🟣Change
Instructions on how to change your PIV PIN, PUK, and Management Keys.
Select which method you want to use to change your PINs:
Yubico's Official Software with graphical interface. | |
Enter commands using ykman.exe. | |
Application available on Windows and Linux. |
❊ Yubikey Manager
PIN
To change your PIN, open the Yubikey Manager software.
Select Configure PINs
You will see a list of buttons to manage your PIV PINs.
Your new PIN should be between 6 - 8 characters long.
PUK
Changing the PUK is similar to changing the PIN. Click the box to the right marked Use Default and then supply your new PUK.
MANAGEMENT KEY
Changing your management key is slightly different. You will first enter your current or default management key in Current Management Key field. (Or you can click Use Default on the right).
Next, you will need to provide a new management key.
On the right side, select the Algorithm to use for this management key. If you're unsure, just select TDES.
AES256 is supported ONLY if your Yubikey is running v5.4.x firmware or newer.
You can check the firmware version for your Yubikey by going to the home screen of the Yubikey Manager and looking in the top left.
Finally, click the Generate button.
Once your new key has been generated, it's recommended that you write this new Management Key down. If you generate new PIV certificates later, you will need this.
You may also select the option Protect With Pin which will allow you to use a PIN instead of typing the Management Key.
If you forget your PIN, PUK, or Management Key; you will need to Reset your entire PIV module and configure everything again. The reset button is located on the PIV home screen by clicking:
Resetting your PIV module will erase everything stored in your PIV slots. All PINs will be reset and all PIV certificates will be wiped.
❊ Command-Line (ykman)
If you wish to change your PIN, PUK, or Management Key using the ykman command-line, do the following:
PIN
To change your PIN, execute:
If you do not specify -n
or -p in your command, you will be prompted to enter each one.
Command | Description |
---|---|
-h | Show this message and exit. |
-n TEXT | A new PIN. |
-p TEXT | Current PIN code. |
PUK
To change your PUK, execute:
If you do not specify -n
or -p in your command, you will be prompted to enter each one.
Command | Description |
---|---|
-h | Show this message and exit. |
-n TEXT | A new PUK code. |
-p TEXT | Current PUK code. |
MANAGEMENT KEY
To change your Management key, select the tab below for what you wish to do. You can either have the Yubikey generate a new management key, or you can specify your own:
Command | Description |
---|---|
| Management key algorithm. [Default: |
-f | Confirm the action without prompting. |
-g | Generate a random management key. Implied by Conflicts with |
-m TEXT | Current management key. |
-n TEXT | A new management key. |
-p | Store new management key on the YubiKey, protected by PIN. A random key is used if no key is provided. |
-P TEXT | PIN code. |
-t | Require touch on YubiKey when prompted for management key. |
RESET
ALL PIV certificates you've installed will be wiped.
Command | Description |
---|---|
-h | Show this message and exit. |
-f | Confirm the action without prompting. |
❊ Kleopatra
Once the application loads, locate the Smartcards button to the right side.
Locate the Smartcard Management section and select PIV.
In the lower portion of the PIV panel, locate the Actions menu.
PIN
The following instructions explain how to change the PIV interface's PIN.
This dialog is where you enter your CURRENT PIV PIN.
default:
123456
You will then be asked to enter a NEW PIV PIN and then confirm it.
Your new PIV PIN is now saved.
PUK
These instructions explain how to change the PIV interface's PUK PIN.
This dialog is where you enter your CURRENT PIV PUK PIN.
default:
12345678
You will then be asked to enter a NEW PIV PUK PIN and then confirm it.
Your new PIV PUK PIN is now saved.
MANAGEMENT KEY
These instructions allow you to change your PIV Management Key.
Changing your management key with Kleopatra appears to be buggy. Sometimes throwing errors that the program cannot read the card. Recommended to use the Yubikey Manager or command-line.
This dialog is where you enter your CURRENT Management Key.
default: 010203040506070801020304050607080102030405060708
You will then be asked to enter a NEW PIV Management key and then confirm it.
Last updated