Before starting to use the PIV functionality of a YubiKey, it is important to change the PIN, PUK and Management Key from their default values. See Admin access for details on what these unlock. For typical usage, you will want to memorize the PIN, and keep a copy of the PUK and Management Key in a secure location.
Prerequisites
a PIV-enabled YubiKey
YubiKey Manager or YubiKey Manager CLI installed
Using YubiKey Manager for device setup
YubiKey Manager allows you to change the PIN, PUK and Management Key.
Applications > PIV > Configure PINs
The Management Key can be protected with the PIN, meaning that it's saved on the device in a location only readable with the PIN. This lets the user access the key management features while only having to remember the PIN.
The CLI can also be used for device setup.
ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key
It also allows you to generate a random management key and store it on the device, protected with the PIN.
ykman piv change-management-key --generate --protect
Recovering from a blocked PIN
If the wrong PIN is entered 3 times consecutively, the PIN will become blocked. Once blocked, the PIN cannot be used. To recover from this state you can provide the PUK to set a new PIN, which will then not be blocked.
With YubiKey Manager this can be done by pressing the Unblock PIN button found under Configure PINs, or with the CLI.
ykman piv unblock-pin
Recovering from a lost Management Key
If you’ve lost your Management Key the only way to recover is to completely reset the PIV functionality, which will erase any keys or certificates stored on the device and set the default PIN, PUK and Management Key. This will only affect the PIV portion of your YubiKey, so any non-PIV configuration will remain intact.
With YubiKey Manager this is done by pressing the Reset PIV button in the GUI, or with the CLI.
ykman piv reset