What it is
PIV (Personal Identity Verification, NIST SP 800-73-4) began as a US-government employee-credential standard and is now widely supported on general-purpose security keys. It stores certificates and private keys in numbered slots, each with an intended purpose, and performs signing/auth with them on-device, gated by a PIN; administrative changes to the slots are governed by a separate management key.
The common key slots
9A — PIV Authentication. Login / network auth (and a popular choice for SSH).
9C — Digital Signature. Signing documents and email; typically requires a PIN per use.
9D — Key Management. Encryption / key exchange.
9E — Card Authentication. Often used without a PIN, e.g. physical-access scenarios.
PIV has a user PIN plus a PUK that can reset a blocked PIN. Exhaust both retry counters and the card must be reset, erasing its keys and certs. See resetting →
Separate from the PIN, a third credential — the management key — gates administrative changes: generating keys, importing certificates, and changing retry counts. Cards ship with a well-known factory default (010203…0708, repeated to fill the key), so anyone can administer a fresh card. If you rely on PIV day-to-day, change it — keyroost can rotate it to a random value you keep somewhere safe (a password manager). Lose a changed key and no admin changes are possible until a full applet reset.
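The credential model described above (PIN retry counter, PUK unblocking, lockout that only a reset clears, management key gating admin operations, and the 9E slot's PIN-less use) as a runnable toy model, added here as an illustration; it is not keyroost's code nor a real PIV applet. The PIN, PUK, management key and retry limit are constructed sample values, and "keys" and "signatures" are string stand-ins.

```python
from dataclasses import dataclass, field
import secrets
RETRIES = 3  # retry limit used for both PIN and PUK in this model
PIN_REQUIRED = {"9a": True, "9c": True, "9d": True, "9e": False}  # per-slot PIN policy
class CardLocked(Exception):
    pass  # PIN and PUK both exhausted: only a full applet reset helps

@dataclass
class PivApplet:
    pin: str = "1111"  # constructed sample credentials, not any vendor's defaults
    puk: str = "2222"
    mgmt_key: bytes = b"\x01" * 24
    pin_left: int = RETRIES
    puk_left: int = RETRIES
    keys: dict = field(default_factory=dict)  # slot -> public-key stand-in

    def verify_pin(self, pin: str) -> bool:
        if self.pin_left == 0:  # blocked: only the PUK (or a reset) can help
            return False
        if not secrets.compare_digest(pin, self.pin):
            self.pin_left -= 1
            return False
        self.pin_left = RETRIES  # a correct PIN restores the counter
        return True

    def unblock_pin(self, puk: str, new_pin: str) -> bool:
        if self.puk_left == 0:
            raise CardLocked("PIN and PUK both exhausted: reset required")
        if not secrets.compare_digest(puk, self.puk):
            self.puk_left -= 1
            return False
        self.pin, self.pin_left, self.puk_left = new_pin, RETRIES, RETRIES
        return True

    def generate_key(self, slot: str, mgmt_key: bytes) -> str:
        # Admin operation: gated by the management key, never by the PIN.
        if not secrets.compare_digest(mgmt_key, self.mgmt_key):
            raise PermissionError("management key required")
        self.keys[slot] = f"pub:{slot}:{secrets.token_hex(4)}"  # stand-in, no real key
        return self.keys[slot]

    def sign(self, slot: str, data: bytes, pin: str = "") -> str:
        # Use operation: PIN-gated for 9A/9C/9D; 9E signs without a PIN.
        if PIN_REQUIRED[slot] and not (pin and self.verify_pin(pin)):
            raise PermissionError("PIN required")
        return f"sig:{self.keys[slot]}:{data.hex()}"  # KeyError if the slot is empty

    def reset(self) -> None:
        self.__init__()  # full applet reset: every slot wiped, defaults restored
```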
What keyroost does with PIV
Full management. Status (version, serial, PIN retries, slot contents) needs no PIN. Beyond that, keyroost generates keys on the card (RSA 1024–4096, ECC P-256/P-384, Ed25519), creates a self-signed certificate in the slot or a certificate request (CSR) for a certificate authority — signed by the card itself, the private key never leaves it — imports and exports certificates, changes the PIN, PUK, retry counts and management key, and resets the applet. The same controls are in the desktop app's PIV pane.
keyroostctl piv status
keyroostctl piv generate-key --slot 9a --algorithm eccp256 --mgmt-key-stdin
keyroostctl piv self-sign --slot 9a --subject "CN=Alice" --days 365 \
--pin-stdin --mgmt-key-stdin
keyroostctl piv request-cert --slot 9a --subject "CN=Alice,O=Example" \
--pin-stdin --file request.csr