YubiKey Setup Guide: PIV, Digital Signing & Certificates

A YubiKey can do far more than two-factor login — its PIV application turns it into a hardware signing token you can use with Adobe Acrobat, DocuSign, and Windows smart-card login. But out of the box it's not configured for signing, and the default PIN/PUK are publicly known.

This guide takes you from a fresh YubiKey to a fully configured signing device: installing the tools, setting up PIV, loading a certificate, signing in Adobe and DocuSign, and — critically — changing the default credentials so your key is actually secure.

Which YubiKey models support signing?

For digital signing and PIV you need a model with the PIV (smart card) application. The YubiKey 5 Series is the standard choice.

  • YubiKey 5 Series (5 NFC, 5C NFC, 5 Nano, 5C) — full PIV support, ideal for signing.
  • YubiKey 5 FIPS Series — same, with FIPS 140 validation for regulated environments.
  • Security Key Series (blue) — FIDO/U2F only, no PIV; these cannot be used for certificate signing.

Step 1: Install YubiKey Manager & the minidriver

Two pieces of software get you started: YubiKey Manager (yubico-authenticator / YubiKey Manager) to configure the key, and the YubiKey Smart Card Minidriver so Windows treats the PIV application as a smart card.

  • Install YubiKey Manager from Yubico's official site.
  • Install the YubiKey Smart Card Minidriver on Windows so the PIV app appears as a smart-card reader.
  • Confirm the Smart Card service (SCardSvr) is running.

Step 2: Configure the PIV application

Open YubiKey Manager → Applications → PIV. This is where you manage certificates, PINs, and keys for the smart-card side of the YubiKey.

Default credentials you must change

Every YubiKey ships with the same factory PIV defaults. Anyone who knows them could use a stolen key, so changing them is mandatory before you load any certificate.

Default PIN: 123456
Default PUK: 12345678
Default Management Key: 010203040506070801020304050607080102030405060708

Step 3: Load a certificate onto the YubiKey

You can either generate a key pair on the YubiKey and import a certificate issued for it, or import an existing certificate and private key (PKCS#12 / .pfx). Generating on-device is more secure because the private key never exists off the key.

  • In YubiKey Manager → PIV → Certificates, choose the Authentication (9a) or Digital Signature (9c) slot.
  • Generate a new key/CSR on the device, send the CSR to your CA, then import the issued certificate — or import an existing .pfx if your CA provided one.
  • Use slot 9c (Digital Signature) for document signing; slot 9a (PIV Authentication) for login.

Step 4: Change the default PIN and PUK (mandatory)

In YubiKey Manager → PIV → Configure PINs, set a new PIN, a new PUK, and a new Management Key. The PUK unlocks the key if you enter the PIN wrong too many times; if both lock, the PIV application must be reset and your certificates are lost. Store the PUK somewhere safe.
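The same provisioning from a PowerShell prompt, as an added example that is not part of the original guide. It uses ykman, the command-line tool that ships with YubiKey Manager, and assumes ykman is on PATH with a single YubiKey inserted; the subject and file names are placeholders. It replaces the factory credentials first, in line with the rule above that the defaults must be changed before any certificate is loaded.

```powershell
# Added example, not from the original guide.
# Assumes ykman is on PATH and exactly one YubiKey is inserted.
$ErrorActionPreference = 'Stop'

function Assert-LastExit([string]$Step) {
    # Stop the run if the previous ykman call reported an error.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (ykman exit code $LASTEXITCODE)" }
}

$slot    = '9c'                    # Digital Signature slot, used for document signing
$subject = 'CN=Example Signer'     # placeholder, use the subject your CA expects
$pubKey  = Join-Path $PWD 'yubikey-9c-pub.pem'   # placeholder file names
$csr     = Join-Path $PWD 'yubikey-9c.csr'

# 1. Replace the factory credentials. Each command prompts for the current
#    and the new value, so no secret ends up in the shell history.
ykman piv access change-pin;  Assert-LastExit 'change-pin'
ykman piv access change-puk;  Assert-LastExit 'change-puk'
# Random management key, stored on the YubiKey and unlocked with the PIN.
ykman piv access change-management-key --generate --protect
Assert-LastExit 'change-management-key'

# 2. Generate the key pair on the device. Only the public key is written
#    to disk; the private key never leaves the YubiKey.
ykman piv keys generate --algorithm RSA2048 $slot $pubKey
Assert-LastExit 'keys generate'

# 3. Build a CSR signed by the on-device key (ykman asks for the PIN).
ykman piv certificates request --subject $subject $slot $pubKey $csr
Assert-LastExit 'certificates request'

Write-Host "Send $csr to your CA, then import the issued certificate with:"
Write-Host "  ykman piv certificates import $slot <issued-certificate.pem>"

# 4. Review what is now in the PIV slots.
ykman piv info; Assert-LastExit 'piv info'
```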

Step 5: Sign with Adobe Acrobat

Once the certificate is in slot 9c and the minidriver is installed, Adobe Acrobat sees the YubiKey as a Windows digital ID.

  • Open Acrobat → Tools → Certificates → Digitally Sign, then draw the signature box.
  • Select the certificate stored on the YubiKey (it appears as a Windows certificate).
  • Enter your YubiKey PIN when prompted to apply the signature.
  • If the certificate doesn't appear, confirm the minidriver is installed and restart Acrobat.

Step 6: Sign with DocuSign

DocuSign can use a local certificate from a YubiKey for certificate-based signing flows. The YubiKey must present its certificate through the Windows store, and DocuSign's signing applet picks it up.

  • Ensure the YubiKey certificate appears in certmgr.msc → Personal.
  • In a DocuSign certificate-signing flow, choose Sign with your own certificate / smart card.
  • Select the YubiKey certificate and enter the PIN.

Step 7: Windows login with PIV (optional)

If your organization supports smart-card logon, the YubiKey's PIV Authentication certificate (slot 9a) can be used to sign in to Windows. This requires an enterprise certificate from a domain CA configured for smart-card logon — it won't work with a self-signed or unrelated certificate.

Common errors and fixes

Error | Cause | Fix
YubiKey not recognised | Minidriver missing / SCardSvr stopped | Install minidriver; start Smart Card service
No certificates on device | No cert loaded in PIV slot | Load a certificate into slot 9a/9c
PIN blocked | Too many wrong PIN attempts | Unblock with PUK in YubiKey Manager
Both PIN & PUK locked | Repeated failures | Reset PIV app (erases certificates)
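A read-only PowerShell check that walks the rows of this table, as an added example that is not part of the original guide. It assumes ykman is on PATH for the last step; the earlier steps use only built-in Windows cmdlets and never ask for the PIN.

```powershell
# Added example, not from the original guide. Nothing here changes the key.
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$signing = $flags::DigitalSignature -bor $flags::NonRepudiation

# Row 1: "YubiKey not recognised" -> the Smart Card service must be running.
$svc = Get-Service -Name SCardSvr
if ($svc.Status -ne 'Running') {
    Write-Warning "SCardSvr is $($svc.Status). Start it from an elevated prompt: Start-Service SCardSvr"
}

# Row 2: "No certificates on device" -> the certificate must show up in the
# Personal store (the same view as certmgr.msc -> Personal) with a key attached.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
if (-not $certs) {
    Write-Warning 'No certificate with a private key in Personal. Check the minidriver and the PIV slot.'
}

$certs | ForEach-Object {
    # A certificate without a Key Usage extension is not restricted by it.
    $ku = $_.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        Thumbprint = $_.Thumbprint
        Expired    = $_.NotAfter -lt (Get-Date)
        KeyUsages  = if ($ku) { $ku.KeyUsages } else { 'not restricted' }
        CanSign    = (-not $ku) -or (($ku.KeyUsages -band $signing) -ne 0)
    }
} | Format-List

# Rows 3 and 4: "PIN blocked" / "Both PIN & PUK locked" -> ykman reports the
# remaining PIN tries and what each PIV slot holds.
ykman piv info
```

A certificate that is listed but shows Expired as True or CanSign as False will appear in the store yet be refused by the signing application.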

Frequently asked questions

Can a YubiKey replace a SafeNet eToken?

For many signing workflows, yes. A YubiKey 5 Series with the PIV application acts as a hardware smart card and works with Adobe Acrobat, DocuSign, and Windows login. The main caveat is your certificate authority must allow the certificate to be loaded onto a YubiKey — some CAs only issue to their own branded tokens.

Do I have to change the default PIN and PUK?

Yes — it's mandatory for security. Every YubiKey ships with the same factory PIN (123456), PUK (12345678), and management key. Until you change them, anyone who knows the defaults could misuse a lost or stolen key. Change all three before loading any certificate.

Why doesn't Adobe or DocuSign see my YubiKey certificate?

The two usual causes are a missing YubiKey Smart Card Minidriver (so Windows never exposes the PIV app as a smart card) or no certificate loaded in the PIV slot. Install the minidriver, confirm a certificate exists in slot 9c, restart the application, and re-check certmgr.msc.

What happens if I lock both the PIN and PUK?

The PIV application must be reset, which permanently erases the certificates and keys stored in it. You'll then need to reload or reissue your certificate. This is why you should record your PUK somewhere safe when you set it.

Independent consulting engagement — not affiliated with DocuSign, Adobe, Microsoft, or any certificate authority.