General
Yubico
Bitwarden
GPG Tools
Donate Coffee

🟣slot_9e.cnf

Certreq config template for Yubikey's PIV 9E Slot (Card Authentication).

The template below is just an example of how you can populate slot 9E. You can populate your PIV slots with whatever you deem appropriate.

This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The following template creates a certificate for Bitlocker Encryption / EFS.

The difference between using slot 9D and 9E for encryption is that each slot has different PIN policies in place. You can manually change the pin policies for a slot if you import the PIV certificate using ykman. Currently, the Yubikey Manager does not allow PIN policies to be modified.

SLOTPIN Policy

9D

The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent.

9E

The end user PIN is NOT required to perform private key operations for this slot.

CREATE FILE

C:\Program Files\Common Files\SSL\piv_name_9e.cnf

EXAMPLE CONFIG

oid_section         = yubikey_oids

[ yubikey_oids ]
nameDistinguisher   = 0.2.262.1.10.7.20
msEFSR              = 1.3.6.1.4.1.311.10.3.4.1
msEFSRecovery       = 1.3.6.1.4.1.311.21.6
driveEncryption     = 1.3.6.1.4.1.311.67.1.1
driveRecovery       = 1.3.6.1.4.1.311.67.1.2

[ req ]

default_bits        = 2048
default_keyfile     = piv_sign_9e.pem
default_md          = sha256
distinguished_name  = yubikey_dn
x509_extensions     = yubikey_ext
req_extensions      = yubikey_ext
string_mask         = MASK:0x2002
utf8                = yes
prompt              = no

[ yubikey_dn ]
0.C                 = NA
1.S                 = NA
2.L                 = NA
3.O                 = Organization
4.OU                = Organization Unit
5.CN                = Your Common Name
6.emailAddress      = email@address.com
7.GN                = Your Given Name
8.title             = Cert Title
9.description       = Description about Cert
10.initials         = ABC
11.serialNumber     = 1234

[ sans ]
DNS.0               = localhost
DNS.1               = myexampleclient.com

[ yubikey_ext ]
basicConstraints    = CA:false,pathlen:0
nsCertType          = objsign, objCA
nsComment           = "EFS/BLE 9E"
subjectAltName      = @sans
extendedKeyUsage    = critical,msEFS, msEFSR, nsSGC, msEFSRecovery, driveEncryption, driveRecovery, msSmartcardLogin
keyUsage            = critical,keyEncipherment, dataEncipherment
Previousslot_9d.cnfNextPEM Types

Last updated