs here as well as in the DN.
email.0             = email@address.com
DNS.0               = localhost
DNS.1               = myexampleclient.com

[ yubikey_ext ]
# pathlen is only meaningful with CA:TRUE; strict verifiers reject it on an
# end-entity certificate.
basicConstraints    = CA:FALSE
nsComment           = "PIV Key Management 9D"
subjectAltName      = @sans
# Encryption purposes only. Authentication and signing EKUs (clientAuth,
# serverAuth, msSmartcardLogin, SSH, code signing) require digitalSignature in
# keyUsage and belong on the 9A/9C keys. Left non-critical: a critical flag gains
# nothing here, and some consumers reject certificates whose critical extensions
# they cannot fully process.
extendedKeyUsage    = emailProtection, msEFS, msEFSR, msEFSRecovery, driveEncryption, driveRecovery, gpgUsageEncr
# RSA encryption key: no digitalSignature or nonRepudiation (both are signing
# assertions). For an ECC key use keyAgreement instead of keyEncipherment.
keyUsage            = critical, keyEncipherment, dataEncipherment
```
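The following PowerShell sequence is an added example, not part of the original page or of Yubico's documentation. It shows how the template above is actually used to fill slot 9D: the key is generated in software and kept as an escrow copy (the point of the Key Management slot), a test certificate is issued with the template's extensions, and the key is imported with an explicit PIN policy, since that policy is fixed at import time and cannot be changed later. It assumes `openssl` and `ykman` (YubiKey Manager CLI 4.x or newer; 3.x spelled the commands `piv import-key` and `piv import-certificate`) are on PATH; the file names are placeholders.

```powershell
# Added example (not from the original page). Populate YubiKey PIV slot 9D from
# the template above with a software-generated, escrowed key. Assumes openssl and
# ykman 4.x+ on PATH; file names are placeholders.
$ErrorActionPreference = 'Stop'
$Cfg  = 'C:\Program Files\Common Files\SSL\piv_name_9d.cnf'
$Key  = 'piv_9d.key'      # escrow copy: store offline, keep it passphrase-protected
$Csr  = 'piv_9d.csr'
$Cert = 'piv_9d.crt'

# 1. Key pair and CSR. 9D decrypts data, so unlike 9A/9C the key is created in
#    software and backed up before it ever touches the token. Omitting -nodes makes
#    OpenSSL prompt for a passphrase and encrypt the PEM key.
openssl req -new -newkey rsa:2048 -config $Cfg -keyout $Key -out $Csr

# 2. Send the CSR to your CA. For a test, self-sign it instead; 'req -x509' applies
#    the template's x509_extensions (yubikey_ext), so the OIDs from the oid_section
#    are registered exactly once, by the same -config.
openssl req -x509 -config $Cfg -key $Key -in $Csr -days 730 -out $Cert

# 3. Import key and certificate. The PIN policy belongs to the key and is set here;
#    ONCE matches the 9D default in the table above. ykman prompts for the
#    management key, the PEM passphrase and (for --verify) the PIN.
ykman piv keys import --pin-policy ONCE --touch-policy NEVER 9d $Key
ykman piv certificates import --verify 9d $Cert

# 4. Check what landed in the slot and that the certificate carries only the
#    intended purposes (no digitalSignature, no clientAuth, CA:FALSE).
ykman piv info
openssl x509 -in $Cert -noout -ext keyUsage,extendedKeyUsage,basicConstraints
```

If the same key must be usable without a PIN (for example unattended drive unlock), the table above says that is what slot 9E is for: import there with `--pin-policy NEVER` rather than weakening 9D.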
