vSEC:CMS for YubiKey

vSEC:CMS will change your views on how to manage the lifecycle of Yubico YubiKeys. The vSEC:CMS for YubiKey is an innovative, easily integrated and cost-effective Smart Card Management System or Credential Management System (SCMS or CMS) that are helping organizations deploy YubiKeys.

Versasec has a chat service that is generally available during business hours (Asian, European and American). We are looking forward to hearing from you. To start the chat, click the button below.

vSEC:CMS Connectors (see figure above)

1. Smart card printer for batch operations
2. User directory for looking up users
3. File and database servers
4. Secure transport of PIN codes
5. Event & log management
6. User photo capture
7. Certificate/PKI services
8. Physical access control systems
9. Hardware security module
10. Secondary/out-of-band communication
11. Key archival & key recovery
12. Credential provider -login screen interface
13. Remote security device management
14. Physical & virtual smart cards/tokens
15. User self-service application
16. Administrative operator console

vSEC:CMS for YubiKey is fully functional with the YubiKey PIV and it streamlines all aspects of a management system by connecting to enterprise directories, certificate authorities, physical access control systems, email servers, log servers, biometric fingerprint readers, PIN mailers etc. With vSEC:CMS for YubiKey organizations can issue YubiKeys to employees, personalize the YubiKey with authentication credentials and manage the lifecycle of the YubiKey – directly from the off-the-shelf product.

We Manage Our YubiKeys Manually – Why Change?

Managing YubiKeys manually results in additional work and increases the possibilities of security breaches. For example, the administration key of the YubiKey will need to be stored in a file that references the user to whom it is issued. This file could be used maliciously by someone to ascertain the key value; consequently, the YubiKey could easily be reset with a new PIN by acquiring knowledge of the administration key. A CMS removes threats like these and provides many other benefits, such as full lifecycle management, a connection to the Certificate Authority, secure PIN unblock procedures, User Self Service and more.

Why Do You Need A CMS?

A CMS is required, for the following reasons::

  • To centralize YubiKey personalization, management and revocation tasks into one system
  • To reduce costs
  • To simplify installation and usage workflows
  • To enhance Security

Manage the complete Lifecycle

Manage the complete Lifecycle of the YubiKey from one simple view. Management can be delegated and granular access levels can be set. The Life Cycle

This Is How Easy It Is!

We support many different use cases and the configuration options and feature set is vast. But it’s easy to get started. The most common use case is being able to issue a YubiKey with a Windows logon certificate to a user in a secure way. Follow our guides and this can be accomplished in minutes rather than days. Once you have the initial use case configured you can build from there adding User Self Service, Remote Operators and support for other secure devices including Virtual Smart Cards.

Use Case – Windows Logon

We will guide you through the initial setup all the way to you issuing and managing the lifecycle of your YubiKeys. Follow this guide on our Support Portal: Manage PIV Smart Card Tokens
Note: The PKI used in this example use case will be an MS CA. Other PKIs are also supported.

Unblock YubiKey User PIN

We offer a unique way to increase the security of unblocking the YubiKey User PIN. This is done by encapsulating the PUC (PIN Unblock Code) in a Challenge Response Workflow.

Key Archival and Key Recovery

It is possible for a YubiKey to generate a user key on the YubiKey, which is highly secure, but it is not possible for the key to be recovered if the user misplaces the YubiKey. As a result, for encryption of certificates and keys, YubiKeys are used to store only certificates and keys generated by vSEC:CMS, so the keys can be stored securely in the vSEC:CMS database secured by the Master Key and are recoverable if needed.

Webinar and Instruction Videos

Webinar: Versasec vSEC:CMS + YubiKeys = A new PIV Smart Card Integration (7.13.16)

Reissue Certificate on YubiKey PIV Token
Central Issuance of YubiKey PIV Token
Offline PIN unblock of YubiKey PIV token
Online PIN unblock of Yubi PIV token
Issuance of Yubi PIV Token using vSEC:CMS Credential Provider
Batch Issue YubiKey Tokens Using vSEC:CMS

Product News

vSEC:CMS Version 6.8 is now available. The new version incorporates a variety of enhancements, updates and automated tasks, including the following:

  • Adding Thales SafeNet Trusted Access (STA) as a supported identity provider. Enabling customers to efficiently manage their users’ FIDO credentials in STA identity platform as an integrated part of their credential orchestration. 
  • Looking to deploy FIDO with no need for certificates? Now you can get full enterprise management of lower cost with our added support for management of FIDO only credentials.
  • Introducing our first supported FIDO-only (no PKI) credential: Thales SafeNet eToken FIDO.
  • Manage phishing-resistant FIDO2 & PKI Thales SafeNet eToken Fusion CC authenticators.
  • Introducing credentials supported by Giesecke+Devrient, StarSign series. 
  • Say hello to our REST API – Adding to our existing line of APIs to bring more options for integrating and automating your credentials lifecycle.
  • Simplifying identity enterprise management for our customers in Europe and the Middle East, adding certificate authority integration: EverTrust Horizon.
  • Added tools to ease the task of getting prepared for the full enforcement of Microsoft KB5014754. We offer both a method for user self-service certificate renewal and an export for strong certificate mapping.
  • Thales and Versasec collaborated on bringing IDPV virtual smart card orchestration. We introduced RFID user identification for loading each users IDPV virtual smart card. Workplaces with shared workstations will greatly benefit from “Tap, PIN, Go” user experience and increased security through PKI authentication!

Evaluation – Download Today!

Register and download vSEC:CMS directly from versasec.com here.

Once downloaded and installed vSEC:CMS is ready for use in Evaluation Mode. During the evaluation, you can configure your environment with up to 5 licenses and your own use cases. Each license manages one credential. Additional licenses can be acquired as a subscription or by perpetual license. Please contact a Versasec reseller or Versasec directly to proceed.


The vSEC:CMS scales with your project. With the new load balancing capability, there is no upper limit!


Product Sheet

Download the vSEC:CMS product sheet here.



More information about the complete vSEC:CMS product suite can be found here.


Migrate to vSEC:CMS

vSEC:CMS includes upgrade wizards that enables quick and simple upgrade paths from third party credential management systems.

Versasec is an IAM provider that helps businesses manage their access-enabling devices.

Check out the details on how to upgrade from:


The product can be purchased from authorized vSEC:CMS integrators and resellers, via our partners reseller network or contact Versasec directly to let us help you find the best way forward.


The vSEC:CMS video content can be found here.



Supported* Credentials


Aventra MyEID 4.5

Avtor CryptoCard 337

Atos CardOS v4.4

Atos CardOS v5.3

Cryptovision SCinterface

Feitian ePass FIDO-NFC K9Plus/K40Plus

Feitian eJava Token

Feitian SmartCard

Feitian ePass2003

Feitian ePass2003 PKI eJava Token

Feitian ePass2003 PKI SmartCard

Feitian Fingerprint_Smart_Card_F2000

Feitian iePass_FIDO_PIV_K44

Giesecke+Devrient StarSign® Crypto USB Token M

Giesecke+Devrient StarSign® Key Fob

Giesecke+Devrient StarSign® PKI Card

Giesecke+Devrient StarSign® wristband

HID Global Crescendo 144K

HID Global Crescendo C200

HID Global Crescendo C2300

HID Global Crescendo C1150

Identiv uTrust MD

Idemia ypsID S2

Idemia ypsID S3

Idemia ID-One Cosmo 8.1 IAS ECC

Idemia ID-One PIV 8.1


Longmai mToken CryptoID

Microsoft minidriver enabled devices

Microsoft Windows Hello for Business

Open FIPS 201 Applet

SafeTrust-PIV on Placard

Swissbit iShield Key

Taglio C2

Taglio PIVKey

TCOS TeleSec IDKey

Thales IDPrime .NET 510

Thales IDPrime .NET 5500

Thales IDPrime MD 830

Thales IDPrime MD 840

Thales IDPrime MD 930

Thales IDPrime MD 940

Thales IDPrime MD 3810

Thales IDPrime MD 3840

Thales IDPrime MD 3930

Thales IDPrime MD 3940

Thales IDPrime MD 3940 FIDO

Thales IDPrime PIV 2.1

Thales IDPrime PIV 3.0

Thales IDPrime Virtual

Thales MultiApp ID

Thales Safenet eToken 5100/5110 FIPS/5110+FIPS

Thales Safenet eToken 5300

Thales SafeNet eToken FIDO

Thales SafeNet eToken Fusion CC

Virtual Smart Cards

Yubico YubiKey 5 NFC/5C/5 Nano/5C Nano

Yubico YubiKey 4/4 Nano/4C/4C Nano

Yubico YubiKey NEO/NEO-n

* The supported credential table does not validate support of all possible credential features and integrations made within Versasec applications. Please contact Versasc or our partners for validation of your specific needs.

Product Features

The table below highlights the key features in the Versasec credential management product suites.




User-Side Credential Operations

Agent-Side Credential Operations

  • Admin Key Change
  • Online Unblock User PIN
  • Offline Unblock User PIN (Operator Side)
  • User PIN Policy Update
  • Certificate Management (pfx or p12 Import, Delete)

Advanced Credential Operations

  • Admin Key Diversification
    from Hardware Protected Masterkey
  • User Fingerprint Policy Update
  • Batch Mode Support


  • Credential Repository
  • SQL-based Databases
  • Backup / Restore
  • Multi-forest & Multi-domain

Credential Management System Features




Product Features

Advanced Management Features

  • User Self-service and MS Credential Provider
  • Key Archive and Key Restore
  • Smart Card Stock Management
  • Granular Operator Permissions and Access Control
  • Card Printing and Batch Processing
  • Photo Capturing
  • Remote Security Device Management (RSDM)
  • Certificate Management using ACME
  • FIDO2 Management

Systems Integrations

  • Certification Authorities (MS CA, Entrust, DigiCert, EJBCA, GlobalSign...)
  • User Directories (LDAP, MS AD, Azure AD)
  • Physical Access System (RFID)
  • Identity Providers (IdP) using OIDC and LDAP
  • Windows Event Log
  • Mail Server (for PIN mailing)
  • Hardware Security Module (HSM)


  • SQL Database Interface
  • SOAP Helpdesk API
  • SOAP Lifecycle API
  • REST Lifecycle API
  • Web Start API
  • Plugin API
  • Physical Access System (PACS) API




Managed by Versasec



Perpetual Licenses


Installation Package


✔ – The credential is supported by the product.
L – Known limitations – check release notes.
For details about validated middleware/minidrivers check the Versasec support portal or contact us.


Our product suite provides all the software tools to administrate and manage credentials in a secure and convenient way.

Start here

Free Product Trial

Versasec provides enabling IT security products centered on the usage of security devices such as smart cards. Our solutions enable customers to securely authenticate, issue and manage user credentials more cost effectively. Get a free product trial.

Job Openings

We are always looking for new exceptional persons to join our team! Find out more about our job openings.

New to credential management?

SCMS = Smart Card Management Systems
CMS = Credential Management System
Have a look at the Wikipedia definition of a ‘Smart Card Management System’.

Versasec Support

Versasec customers with an existing support and maintenance contract can access the Versasec Support Portal, offering extensive professional support and maintenance services. The Versasec Support Portal offers a variety of services, allowing for customers and any site visitor to communicate directly with support engineers.

Contact Support

Company Blog

Our blog addresses the latest security trends and stories. The posts discuss how identity and access management are playing a larger role in keeping corporate data safe as well as brand reputations intact.

Visit our Blog