vSEC:CMS for YubiKey

vSEC:CMS will change your views on how to manage the lifecycle of Yubico YubiKeys. The vSEC:CMS S-Series for YubiKey is an innovative, easily integrated and cost-effective Smart Card Management System or Credential Management System (SCMS or CMS) that are helping organizations deploy YubiKeys.

versasec media
vSEC:CMS Connectors (see figure above)
  1. 1. Smart card printer for batch operations
  2. 2. User directory for looking up users
  3. 3. File and database servers
  4. 4. Secure transport of PIN codes
  5. 5. Event & log management
  6. 6. User photo capture
  7. 7. Certificate/PKI services
  8. 8. Physical access control systems
  1. 9. Hardware security module
  2. 10. Secondary/out-of-band communication
  3. 11. Key archival & key recovery
  4. 12. Credential provider -login screen interface
  5. 13. Remote security device management
  6. 14. User self-service application
  7. 15. YubiKey or Virtual/Physical Smart Card
  8. 16. Administrative operator console

The vSEC:CMS S-Series for YubiKey is fully functional with the YubiKey PIV and it streamlines all aspects of a management system by connecting to enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers etc. With vSEC:CMS S-Series for YubiKey organizations can issue YubiKeys to employees, personalize the YubiKey with authentication credentials and manage the lifecycle of the YubiKey - directly from the off-the-shelf product.

We Manage Our YubiKeys Manually - Why Change?

Managing YubiKeys manually results in additional work and increases the possibilities of security breaches. For example, the administration key of the YubiKey will need to be stored in a file that references the user to whom it is issued. This file could be used maliciously by someone to ascertain the key value; consequently, the YubiKey could easily be reset with a new PIN by acquiring knowledge of the administration key. A CMS removes threats like these and provides many other benefits, such as full lifecycle management, a connection to the Certificate Authority, secure PIN unblock procedures, User Self Service and more.

Why Do You Need A CMS?

A CMS is required, for the following reasons::

  • To centralize YubiKey personalization, management and revocation tasks into one system
  • To reduce costs
  • To simplify installation and usage workflows
  • To enhance Security

Manage the complete Lifecycle

Manage the complete Lifecycle of the YubiKey from one simple view. Management can be delegated and granular access levels can be set. The Life Cycle

This Is How Easy It Is!

We support many different use cases and the configuration options and feature set is vast. But it’s easy to get started. The most common use case is being able to issue a YubiKey with a Windows logon certificate to a user in a secure way. Follow our guides and this can be accomplished in minutes rather than days. Once you have the initial use case configured you can build from there adding User Self Service, Remote Operators and support for other secure devices including Virtual Smart Cards.

Use Case - Windows Logon

We will guide you through the initial setup all the way to you issuing and managing the lifecycle of your YubiKeys. Follow this guide on our Support Portal: Manage PIV Smart Card Tokens
Note: The PKI used in this example use case will be an MS CA. Other PKIs are also supported.

Unblock YubiKey User PIN

We offer a unique way to increase the security of unblocking the YubiKey User PIN. This is done by encapsulating the PUC (PIN Unblock Code) in a Challenge Response Workflow.

Key Archival and Key Recovery

It is possible for a YubiKey to generate a user key on the YubiKey, which is highly secure, but it is not possible for the key to be recovered if the user misplaces the YubiKey. As a result, for encryption of certificates and keys, YubiKeys are used to store only certificates and keys generated by vSEC:CMS S-Series, so the keys can be stored securely in the vSEC:CMS S-Series database secured by the Master Key and are recoverable if needed.

Webinar and Instruction Videos

Webinar: Versasec vSEC:CMS + YubiKeys = A new PIV Smart Card Integration (7.13.16)

Reissue Certificate on YubiKey PIV Token
Central Issuance of YubiKey PIV Token
Offline PIN unblock of YubiKey PIV token
Online PIN unblock of Yubi PIV token
Issuance of Yubi PIV Token using vSEC:CMS Credential Provider
Batch Issue YubiKey Tokens Using vSEC:CMS

Free Trial - Download a Demo Today!

In this downloadable version, the hardware token that the system is normally preloaded on, is simulated by software. This way you get the same experience as using the hardware token directly on your Windows PC by just downloading and running a quick installer.


To enjoy the vSEC:CMS S-Series full feature set (including Self-Service, Virtual Smart Card, HSM support...), contact Versasec to setup a Webinar or check with your local Versasec reseller.


The vSEC:CMS S-Series for YubiKeys scales with your project. With the new load balancing capability, there is no upper limit!

versasec media

Product Sheet

Download the vSEC:CMS S-Series product sheet here.



More information about the complete vSEC:CMS product suite can be found here.


Update From 3rd Party SCMS

vSEC:CMS S-Series includes updgrade wizards that enables quick and simple upgrade paths from third party smart card management systems. Check out the details here on how to upgrade from Gemalto DAS / IDAdmin 100 and here on how to upgrade from Microsoft MIM/FIM CM.


The product can be purchased from authorized vSEC:CMS integrators and resellers, via our partners reseller network or contact Versasec directly to let us help you find the best way forward.


The vSEC:CMS video content can be found here.