Yubikey: Manual pair a PIV Yubikey with OSX

Every now and then things does not work as intended. For example: when putting a new Yubikey that has certificates, PIN and PUK installed into a slot on your Mac, a pairing dialog should appear. This does not always happen and in this case we need to do a “manual pairing”.
I will here explain how:

1. Insert the Yubikey into the Mac
2. Open a terminal
3. Run the sc_auth command below

sc_auth identities

This will output something like this:

SmartCard: com.apple.pivtoken:2B20E9654D142033695ADEC481CFD11EBA45EC00
Unpaired identities:
C28BE4EC86FAAC4B5EFE825947240B2CE03BA4F2       Certificate For PIV Authentication (<username>)

4. Now run the following comman to start the pairing process

sudo sc_auth pair -f -u<username> -hC28BE4EC86FAAC4B5EFE825947240B2CE03BA4F2

<username> – is the username of the identity that you want to pair with your Yubikey
“C28BE4EC86FAAC4B5EFE825947240B2CE03BA4F2” – is the Yubikey hash for the identity above (the CN of the authentication certificate)

The process will now begin with asking for the Yubikey PIN

5. If all goes well you should now see a message “Pairing Successful”

You are now ready to use your Yubikey on your Mac

Tested on OSX Catalina 10.15.4 and Yubikey firmware 4.4.5

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" cssfile="">

This site uses Akismet to reduce spam. Learn how your comment data is processed.