🟣Change
Instructions on how to change your PIV PIN, PUK, and Management Keys.
Select which method you want to use to change your PINs:
Yubikey Manager: Yubico's official software with a graphical interface.
Command-Line (ykman): Enter commands using ykman.exe.
Kleopatra: Application available on Windows and Linux.
❊ Yubikey Manager

PIN
To change your PIN, open the Yubikey Manager software.

Select Configure PINs

You will see a list of buttons to manage your PIV PINs.
To do this, you will need the default PINs. A checkbox to the right lets you supply the default PIN automatically.

Your new PIN should be 6 to 8 characters long.
Once you have typed a new PIN, click
PUK
Changing the PUK is similar to changing the PIN. Click the box to the right marked Use Default and then supply your new PUK.
MANAGEMENT KEY
To change your Management key, return to the PIV home screen, and select

Changing your management key is slightly different. First, enter your current or default management key in the Current Management Key field (or click Use Default on the right).
Next, you will need to provide a new management key.
On the right side, select the Algorithm to use for this management key. If you're unsure, just select TDES.
AES256 is supported ONLY if your Yubikey is running v5.4.x firmware or newer.
Finally, click the Generate button.
Once your new key has been generated, it's recommended that you write this new Management Key down. If you generate new PIV certificates later, you will need this.
You may also select the option Protect With Pin, which allows you to use a PIN instead of typing the Management Key.
If you forget your PIN, PUK, or Management Key, you will need to Reset your entire PIV module and configure everything again. The reset button is located on the PIV home screen by clicking:

Resetting your PIV module will erase everything stored in your PIV slots. All PINs will be reset and all PIV certificates will be wiped.
❊ Command-Line (ykman)

If you wish to change your PIN, PUK, or Management Key using the ykman command-line, do the following:
PIN
To change your PIN, execute:
If you do not specify -n or -p in your command, you will be prompted to enter each one.
ykman piv access change-pin
-h         Show this message and exit.
-n TEXT    A new PIN.
-p TEXT    Current PIN code.
PUK
To change your PUK, execute:
If you do not specify -n or -p in your command, you will be prompted to enter each one.
ykman piv access change-puk
-h         Show this message and exit.
-n TEXT    A new PUK code.
-p TEXT    Current PUK code.
MANAGEMENT KEY
To change your Management key, select the tab below for what you wish to do. You can either have the Yubikey generate a new management key, or you can specify your own:
ykman piv access change-management-key -g -p
-a [TDES|AES128|AES192|AES256]    Management key algorithm. [Default: TDES]
-f         Confirm the action without prompting.
-g         Generate a random management key. Implied by --protect unless --new-management-key is also given. Conflicts with --new-management-key.
-m TEXT    Current management key.
-n TEXT    A new management key.
-p         Store new management key on the YubiKey, protected by PIN. A random key is used if no key is provided.
-P TEXT    PIN code.
-t         Require touch on YubiKey when prompted for management key.
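The PIN length rule, the factory defaults and the -a algorithm list on this page can be checked before a new value is sent to the YubiKey. The shell functions below are an added example, not part of the original page or of Yubico's tooling. Assumptions: the function names are hypothetical, the key sizes per algorithm are the standard sizes of those ciphers rather than values from this page, and applying check_pin to a PUK assumes the same 6 to 8 character rule.

```shell
#!/bin/sh
# Added example: pre-flight checks for new PIV credentials.
# Factory defaults as quoted on this page.
DEFAULT_PIN=123456
DEFAULT_PUK=12345678
DEFAULT_MGMT=010203040506070801020304050607080102030405060708

# Hex digits required for each -a algorithm (two digits per key byte).
mgmt_hex_len() {
    case "$1" in
        TDES|AES192) echo 48 ;;  # 24-byte key
        AES128)      echo 32 ;;  # 16-byte key
        AES256)      echo 64 ;;  # 32-byte key
        *)           return 1 ;; # unknown algorithm
    esac
}

# check_pin VALUE: succeeds if VALUE is 6 to 8 characters and not a default.
check_pin() {
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ] || return 1
    [ "$1" != "$DEFAULT_PIN" ] && [ "$1" != "$DEFAULT_PUK" ]
}

# check_mgmt_key ALGORITHM HEXKEY: right length, hex only, not the default.
check_mgmt_key() {
    want=$(mgmt_hex_len "$1") || return 1
    [ "${#2}" -eq "$want" ] || return 1
    case "$2" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "$2" != "$DEFAULT_MGMT" ]
}

# new_mgmt_key ALGORITHM: print a random key read from /dev/urandom.
new_mgmt_key() {
    want=$(mgmt_hex_len "$1") || return 1
    od -An -N "$((want / 2))" -tx1 /dev/urandom | tr -d ' \n'
}

# Usage with the flags documented above (the key is visible in the process
# list while ykman runs, so do this on a machine you trust):
#   key=$(new_mgmt_key AES256) && check_mgmt_key AES256 "$key" &&
#       ykman piv access change-management-key -a AES256 -n "$key"
```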
RESET
This will completely RESET your PIV module. Your PIN, PUK, and Management Keys will all be set back to default.
ALL PIV certificates you've installed will be wiped.
ykman piv reset
-h         Show this message and exit.
-f         Confirm the action without prompting.
❊ Kleopatra

Ensure you have the Gpg tools installed on your system. Click and search for Kleopatra.

Once the application loads, locate the Smartcards button to the right side.

Locate the Smartcard Management section and select PIV.

In the lower portion of the PIV panel, locate the Actions menu.

PIN
The following instructions explain how to change the PIV interface's PIN.
Select

This dialog is where you enter your CURRENT PIV PIN.
default: 123456

You will then be asked to enter a NEW PIV PIN and then confirm it.

Your new PIV PIN is now saved.
PUK
These instructions explain how to change the PIV interface's PUK PIN.
Select

This dialog is where you enter your CURRENT PIV PUK PIN.
default: 12345678

You will then be asked to enter a NEW PIV PUK PIN and then confirm it.

Your new PIV PUK PIN is now saved.
MANAGEMENT KEY
These instructions allow you to change your PIV Management Key.
Select

This dialog is where you enter your CURRENT Management Key.
default: 010203040506070801020304050607080102030405060708

You will then be asked to enter a NEW PIV Management key and then confirm it.