More than 1 (pair of) PIV slot(s)

Showstopper for me buying Nitrokeys is that they only have 1 fully functional slot for all PIV related operations.

I need to be able to store more than just one set for PGP / x509 signing operations.

Yubikeys for instance have the main slot and on top 20(?) further slots they label “for retired keys” but can be used (almost) the same way as the main one.

From my understanding this should be either
a) very simple to implement, as it’s just existing code addressing different slots
b) impossible, due to hardware limitations

Any such thing in the pipeline?

Do they? Could you point me to some documentation please?

Afaik a piv module can store only 4 certs because it’s purpose is for end user entities.
If you like to implement things like a pki then consider using i.e. the Nitrokey HSM which offers 100 key slots iirc but don’t offer piv or pgp Smartcard.

Im also still in my personal research phase but the HSM works well for a pki and setting up a x509 ca.

Do they? Could you point me to some documentation please?

Yes, they do (“almost”, though, due to some limitations).
I’m having several unrelated x509 CAs in those slots I use for signing.

Quotes from docs1:

  • “A PIV-enabled YubiKey NEO holds 4 distinct slots for certificates and a YubiKey 4 & 5 holds 24, as specified in the PIV standards document. Each of these slots is capable of holding an X.509 certificate, together with its accompanying private key. Technically these four slots are very similar, but they are used for different purposes.”
  • " Slot 82-95: Retired Key Management: These slots are only available on the YubiKey 4 & 5. They are meant for previously used Key Management keys to be able to decrypt earlier encrypted documents or emails. In the YubiKey 4 & 5 all 20 of them are fully available for use."

But that’s the general doc for the piv module. I like to know how to use certs in the retired slots. And how to use piv slots to implement a ca. I do only know the use case of generate a key on the pic, create a CSR and import the EE cert back to piv. And maybe generate an attestation cert in addition.

Ah ok so yubikey does not implement the limitation that these should only be used to decrypt but make all operations available.

Correct, and to my understanding they’re still compliant with the standard, as for retired slots this limitation does not strictly apply to be implemented. But that’s to be taken with a grain of salted, as from faded memories only.


Retired keys are a standard feature for PIV and the current implementation follows the standard, which specifies how to use retired keys as well as how to store and read retired certificates. On the other hand the standard does not specify how to generate a retired key, or how to move an existing key to a retired slot. In a way this makes sense, there is no reason create a key that is already retired when it’s generated. The only way to do so would be to support importing keys into retired slots, which is not a standard operation, and not (yet) supported by our implementation.

It appears that yubikeys enable generating retired keys with GENERATE ASYMMETRIC KEYPAIR, even though according to the standard that command is only available for the 4 asymmetric keys (and the secure messaging key, not supported by the Nitrokey 3).

We will be considering ways to make the retired slots actually useful.

1 Like

Thank you for the detailed response.

For actually using those slots as “retired” I can see why on-nitrokey generated keys need to be moved around.
Personally, however (and I think I’m not the minority here), I’m “only” interested in importing keys into respective slots, which should involve less effort than moving around on-hardware generated keys.

Is there any news / roadmap on this?