YubiKey Setup Tutorial for macOS

How to setup multiple Yubikey as smartcard login for macOS

1. Generate 2 certificates for 9A and 9D slot in YubiKey PIV. Here is the command to generate the certificate:
   

   openssl ecparam -name secp256r1 -genkey -out ec_key.pem  
   openssl req -new -x509 -key ec_key.pem -sha256 -nodes -out ec_crt.crt -days 10950  
   openssl pkcs12 -export -out enc.p12 -inkey ec_key.pem -in ec_crt.crt  
   

2. Import the p12 files to both of your YubiKeys by using YubiKey Manager App. DO NOT click setup for macos button in your YubiKey Manager because it will replace your keys.

3. Unplug & Replug your YubiKeys, and when this notification appear click pair & enter your login password & YubiKeys PIV PIN.
   
   

How to add smartcard only authentication in Mac

1. Create new .mobileconfig profile with this content (i.e. smartcard-only-login.mobileconfig):
   

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"\>
   <plist version="1.0">
   <dict>
   <key>PayloadContent</key>
   <array>
   <dict>
   <key>PayloadDescription</key>
   <string>Configures smart card-only</string>
   <key>PayloadDisplayName</key>
   <string>Smart card-only</string>
   <key>PayloadIdentifier</key>
   <string>com.apple.configprofile.78.</string>
   <key>PayloadOrganization</key>
   <string>Apple</string>
   <key>PayloadType</key>
   <string>com.apple.security.smartcard</string>
   <key>PayloadUUID</key>
   <string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
   <key>UserPairing</key>
   <false/>
   <key>allowSmartCard</key>
   <true/>
   <key>checkCertificateTrust</key>
   <false/>
   <key>enforceSmartCard</key>
   <true/>
   </dict>
   </array>
   <key>PayloadDescription</key>
   <string>Smartcard profile.</string>
   <key>PayloadDisplayName</key>
   <string>Smart card-only</string>
   <key>PayloadIdentifier</key>
   <string>com.apple.configprofile.77</string>
   <key>PayloadOrganization</key>
   <string></string>
   <key>PayloadRemovalDisallowed</key>
   <false/>
   <key>PayloadType</key>
   <string>Configuration</string>
   <key>PayloadScope</key>
   <string>system</string>
   <key>PayloadUUID</key>
   <string>7D34CC86-C707-44D2-9A9F-C5F6E347BD77</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
   </dict>
   </plist>  
   

2. Install by double click the created file.

3. Activate the profile by go to Settings - Generate - Device Management.

How to unpair YubiKey.

1. Make sure you have not set your Mac does not install smartcard only authentication profile.

2. Use this command unpair based of user:
   

   sc_auth unpair -u $USER  
   

Reference:

• https://support.apple.com/en-us/101438
• https://www.reddit.com/r/yubikey/comments/17rd7i0/comment/k8ifbjl