Woho so our friends at Yubico has released a new version of their .NET SDK. It is now on 1.11, this means support for RSA3072 and RS4096 algorithms for PIV. So it time to update my powershell module for Yubikey . The latest version is available from Powershell Galleries as usual.

New stuff (if your Yubikey is 5.7 or later)

RSA3072 & RSA4096 algorithms

We can create an RSA3072 PIV Key

New-YubikeyPIVKey -Slot "PIV Authentication" -Algorithm Rsa3072 -PinPolicy Default -TouchPolicy Default
I also added so it wont suggest algorithms your yubikey wont support.

Move a key (and if you want a certifiate between slots)

Lets you move a key instead of overwriting it or removing it.

Move-YubikeyPIV -SourceSlot "PIV Authentication" -DestinationSlot 0x9c -MigrateCertificate

Just get rid of a key

Before you needed to overwrite keys, now you can just delete it.

Remove-YubikeyPIV -Slot "PIV Authentication"


I noticed that the speed when creating larger keys is really… noticible. Below is a table of the time in seconds for creating keys. I did 20 tries per Algorithm and Yubikey version.

Version Algorithm Average Median Minimum Maximum
5.4.3 Rsa1024 1.1 1.4 3.0 22.7
5.4.3 Rsa2048 9.2 7.7 1.3 23.7
5.4.3 EccP256 0.4 0.4 0.3 0.4
5.4.3 EccP384 0.5 0.5 0.5 0.5
5.7 Rsa1024 0.7 1.1 0.4 21.4
5.7 Rsa2048 5.9 9.8 1.95 12.9
5.7 Rsa3072 29.4 26.6 6.1 66.0
5.7 Rsa4096 57.2 22.4 12.2 232.7