Introduction

The YubiKey Smart Card Minidriver (YKMD) is a tool for deploying smart cards across an environment consisting of multiple domains, with multiple user identities stored on a single YubiKey. It enables management of the YubiKey smart card functionality, which is based on the US Federal Government Personal Identity Verification (PIV) standard (for details on this functionality, see the YubiKey Technical Manual).

Microsoft Windows supports traditional PIV smart cards for user authentication, allowing the YubiKey to be used as a strong authentication solution. The YubiKey Minidriver extends Windows support for the YubiKey beyond authentication alone, allowing Windows to load and directly manage certificates on it. This enables an easy-to-use, easy-to-deploy, scalable implementation of strong multi-factor authentication across an entire organization using the native Windows tools and the YubiKey.

The YKMD allows for the use of native Windows services to enroll YubiKeys as smart cards, both directly by individual users and by administrators enrolling YubiKeys as smart cards on behalf of other users.

The YKMD is a small, lightweight driver that builds on top of the Windows Inbox Smart Card Minidriver (Windows Minidriver). On the Windows operating system, the Windows Minidriver provides basic functionality for using PIV smart cards that have already been provisioned with at least one certificate. However, the Windows Minidriver cannot be used to provision certificates or manage PINs. Unlike the Windows Minidriver, other native Microsoft tools, and legacy Yubico tools, the YKMD makes certificate provisioning and PIN management possible by enabling Windows to write directly to the PIV module, use the native CertUtil command suite, and add extended functionality when the YubiKey is used as a smart card. See YKMD Features.

Note

In environments that combine macOS and Linux machines with Windows PCs, use the YubiKey Manager / ykman instead of the YubiKey Minidriver and native Windows components.

Note

Provisioning credentials on the YubiKey using the Windows certificate enrollment dialogs (enabled by the YubiKey Minidriver) in parallel with other tools such as the YubiKey Manager or Yubico Authenticator is not recommended. See the YubiKey Manager (ykman) CLI and GUI Guide.

This guide covers the installation of the YKMD on user PCs, as well as instructions for users enrolling YubiKeys as smart cards directly.