Using PIVKey on Mac OSX

Built in support on Mac OSX

Starting with Mac OSX Sierra, Apple has provided native support for PIV-compatible cards through a native PIV plugin for CryptoTokenKit. This plugin allows you to "pair" a PIVKey smart card or USB token with a user account. OSX then lets you log on to the Mac using the smart card and PIN.

Starting with High Sierra, CryptoTokenKit also makes the certificates and keys available in the user Keychain for applications that can use the Mac Keychain for encryption or authentication, such as browsers or VPN software.

Note: OSX will not support pairing with the Certificate for Card Authentication (9E). You should use the Certificate for Authentication (9A) instead.

How to pair your PIVKey with your Mac OSX user account for user logon:

Insert your PIVKey. The SmartCard Pairing request will appear.

Enter your user password.

Enter your Smart Card PIN.

When prompted, authenticate to your Keychain.

Note: If the pairing request does not appear, it may be disabled. You can enable it in the Terminal using the following command:

sc_auth pairing_ui -s enable

3rd party Smart Card middleware on the Mac

If you need additional support for PIVKey, such as PKCS11 support, you will need a smart card middleware package. There are several commercial middleware packages for PIV on Mac. In addition, there is an open source package called OpenSC that supports PIV-compatible cards. OpenSC provides some tools and, most importantly, a PKCS11 library that allows PIV cards to be used by applications like Firefox and SSH.

There is an installer for OpenSC on Mac available here:
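With OpenSC installed, its pkcs11-tool can confirm that the token carries a Certificate for Authentication (9A) before you attempt pairing, since a token with only the 9E certificate will not pair. The script below is an added example, not code from PIVKey or OpenSC; the module paths, the certificate labels OpenSC assigns, and the sample listing are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not PIVKey or OpenSC code. Assumption: usual install
# locations of the OpenSC PKCS#11 module; override via OPENSC_CANDIDATES.
OPENSC_CANDIDATES="${OPENSC_CANDIDATES:-/Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so}"

# Print the first candidate module path that exists; return 1 if none does.
find_opensc_module() {
    for m in $OPENSC_CANDIDATES; do
        if [ -f "$m" ]; then printf '%s\n' "$m"; return 0; fi
    done
    return 1
}

# Read a pkcs11-tool certificate listing on stdin; print one label per line.
cert_labels() {
    awk '/^[ \t]*label:/ { sub(/^[ \t]*label:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print }'
}

# Succeed only if the listing on stdin contains the 9A certificate.
# Assumption: OpenSC labels it "Certificate for PIV Authentication" and
# labels the 9E certificate "Certificate for Card Authentication".
has_piv_auth_cert() {
    cert_labels | grep -qx 'Certificate for PIV Authentication'
}

# Constructed sample listing (layout modelled on pkcs11-tool output and
# may differ between OpenSC versions).
sample_listing() {
cat <<'EOF'
Certificate Object; type = X509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: CN=Example User
  ID:         01
Certificate Object; type = X509 cert
  label:      Certificate for Card Authentication
  subject:    DN: CN=Example User
  ID:         04
EOF
}

# On a Mac with OpenSC installed and the PIVKey inserted.
check_token() {
    module=$(find_opensc_module) || { echo "OpenSC module not found" >&2; return 2; }
    pkcs11-tool --module "$module" --list-objects --type cert | has_piv_auth_cert
}
```

Run `check_token` with the PIVKey inserted; exit status 0 means a 9A certificate was listed, and status 2 means the OpenSC module was not found at any candidate path.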

