VMware Workspace ONE® PIV-D Manager works with YubiKey. The PIV-D Manager mobile app can sign PDF documents on a mobile device with credentials from a YubiKey accessory.

You can register your YubiKey accessory for use with the PIV-D Manager app on your device by following these instructions.

Prerequisites

Before you begin, you need the following.

  • Enrolled device.

    Enroll the device with Workspace ONE Intelligent Hub and install the PIV-D Manager app in the usual way, or follow the instructions from your enterprise administrator.

  • Accessory with installed credentials.

    Your enterprise administrator may issue you an accessory on which a suitable credential has already been installed, or may provide you with enrollment instructions. Otherwise, you can install a certificate yourself.

    To install a certificate yourself, you will need the following.

    - Suitable management software, for example YubiKey Manager (ykman), which can be downloaded from the Yubico website.

    - Accessory management keys. YubiKey accessories ship with a default PIV management key, PIN (123456) and PUK (12345678). Those can be used unless the accessory has been reconfigured. Note that the default management key is publicly documented, so anyone with physical access to an accessory that still uses it can replace the loaded certificate; change the management key and PIN once your credential is installed.

    - Electronic certificate. The certificate must have the Key Usage attributes Digital Signature and Non-Repudiation (the latter is labelled Content Commitment in some tools, following RFC 5280).

The PIV-D Manager app can be used to check that the certificate is suitable for PDF signing. This is covered in the first procedure below, Register your YubiKey accessory.

Procedure

  1. Register your YubiKey accessory
    1. Open the PIV-D app. Opening the app might require you to enter a passcode or authenticate in some other way.
    2. Open the product selection screen. The first screen shown by PIV-D may already be the product selection screen.
    3. Choose Product: YubiKey.
    4. Follow the on-screen instructions for connecting the accessory, either by USB or NFC. PIV-D only reads the public certificate at this stage, so you are not asked for the accessory PIN. When the accessory has been read, the Certificates screen opens in the PIV-D app and the certificate from the accessory is listed there.
      Be careful not to trigger Yubico OTP (One-Time Password) output, which can cause the browser app to open. If that happens, return to the PIV-D app and try holding the accessory in a different way so that the OTP is not triggered.
    5. Tap the certificate name and check that the attributes are as required. The Subject must show the common name (CN) that you want to appear on signed documents. The Key Usage line must show both Digital Signature and Non-Repudiation.
      If any attribute is not as required, a different certificate must be loaded on the accessory. Return to your administrator, or generate and install a corrected certificate of your own.
  2. Signing a document with a YubiKey accessory
    1. Ensure your YubiKey accessory is registered (see the previous procedure).
    2. Share a signable PDF file with PIV-D.
    3. Tap the sign button and confirm if prompted.
    4. Follow the on-screen instructions for connecting the accessory, either by USB or NFC. PIV-D uses the private key on the accessory at this stage, so you are prompted to enter the accessory PIN; the signing operation runs on the accessory and the private key never leaves it. Entering a wrong PIN repeatedly blocks the PIN (after three attempts by default), after which it can only be unblocked with the PUK.
      Be careful not to trigger Yubico OTP (One-Time Password) output, which can cause the browser app to open. If that happens, return to the PIV-D app and try holding the accessory in a different way so that the OTP is not triggered.
    5. Check that the signature has been applied correctly: the signed document should show the common name (CN) from the certificate's Subject, as verified during registration.
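The Key Usage check that the prerequisites call for, and that step 5 of the registration procedure performs in the app, can also be done on a workstation before the certificate is loaded onto the accessory. The following script is an added example and is not part of PIV-D Manager or of Yubico's software. It uses only the Python standard library: it scans a DER-encoded X.509 certificate for the KeyUsage extension (OID 2.5.29.15) and decodes the BIT STRING by hand, reporting whether both Digital Signature and Non-Repudiation are asserted. It assumes DER input (convert a PEM file first with: openssl x509 -in cert.pem -outform DER -out cert.der); the embedded sample inputs are constructed extension fragments, not real certificates.

```python
"""Check a certificate's Key Usage for PDF signing: Digital Signature and Non-Repudiation.

Stdlib only: scans a DER-encoded X.509 certificate for the KeyUsage extension
(OID 2.5.29.15) and decodes its BIT STRING. Assumes DER input. Added example,
not part of PIV-D Manager or Yubico tooling.
"""
import sys

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1, renamed contentCommitment in RFC 5280
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]
KEY_USAGE_OID_TLV = bytes.fromhex("0603551d0f")  # OBJECT IDENTIFIER 2.5.29.15, DER-encoded
REQUIRED_FOR_PDF_SIGNING = {"digitalSignature", "nonRepudiation"}


def read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(bitstring):
    """Turn the content octets of a KeyUsage BIT STRING into a set of usage names."""
    unused_bits = bitstring[0]  # first octet: number of unused trailing bits
    bits = bitstring[1:]
    total = len(bits) * 8 - unused_bits
    usages = set()
    for i in range(min(total, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def key_usage_from_der(cert_der):
    """Find the KeyUsage extension in a DER certificate; return its usages (empty if absent).

    This is a byte scanner, not a full X.509 parser: it locates the encoded OID and
    parses the optional 'critical' BOOLEAN and the OCTET STRING extnValue after it.
    """
    idx = cert_der.find(KEY_USAGE_OID_TLV)
    if idx < 0:
        return set()
    pos = idx + len(KEY_USAGE_OID_TLV)
    tag, value, pos = read_tlv(cert_der, pos)
    if tag == 0x01:  # optional BOOLEAN 'critical' precedes extnValue
        tag, value, pos = read_tlv(cert_der, pos)
    if tag != 0x04:
        raise ValueError("malformed KeyUsage extension: expected OCTET STRING extnValue")
    inner_tag, bitstring, _ = read_tlv(value, 0)
    if inner_tag != 0x03:
        raise ValueError("malformed KeyUsage extension: expected BIT STRING")
    return decode_key_usage(bitstring)


def suitable_for_pdf_signing(cert_der):
    """True only if both usages PIV-D requires are asserted."""
    return REQUIRED_FOR_PDF_SIGNING <= key_usage_from_der(cert_der)


# Constructed sample inputs (not real certificates): bare KeyUsage Extension SEQUENCEs,
# which is all the scanner above needs. Layout: 30 len, OID, [01 01 ff critical], 04 04 03 02 <unused> <bits>.
SIGNING_CERT_EXT = bytes.fromhex("300e0603551d0f0101ff0404030206c0")    # digitalSignature + nonRepudiation
SIGNATURE_ONLY_EXT = bytes.fromhex("300e0603551d0f0101ff040403020780")  # digitalSignature only
TLS_SERVER_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205a0")      # digitalSignature + keyEncipherment
NON_CRITICAL_EXT = bytes.fromhex("300b0603551d0f0404030206c0")          # as the first, 'critical' omitted


if __name__ == "__main__":
    # Usage: python check_key_usage.py cert.der
    with open(sys.argv[1], "rb") as f:
        der = f.read()
    usages = key_usage_from_der(der)
    print("Key Usage:", ", ".join(sorted(usages)) or "(extension absent)")
    print("Suitable for PDF signing:", suitable_for_pdf_signing(der))
```

A certificate that passes this check should show "Digital Signature, Non Repudiation" on the X509v3 Key Usage line of openssl x509 -in cert.pem -noout -text, which is the same information the PIV-D Certificates screen displays in step 5 of registration; a typical TLS server certificate (Digital Signature, Key Encipherment) fails it, which is the usual reason a reused certificate is rejected.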