PIV (Personal Identity Verification) is defined by the US federal government FIPS 201 standard. PIV can store keys and certificates for signing and encryption, enabling functions such as digital signatures and file encryption.
Starting from CanoKey Canary, the following extended algorithms are also supported:
| Algorithm Name | Algorithm ID |
|---|---|
| RSA3072 | 05 |
| RSA4096 | 16 |
| secp256k1 | 53 |
| Ed25519 | E0 |
| X25519 | E1 |
| SM2 | 54 |
CanoKey firmware version 3.0.0 only supports signing 32-byte data using the Ed25519 algorithm and only supports using internally generated X25519 keys.
The default management key is `010203040506070801020304050607080102030405060708`.
CanoKey supports the following key slots:
Starting from firmware version 2.0.0, CanoKey also supports the following key slots:
Starting from firmware version 2.0.0, CanoKey supports configuring PIV PIN and touch policies.
| Key Slot | Default PIN Policy | Default Touch Policy |
|---|---|---|
| 9E | Never | Never |
| Others | Once | Never |
Starting from firmware version 2.0.0, CanoKey supports viewing PIV metadata.
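To make the algorithm table and the policy table above concrete, the following added example (not CanoKey or Yubico code) builds and decodes the PIV GENERATE ASYMMETRIC KEY PAIR APDU (INS 0x47, SP 800-73) that a tool such as yubico-piv-tool sends when generating a key in a slot. It assumes CanoKey accepts the Yubico extension tags 0xAA (PIN policy) and 0xAB (touch policy) inside the 0xAC template, and it adds the standard RSA2048/ECCP256/ECCP384 identifiers from SP 800-78 alongside the extended ones from the table.

```python
# Standard PIV algorithm IDs (SP 800-78) plus the extended IDs from the table above.
ALGORITHMS = {
    "RSA2048": 0x07, "ECCP256": 0x11, "ECCP384": 0x14,    # standard PIV
    "RSA3072": 0x05, "RSA4096": 0x16, "secp256k1": 0x53,  # CanoKey extended
    "Ed25519": 0xE0, "X25519": 0xE1, "SM2": 0x54,
}
PIN_POLICY = {"never": 1, "once": 2, "always": 3}      # Yubico tag 0xAA (assumed)
TOUCH_POLICY = {"never": 1, "always": 2, "cached": 3}  # Yubico tag 0xAB (assumed)

def tlv(tag, value):
    """Encode one BER-TLV item; short-form length is enough for these payloads."""
    return bytes([tag, len(value)]) + value

def build_generate_apdu(slot, alg_name, pin_policy=None, touch_policy=None):
    """00 47 00 <slot> Lc 'AC' L { '80' 01 alg ['AA' 01 pin] ['AB' 01 touch] }"""
    body = tlv(0x80, bytes([ALGORITHMS[alg_name]]))
    if pin_policy is not None:
        body += tlv(0xAA, bytes([PIN_POLICY[pin_policy]]))
    if touch_policy is not None:
        body += tlv(0xAB, bytes([TOUCH_POLICY[touch_policy]]))
    data = tlv(0xAC, body)
    return bytes([0x00, 0x47, 0x00, slot, len(data)]) + data

def decode_generate_apdu(apdu):
    """Inverse of build_generate_apdu: returns slot, algorithm name and policies."""
    cla, ins, p1, slot, lc = apdu[:5]
    if (cla, ins, p1) != (0x00, 0x47, 0x00) or apdu[5] != 0xAC or lc != len(apdu) - 5:
        raise ValueError("not a GENERATE ASYMMETRIC KEY PAIR APDU")
    by_id = {v: k for k, v in ALGORITHMS.items()}
    out = {"slot": slot}
    i, end = 7, 7 + apdu[6]          # walk the TLVs inside the 0xAC template
    while i < end:
        tag, length = apdu[i], apdu[i + 1]
        value = apdu[i + 2:i + 2 + length]
        if tag == 0x80:
            out["algorithm"] = by_id.get(value[0], f"unknown(0x{value[0]:02X})")
        elif tag == 0xAA:
            out["pin_policy"] = {v: k for k, v in PIN_POLICY.items()}[value[0]]
        elif tag == 0xAB:
            out["touch_policy"] = {v: k for k, v in TOUCH_POLICY.items()}[value[0]]
        i += 2 + length
    return out

def ed25519_input_ok(alg_name, data):
    """Firmware 3.0.0 signs only 32-byte inputs with Ed25519; hash longer data first."""
    return alg_name != "Ed25519" or len(data) == 32
```

Decoding the bytes a tool sends (for example from a pcsc trace) is a quick way to confirm which algorithm and policies were actually requested for a slot.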
As PIV is typically provisioned by system administrators and used by regular users, please make sure you understand the following before proceeding.
It is recommended to use yubico-piv-tool for related operations.
If the key and certificate are in two separate files, they need to be imported separately.

Importing the private key:

```shell
yubico-piv-tool -r canokey -a import-key -s 9a -i private-key.pem
```

Importing the certificate:

```shell
yubico-piv-tool -r canokey -a import-certificate -s 9a -i certificate.pem
```

Here, `-s 9a` indicates using the 9A key slot, which can be changed as needed.

To import a PKCS#12 file (.p12 or .pfx) containing both the private key and certificate, execute:

```shell
yubico-piv-tool -r canokey -a import-key -a import-certificate -K PKCS12 -s 9a -i certificate.p12
```

Generate a new private key and self-sign it:

```shell
yubico-piv-tool -r canokey -a generate -s 9a -A RSA2048 -o public-key.pem
yubico-piv-tool -r canokey -a verify-pin -a selfsign -s 9a -S "/CN=Test Certificate" -i public-key.pem -o certificate.pem
yubico-piv-tool -r canokey -a import-certificate -s 9a -i certificate.pem
```

Since Windows caches certificate information based on the CHUID, you need to update the CHUID after importing a certificate on Windows:

```shell
yubico-piv-tool -r canokey -a set-chuid
```