Last week Yubico announced the general availability of their desktop .NET SDK for YubiKeys. I jumped over to their GitHub repo to check out what functionality the .NET SDK exposed. The good news is that the Personal Identity Verification (PIV) slots used for certificates are accessible. Fantastic news, so how could I use the SDK to get certificates from a YubiKey using PowerShell ?
Getting started instructions can be found here but I jumped straight in, cloned the SDK and built the project. That then gave me the three libraries. The key one is the Yubico.YubiKey.dll that contains all of the classes and types needed for interacting with the YubiKey. The Yubico.Core.dll is also required to discover connected YubiKeys. I imported the Yubico.YubiKey.dll and Yubic.Core.dll libraries into a new PowerShell session and started looking at the classes and deeper into the documentation. A combination of a few of the examples, the documentation and some trial and error and within a few hours I was successfully retrieving certificates from my YubiKeys.
The YubiKeys I have are the 4, 5 CI, 5 C NFC, 5 NFC, 5 NEO and Security Key. I’ve validated the ability to access and retrieve certificates from all of them except the Security Key as it doesn’t have that feature. It is a FIDO only key. The four certificate slots on YubiKeys that support PIV are labelled Authentication Certificate, Digital Signature Certificate, Key Management Certificate and Card Authentication Certificate. Using the Yubico YubiKey Manager you can see the Certificate slots and their contents.
Discover Connected YubiKeys
YubiKey’s come in different form factors. For desktop connectivity though you will have USB-A or USB-C. The libraries contain the capability to discover keys connected via any interface. I’ve created a Function named Find-YubiKeyDevices. Unlike the YubiKey Manager (as shown in the screenshot above) you can have multiple keys connected and interact with them. The screenshot below shows the output from the Find-YubiKeyDevices function. In the example below it discovered four connected YubiKeys connected with either USB-A or USB-C and each with different features. For each YubiKey you get its features such as form factor (USB-A or USB-C), firmware version etc. The key one to note is the SerialNumber. For the Get-YubiKeyDevice function below I’m using SerialNumber as the immutable identifier to return information for a single device.
Find-YubiKeyDevices
Get YubiKey Device
The Get-YubiKeyDevice function will attempt to retrieve a specific YubiKey using its SerialNumber.
Get-YubiKeyDevice -SerialNumber 15464990
Retrieve Certificates from a YubiKey using PowerShell
Now that we have discovered connected YubiKeys where we may have multiple and can retrieve a specific YubiKey, we can now retrieve certificates from it. What you need to know though is from which slot you want to retrieve a certificate from. As mentioned in the introduction there are four slots, Authentication, Digital Signature, Key Management and Card Authentication. Specify from which YubiKey and which slot and the certificate will be retrieved as a PowerShell X509Certificate2 object.
Certificate Slot to return the certificate from - Slot 9a 'Authentication' - Slot 9c 'Signature' - Slot 9d 'KeyManagement' - Slot 9e 'CardAuthentication'
Get-YubiKeyCertificate -CertSlot Authentication -SerialNumber 15464990
If you want to have the certificate returned encoded as a base64string specify the -Raw $true parameter.
Get-YubiKeyCertificate -CertSlot Authentication -SerialNumber 15464990 -Raw $true
Yubico YubiKey Certificates PowerShell Script
I’ve put the three PowerShell functions detailed in this post into a script named YubiKey.ps1. I have compiled the SDK to obtain the two DLLs that provide the interfaces required. The YubiKey.ps1 script loads those two DLLs.
NOTE: The script requires PowerShell 7.x
Download the YubiKey.ps1, Yubico.YubiKey.dll and Yubico.Core.dll from my GitHub YubiKey repository shown further below and keep them all together in the same directory. Import the functions (and the DLLs) by running the YubiKey.ps1 using the dot prefix.
. .\YubiKey.ps1
YubiKey GitHub Repository
GitHub – darrenjrobinson/YubiKey: Discovering Yubico YubiKeys and retrieving certificates using PowerShell
PowerShell functions to discover Yubico YubiKeys and obtain certificates from certificate slots. Utilises the Yubico desktop .NET SDK Contains v4.0.30319 of the compiled libraries. Associated Blogpost Works with PowerShell (6.x, 7.x).
Summary
Using the Yubico Desktop SDK we can discover connected YubiKeys and retrieve certificates from a YubiKey using PowerShell.