The yubikey-piv.py script exemplifies how to use Python to perform YubiKey configuration and issuance of a PIV credential. With regards to issuance, the script creates a Certificate Signing Request (CSR) that, if issued, allows for authentication into Entra ID (Azure AD).
In summary, the script can perform the following actions/tasks:
- Change Management Key
- Set a non-trivial(!) PIN
- Set a non-trivial(!) PUK
- Create a CSR
- Perform Attestation
- Import a certificate
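As an added illustration of the checks behind the first three actions (example code, not part of yubikey-piv.py): the helpers below reject the factory-default PIV PIN, PUK and management key plus other trivial values, and generate a random replacement management key. The function names and the weakness rules are this example's own assumptions.

```python
import secrets

# Well-known YubiKey PIV factory defaults (documented by Yubico). A
# configuration step should refuse to leave any of these in place.
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"
DEFAULT_MGMT_KEY = bytes.fromhex(
    "010203040506070801020304050607080102030405060708"
)

def is_trivial_secret(value: str, min_len: int = 6, max_len: int = 8) -> bool:
    """True if a PIN/PUK is too weak to accept: wrong length (PIV allows 6-8),
    a factory default, one repeated character, or a straight digit run."""
    if not (min_len <= len(value) <= max_len):
        return True
    if value in (DEFAULT_PIN, DEFAULT_PUK):
        return True
    if len(set(value)) == 1:                      # e.g. 111111
        return True
    if value.isdigit():
        steps = {int(b) - int(a) for a, b in zip(value, value[1:])}
        if steps in ({1}, {-1}):                  # e.g. 234567 or 876543
            return True
    return False

def is_acceptable_management_key(hex_key: str) -> bool:
    """Accept a user-supplied management key only if it is 24 bytes (the TDES
    length used by the default key) and is not the factory default."""
    try:
        key = bytes.fromhex(hex_key)
    except ValueError:
        return False
    return len(key) == 24 and key != DEFAULT_MGMT_KEY

def generate_management_key() -> bytes:
    """Fresh random 24-byte management key from the OS CSPRNG."""
    key = secrets.token_bytes(24)
    # Astronomically unlikely, but never hand back the default by accident.
    while key == DEFAULT_MGMT_KEY:
        key = secrets.token_bytes(24)
    return key

if __name__ == "__main__":
    for candidate in ("123456", "111111", "876543", "492716"):
        print(candidate, "trivial" if is_trivial_secret(candidate) else "ok")
    print("new management key:", generate_management_key().hex())
```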
You will need to meet the following prerequisites to make use of this script:
- YubiKey Manager (get it here)
- One (1) YubiKey 5 series authenticator (with PIV support)
- An issuing Certificate Authority (CA), e.g. a Microsoft PKI
To use the script:
- Simply open a command prompt and execute:
ykman script yubikey-piv.py
- In the main menu, select an option and follow on-screen instructions.
  - Option 1: Configure YubiKey
  - Option 2: Create a CSR
  - Option 3: Validate attestation
  - Option 4: Import certificate
Note: For more detail and broader context, please refer to swjm.blog
Possible improvements include:
- Improve CSR to better match Microsoft domain and Entra ID requirements
Any help on the above (see roadmap) is welcome.
Version history:
- 2023.09.06, v2.0: Various improvements
- 2023.08.14, v1.0: First release