PIV certificate slots

A PIV-enabled YubiKey NEO holds 4 distinct slots for certificates and a YubiKey 4 & 5 holds 24, as specified in the PIV standards document. Each of these slots is capable of holding an X.509 certificate, together with its accompanying private key. Technically these four slots are very similar, but they are used for different purposes.

Note
The PIN policy for these slots described here are based on the PIV standard. They can be changed on the YubiKey 4 & 5. Applications which support generic backends such as PKCS#11 are unlikely to take differing PIN requirements between slots into consideration, and may prompt for a PIN even if the YubiKey does not require one.

Slot 9a: PIV Authentication

This certificate and its associated private key is used to authenticate the card and the cardholder. This slot is used for things like system login. The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent.

Slot 9c: Digital Signature

This certificate and its associated private key is used for digital signatures for the purpose of document signing, or signing files and executables. The end user PIN is required to perform any private key operations. The PIN must be submitted every time immediately before a sign operation, to ensure cardholder participation for every digital signature generated.

Slot 9d: Key Management

This certificate and its associated private key is used for encryption for the purpose of confidentiality. This slot is used for things like encrypting e-mails or files. The end user PIN is required to perform any private key operations. Once the PIN has been provided successfully, multiple private key operations may be performed without additional cardholder consent.

Slot 9e: Card Authentication

This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.

Slot 82-95: Retired Key Management

These slots are only available on the YubiKey 4 & 5. They are meant for previously used Key Management keys to be able to decrypt earlier encrypted documents or emails. In the YubiKey 4 & 5 all 20 of them are fully available for use.

Slot f9: Attestation

This slot is only available on YubiKey version 4.3 and newer. It is only used for attestation of other keys generated on device with instruction f9. This slot is not cleared on reset, but can be overwritten.