GenerateKeyPair(Byte, PivAlgorithm, PivPinPolicy, PivTouchPolicy)
Generate a new key pair in the given slot.
public PivPublicKey GenerateKeyPair(byte slotNumber, PivAlgorithm algorithm, PivPinPolicy pinPolicy, PivTouchPolicy touchPolicy)
The slot into which the key pair will be generated.
The algorithm of the key to generate.
The PIN policy the key will have. If no argument is given, the policy
The touch policy the key will have. If no argument is given, the policy
The public key partner to the private key generated on the YubiKey.
The slot or algorithm specified is not valid for generating a key pair.
There is no
The user canceled management key collection.
Mutual authentication was performed and the YubiKey was not authenticated.
When you generate a key pair, you specify which slot will hold this new key. If there is a key in that slot already, this method will replace it. That old key will be gone and there will be nothing you can do to recover it. Hence, use this method with caution.
You also have the opportunity to specify the PIN and touch policies
of the private key generated. These policies describe what will be
required when using the key. For example, if the PIN policy is
Always, then every time the key is used (to sign, decrypt, or
perform key agreement), it will be necessary to verify the PIV PIN.
With the touch policy, for instance, setting it to
require touch every time the key is used. This method has the
policies as optional arguments. If you do not specify these
arguments, the key pair will be generated with the policies set to
Default. Currently for all YubiKeys, the default PIN
Once, and the default touch policy is
This method will return the public key partner to the private key generated in the slot. For YubiKeys before version 5.3, it is the only time you will have the opportunity to obtain the public key, so make sure your application manages it right from the start. Beginning with version 5.3, it is possible to get a public key out of a slot at any time.
Note that while this method will return the public key, you will still need to obtain a certificate for the private key outside of this SDK. Once you have the certificate, you can load it into the YubiKey using the ImportCertificate(Byte, X509Certificate2) method.
In order to perform this operation, the management key must be
authenticated during this session. If it has not been authenticated,
this method will call AuthenticateManagementKey(Boolean). That
is, your application does not need to authenticate the management key
separately (i.e., call
AuthenticateManagementKey), this method will determine if the
management key has been authenticated or not, and if not, it will
make the call to perform mutual authentication.
The authentication method will collect the management key using the
KeyCollector delegate. If no such delegate has been set, it
will throw an exception.
KeyCollector has an option to cancel the operation. That
AuthenticateManagementKey method will call the
KeyCollector requesting the management key, and it is possible
that during the collection operations, the user cancels. The
KeyCollector will return to the authentication method noting
the cancellation. In that case, it will throw an exception. If you
want the authentication to return
false on user cancellation,
you must call TryAuthenticateManagementKey(Boolean) directly
before calling this method.