It’s alive

It works, I can’t believe it. I have had this idea since December 2022 and now it is no longer an idea, it’s a thing. I have started to write a PowerShell module that works with YubiKeys. My immediate need was to manage the PIV part of the YubiKey, so that is what works right now, with FIDO and updating PIV to support YubiKey 5.7 next. Side note: I bought two YubiKey 5 FIPS Series keys when they released 5.7, but I then understood that it was just the YubiKey 5 Series that was updated, whoops. Time to order new YubiKeys. Since the year is 2024, I will, at least for now, support only PowerShell 7.

Getting / starting the module:

Install the module from the PowerShell Gallery. I have uploaded it and the files should be signed, so you might get a warning about an untrusted publisher if it is run from a network share.

A simple setup of YubiKey PIV

Configuring the YubiKey for the first time.

We will set a new PIN and PUK and set the number of retries allowed. We will also create a new ECC key, together with a CSR with built-in attestation. After signing, I imported the new key.

Basic setup

What does it look like

Now we can verify that we have a certificate installed

Verification

The commands

Typing from a picture is hard and not that fun. So here are all the commands, in all their glory.

Installing

Install-Module powershellYK
Import-Module powershellYK

Basic setup

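# Connect with the factory-default PIN
Connect-YubikeyPIV -PIN (Read-Host -AsSecureString -Prompt "Default PIN=123456")
# Changing the retry counts resets PIN and PUK to the factory defaults,
# which is why the two commands below pass 123456 and 12345678 as the current values
Set-YubikeyPIV -PinRetries 8 -PukRetries 3
# Prompts as "NewPin/PUK: *******"; the same value is then used for both PIN and PUK
$NewPin = Read-Host -AsSecureString -Prompt "NewPin/PUK"
Set-YubikeyPIV -NewPin $NewPin -PIN (ConvertTo-SecureString -String "123456" -AsPlainText -Force)
Set-YubikeyPIV -NewPUK $NewPin -PUK (ConvertTo-SecureString -String "12345678" -AsPlainText -Force)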

New-YubikeyPIVKey -Slot 0x9a -Algorithm EccP256 -PinPolicy Once -TouchPolicy Cached
New-YubikeyPIVSelfSign -Slot 0x9a -Subjectname "cn=My Signed 0x9a"

Showing the output

PS C:\> connect-YubikeyPIV -PIN (Read-Host -AsSecureString -Prompt "Default PIN=123456")
Default PIN=123456: *******
PS C:\> Get-YubikeyPIV -Slot 0x9a

Slot        : 0x9A
KeyStatus   : Generated
Algorithm   : EccP256
PinPolicy   : Once
TouchPolicy : Cached
Subjectname : CN=My Signed 0x9a
Issuer      : CN=My Signed 0x9a
NotBefore   : 2024-06-13 21:02:10
NotAfter    : 2034-06-13 21:02:10

PS C:\>
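
Building on the verification step, the following added example (not part of powershellYK or the original post) checks the fields shown in the Get-YubikeyPIV output against a provisioning baseline. `Test-PivSlotBaseline`, its parameters, the baseline values and the sample object are assumptions; only the property names are taken from the output above.

```powershell
# Added example: Test-PivSlotBaseline is a hypothetical helper, not a powershellYK cmdlet.
function Test-PivSlotBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $SlotInfo,
        [string[]] $Algorithm   = @('EccP256'),   # assumed baseline values
        [string[]] $PinPolicy   = @('Once'),
        [string[]] $TouchPolicy = @('Cached'),
        [int]      $MaxValidityDays = 1095,       # assumed limit of about 3 years
        [switch]   $AllowSelfSigned
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        $baseline = @{ Algorithm = $Algorithm; PinPolicy = $PinPolicy; TouchPolicy = $TouchPolicy }
        foreach ($name in 'Algorithm', 'PinPolicy', 'TouchPolicy') {
            $actual = [string]$SlotInfo.$name
            if ($actual -notin $baseline[$name]) {
                $findings.Add("$name is '$actual', expected one of: $($baseline[$name] -join ', ')")
            }
        }
        # Issuer equal to subject means no CA has vouched for the key
        $selfSigned = [string]$SlotInfo.Issuer -eq [string]$SlotInfo.Subjectname
        if ($selfSigned -and -not $AllowSelfSigned) {
            $findings.Add('Certificate is self-signed (Issuer equals Subjectname)')
        }
        $notBefore = [datetime]$SlotInfo.NotBefore
        $notAfter  = [datetime]$SlotInfo.NotAfter
        $now = Get-Date
        if ($now -lt $notBefore -or $now -gt $notAfter) {
            $findings.Add("Certificate is outside its validity window: $notBefore to $notAfter")
        }
        $days = [int](($notAfter - $notBefore).TotalDays)
        if ($days -gt $MaxValidityDays) {
            $findings.Add("Validity of $days days exceeds the limit of $MaxValidityDays days")
        }
        [pscustomobject]@{
            Slot       = $SlotInfo.Slot
            Compliant  = $findings.Count -eq 0
            SelfSigned = $selfSigned
            Findings   = $findings.ToArray()
        }
    }
}

# Constructed sample mirroring the output above; on a real key pipe in Get-YubikeyPIV -Slot 0x9a
[pscustomobject]@{
    Slot = '0x9A'; KeyStatus = 'Generated'; Algorithm = 'EccP256'
    PinPolicy = 'Once'; TouchPolicy = 'Cached'
    Subjectname = 'CN=My Signed 0x9a'; Issuer = 'CN=My Signed 0x9a'
    NotBefore = [datetime]'2024-06-13 21:02:10'; NotAfter = [datetime]'2034-06-13 21:02:10'
} | Test-PivSlotBaseline
```

Pass `-AllowSelfSigned` or a larger `-MaxValidityDays` when a self-signed test certificate like the one above is expected.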