JMarkstrom / PIV

Personal Identity Verification (PIV) related assets for YubiKeys

YubiKey PIV "lifecycle" using Python

ℹ️ About

The yubikey-piv.py script exemplifies how to use Python to perform YubiKey configuration and issuance of a PIV credential. With regard to issuance, the script creates a Certificate Signing Request (CSR) that, if issued, allows authentication into Entra ID (Azure AD).

In summary, the script can perform the following actions/tasks:

  • Change Management Key
  • Set a non-trivial(!) PIN
  • Set a non-trivial(!) PUK
  • Create a CSR
  • Perform Attestation
  • Import a certificate
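
The "non-trivial PIN/PUK" and "change management key" steps above boil down to generating secrets that are not the YubiKey PIV factory defaults and not an obvious pattern. The following is an added example, not code from yubikey-piv.py: a small policy check plus generators, using only the Python standard library. It assumes the well-known factory defaults (PIN 123456, PUK 12345678, management key 0102...0708 repeated three times) and the 6-8 character PIN/PUK length limit; writing the values to the YubiKey (via ykman/yubikit) is deliberately left out so the block runs offline.

```python
import secrets
import string

# Well-known YubiKey PIV factory defaults (assumed here, not read from a key).
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"
DEFAULT_MGMT_KEY = bytes.fromhex("0102030405060708" * 3)
MGMT_KEY_LEN = 24  # both 3DES and AES-192 management keys are 24 bytes


def is_trivial_secret(value: str, *, default: str) -> bool:
    """True if a PIN/PUK would be a poor choice: wrong length, non-ASCII,
    the factory default, one repeated character, or a monotonic digit run
    such as 12345678 or 876543."""
    if not 6 <= len(value) <= 8 or not value.isascii():
        return True
    if value == default or len(set(value)) == 1:
        return True
    if value.isdigit():
        steps = {int(b) - int(a) for a, b in zip(value, value[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _random_digits(length: int, default: str) -> str:
    # Digits only keeps the value usable on PIN pads; the YubiKey itself
    # accepts any ASCII. Loop until the policy check is satisfied.
    while True:
        candidate = "".join(secrets.choice(string.digits) for _ in range(length))
        if not is_trivial_secret(candidate, default=default):
            return candidate


def generate_pin(length: int = 8) -> str:
    """Random PIN that passes is_trivial_secret (8 digits by default)."""
    return _random_digits(length, DEFAULT_PIN)


def generate_puk(length: int = 8) -> str:
    """Random PUK that passes is_trivial_secret (8 digits by default)."""
    return _random_digits(length, DEFAULT_PUK)


def generate_management_key() -> bytes:
    """24 random bytes for the management key; pass .hex() to ykman."""
    while True:
        key = secrets.token_bytes(MGMT_KEY_LEN)
        if key != DEFAULT_MGMT_KEY:
            return key
```

Store the generated PUK and management key outside the YubiKey (e.g. in a vault); the PUK is the only way to recover from a blocked PIN.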

⚠️ This script is provided "as-is" without any warranty of any kind, either expressed or implied.

💻 Prerequisites

You will need to meet the following prerequisites to make use of this script:

  • YubiKey Manager (get it here)
  • One (1) YubiKey 5 series authenticator (with PIV support)
  • An issuing Certificate Authority (CA), e.g. a Microsoft PKI

📖 Usage

To use the script:

  1. Simply open a command prompt and execute: ykman script yubikey-piv.py
  2. In the main menu, select an option and follow on-screen instructions.

Option 1: Configure YubiKey:

Option 2: Create a CSR:

Option 3: Validate attestation:

Option 4: Import certificate:

Note: For more detail and broader context, please refer to swjm.blog

🥅 Roadmap

Possible improvements include:

  • Improve CSR to better match Microsoft domain and Entra ID requirements

🥷🏻 Contributing

Any help on the above (see roadmap) is welcome.

📜 Release History

  • 2024.06.04 v2.2 YubiKey fw 5.7+ support
  • 2023.09.06 v2.0 Various improvements
  • 2023.08.14 v1.0 first release

License: BSD 2-Clause "Simplified" License