The yubikey-piv.py script shows how to use Python, run through `ykman script`, to configure a YubiKey and issue a PIV credential. On the issuance side, the script creates a Certificate Signing Request (CSR) which, once signed by your CA, yields a certificate that can be used for certificate-based authentication to Entra ID (Azure AD).
In summary, the script can perform the following tasks:
- Change the management key (away from the factory default)
- Set a non-trivial(!) PIN (not the factory default 123456)
- Set a non-trivial(!) PUK (not the factory default 12345678)
- Create a CSR
- Perform attestation
- Import a certificate
You will need to meet the following prerequisites to make use of this script:
- YubiKey Manager (ykman), which provides the `ykman script` command used below
- One (1) YubiKey 5 series authenticator (with PIV support)
- An issuing Certificate Authority (CA), e.g. a Microsoft PKI (AD CS)
To use the script:
- Open a command prompt and execute:
  `ykman script yubikey-piv.py`
- In the main menu, select an option and follow the on-screen instructions:
  - Option 1: Configure YubiKey (management key, PIN and PUK)
  - Option 2: Create a CSR
  - Option 3: Validate attestation
  - Option 4: Import certificate
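What "Validate attestation" (Option 3) has to establish is that the key behind the CSR was generated on a genuine YubiKey: the slot attestation certificate must chain through the device attestation certificate (slot F9) to Yubico's published PIV attestation root, and the attested public key must equal the one in the CSR or exported from the slot. The following is an added example written for this page, not the project's own code. It assumes the `cryptography` package; because no YubiKey is attached, a constructed three-certificate chain stands in for the real Yubico material, and the firmware extension OID is Yubico's documented 1.3.6.1.4.1.41482.3.3.

```python
"""Added example (not yubikey-piv.py): verify a PIV slot attestation offline.
Real inputs are the slot attestation cert, the device attestation cert from
slot F9 and Yubico's published root; a constructed chain stands in here."""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Yubico attestation extension: firmware version as three bytes (documented by Yubico)
FIRMWARE_OID = ObjectIdentifier("1.3.6.1.4.1.41482.3.3")


def signed_by(cert: x509.Certificate, issuer: x509.Certificate) -> bool:
    """True if issuer's key produced cert's signature and the names chain."""
    if cert.issuer != issuer.subject:
        return False
    pub = issuer.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
    except InvalidSignature:
        return False
    return True


def spki(pub) -> bytes:
    """DER SubjectPublicKeyInfo, a key-type-independent way to compare keys."""
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def parse_firmware(raw: bytes) -> str:
    """Yubico encodes the firmware version as major.minor.patch, one byte each."""
    if len(raw) != 3:
        raise ValueError("unexpected firmware extension length")
    return ".".join(str(b) for b in raw)


def firmware_version(slot_cert: x509.Certificate) -> Optional[str]:
    try:
        ext = slot_cert.extensions.get_extension_for_oid(FIRMWARE_OID)
    except x509.ExtensionNotFound:
        return None
    return parse_firmware(ext.value.value)


def verify_attestation(slot_cert, device_cert, root_cert, expected_pub) -> dict:
    """Chain slot -> device (F9) -> root, then confirm the attested key is the
    one in the CSR / exported from the slot."""
    return {
        "chain_ok": signed_by(slot_cert, device_cert) and signed_by(device_cert, root_cert),
        "key_matches": spki(slot_cert.public_key()) == spki(expected_pub),
        "firmware": firmware_version(slot_cert),
    }


# --- constructed stand-in chain; no real Yubico material -------------------
def _cert(cn, pub, issuer_name, signer_key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name)
            .public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=3650))
            .sign(signer_key, hashes.SHA256()))


def build_constructed_chain(tamper: bool = False):
    """Root (RSA) -> device attestation (RSA) -> slot attestation (P-384 slot key).
    tamper=True signs the slot certificate with a key outside the chain."""
    root_key = rsa.generate_private_key(65537, 2048)
    dev_key = rsa.generate_private_key(65537, 2048)
    slot_key = ec.generate_private_key(ec.SECP384R1())
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed PIV Root")])
    root = _cert("Constructed PIV Root", root_key.public_key(), root_name, root_key)
    device = _cert("Constructed Device Attestation", dev_key.public_key(), root.subject, root_key)
    signer = rsa.generate_private_key(65537, 2048) if tamper else dev_key
    slot = _cert("Constructed Slot 9a Attestation", slot_key.public_key(), device.subject, signer)
    return root, device, slot, slot_key.public_key()


if __name__ == "__main__":
    root, device, slot, pub = build_constructed_chain()
    print(verify_attestation(slot, device, root, pub))
```

Two caveats apply in practice: the root must be obtained out of band from Yubico (never from the device being checked), and a chain that verifies but whose attested key differs from the CSR's key is a failed attestation, which is why `key_matches` is reported separately from `chain_ok`.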
Note: For more detail and broader context, please refer to swjm.blog
Possible improvements include:
- Improve CSR to better match Microsoft domain and Entra ID requirements
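The CSR requirement behind Option 2 and the improvement listed above is that Entra ID certificate-based authentication binds the certificate to a user by a name in the certificate, most commonly the UPN carried as a SAN otherName (Microsoft OID 1.3.6.1.4.1.311.20.2.3, value DER-encoded as a UTF8String) or an rfc822Name. The following added example, written for this page and not part of yubikey-piv.py, builds such a request with `cryptography` and checks it before submission. The UPN is a placeholder, and a throwaway software key signs the request so it runs offline; on the YubiKey the private key stays in the PIV slot and the builder would be handed to the device for signing instead.

```python
"""Added example (not yubikey-piv.py): a CSR shaped for Entra ID CBA, plus
pre-submission checks. Placeholder UPN; software key only so it runs offline."""
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# Microsoft-defined OIDs (well known; not taken from the page)
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")             # szOID_NT_PRINCIPAL_NAME
SMARTCARD_LOGON_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # szOID_KP_SMARTCARD_LOGON


def der_utf8string(text: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C); the UPN otherName value must be this."""
    data = text.encode("utf-8")
    n = len(data)
    if n < 0x80:
        length = bytes([n])
    else:  # long-form length for values of 128+ bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x0c" + length + data


def der_utf8string_decode(blob: bytes) -> str:
    """Inverse of der_utf8string; rejects anything but one whole UTF8String."""
    if len(blob) < 2 or blob[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    first = blob[1]
    if first < 0x80:
        n, start = first, 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(blob[2:2 + k], "big"), 2 + k
    if start + n != len(blob):
        raise ValueError("bad UTF8String length")
    return blob[start:].decode("utf-8")


def csr_builder_for_entra(upn: str, common_name: Optional[str] = None):
    """CN, SAN (otherName UPN + rfc822Name), client-auth and smart-card-logon EKU."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name or upn)])
    san = x509.SubjectAlternativeName([
        x509.OtherName(UPN_OID, der_utf8string(upn)),  # what Entra maps to the user's UPN
        x509.RFC822Name(upn),                           # also usable as a username binding
    ])
    key_usage = x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False,
    )
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON_OID])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(subject)
            .add_extension(san, critical=False)
            .add_extension(key_usage, critical=True)
            .add_extension(eku, critical=False))


def sign_csr_locally(builder, private_key) -> x509.CertificateSigningRequest:
    """Offline stand-in for device signing: a software key signs the request."""
    return builder.sign(private_key, hashes.SHA256())


def upn_from_csr(csr: x509.CertificateSigningRequest) -> Optional[str]:
    """Read the UPN back out of the SAN so the request can be checked first."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for name in san:
        if isinstance(name, x509.OtherName) and name.type_id == UPN_OID:
            return der_utf8string_decode(name.value)
    return None


def check_csr(csr: x509.CertificateSigningRequest, expected_upn: str) -> dict:
    """Checks worth running before the CSR goes to the CA."""
    eku = csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {
        "signature_ok": csr.is_signature_valid,
        "upn_ok": upn_from_csr(csr) == expected_upn,
        "client_auth": ExtendedKeyUsageOID.CLIENT_AUTH in eku,
    }


def demo(upn: str = "alice@contoso.example"):
    """Constructed walkthrough: placeholder UPN, throwaway P-384 key for slot 9a."""
    key = ec.generate_private_key(ec.SECP384R1())
    csr = sign_csr_locally(csr_builder_for_entra(upn), key)
    return csr, check_csr(csr, upn)


if __name__ == "__main__":
    csr, report = demo()
    print(report)
    print(csr.public_bytes(serialization.Encoding.PEM).decode())
```

Note that a Microsoft CA issuing from a certificate template applies the template's EKU and key usage and, unless the template or CA is configured to accept a subject alternative name from the request, its own SAN as well; check the issued certificate rather than assuming the CSR's extensions survived.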
You can help by getting involved in the project, or by donating (any amount!).
Donations will support costs such as domain registration and code signing (planned).
Version history:
- 2024.06.04 v2.2: YubiKey fw 5.7+ support
- 2023.09.06 v2.0: Various improvements
- 2023.08.14 v1.0: First release