Crayonic PIV Manager

Overview

Crayonic PIV Manager is a Windows desktop tool for IT administrators to provision X.509 certificates into Crayonic wallets — the Crayonic Badge and Crayonic KeyVault. It uses the NIST-standard PIV protocol so the certificates can be used natively by Windows, Linux and macOS for PKI-based authentication, digital signing, email signing and VPN/TLS client authentication.

Use PIV Manager when your Certificate Authority is Microsoft Certificate Services (AD CS) or any CA accessible through a SCEP or similar enrolment endpoint, and you want to push X.509 certificates onto user hardware at provisioning time.

When to Use PIV Manager vs. CCM

| Scenario | Use |
|---|---|
| Bulk onboarding of new users with X.509 certificates | PIV Manager |
| User self-service certificate (re)issuance over FIDO | Crayonic Credential Manager |
| Mixed passkey + PIV provisioning from a single admin UI | Crayonic Credential Manager |
| Simple one-off certificate installation on a single KeyVault | PIV Manager |

Supported Credential Slots

  • Authentication — 9A (PIV Authentication)
  • Digital Signature — 9C (Signing)
  • Key Management — 9D (Encryption / Key Management)

System Requirements

  • Windows 10 or later
  • Administrator privileges for install
  • Network access to your Certificate Authority enrolment endpoint
  • A Crayonic Badge or KeyVault connected via USB

Installation

  1. Download the latest Windows build from the Downloads page.
  2. Extract the archive and run the installer. The app is portable — no system-wide install is required.
  3. Start the tool. On first run it will prompt for CA connection settings.

Usage

Provisioning a Certificate

  1. Connect the target Crayonic wallet via USB.
  2. In PIV Manager, select the device from the device list.
  3. Choose the credential slot to provision.
  4. Enter the certificate subject / user identifiers as required by your CA template.
  5. Submit — PIV Manager generates the key pair on-device, requests the certificate from the CA, and writes the issued certificate back into the selected PIV slot.
  6. Verify the result: the certificate is now available to Windows and any application that reads the standard Microsoft smart-card key store.
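
One way to script the check in step 6, as an added example (not part of PIV Manager or Crayonic's documentation). It lists certificates in the user's personal store and reports whether each has a linked private key, is inside its validity window, chains to a CA trusted on the machine, and carries a key usage that fits the provisioned slot. The -Slot and -SubjectLike parameters are hypothetical names, and the key usage expected per slot is an assumption based on common PIV certificate profiles.

```powershell
# Added example, not part of PIV Manager. Run as the user whose wallet was
# provisioned, with the wallet connected.
# Assumption: the key usage expected per slot follows common PIV certificate
# profiles; align the table below with your own CA templates.
param(
    [ValidateSet('9A', '9C', '9D')][string]$Slot = '9A',
    [string]$SubjectLike = '*'   # hypothetical filter, e.g. '*CN=jdoe*'
)

$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
# A certificate passes if it asserts at least one flag listed for its slot.
$expected = @{
    '9A' = [int]($KU::DigitalSignature)
    '9C' = [int]($KU::DigitalSignature)
    '9D' = [int]($KU::KeyEncipherment) -bor [int]($KU::KeyAgreement)
}

$now = Get-Date
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like $SubjectLike } |
    ForEach-Object {
        $cert = $_
        $kuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        $usage = 0
        $usageText = 'none'
        if ($kuExt) {
            $usage = [int]($kuExt.KeyUsages)
            $usageText = [string]$kuExt.KeyUsages
        }

        # Build the chain to confirm the issuing CA is trusted on this machine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            KeyUsage      = $usageText
            UsageFitsSlot = (($usage -band $expected[$Slot]) -ne 0)
            ChainOk       = $chainOk
            ChainErrors   = $chainErrors
        }
    } | Format-Table -AutoSize -Wrap
```

A row with UsageFitsSlot or ChainOk set to False usually points back to the CA template or to a missing issuing-CA certificate on the workstation rather than to the wallet.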

Replacing an Existing Certificate

Provisioning a new certificate into an occupied slot replaces the old one. Rotation is safe as long as the user still has valid credentials in at least one other slot; otherwise schedule the operation during a window when the user is not relying on the device.

Bulk Provisioning

For multi-user rollouts, run PIV Manager on a provisioning workstation and cycle through devices one at a time, or use Crayonic Credential Manager — its OBO (on-behalf-of) flow is built for this scale.

Troubleshooting

  • "Device not detected" — confirm the wallet is connected via USB and that the Crayonic Agent is either stopped or not holding an exclusive lock.
  • "CA rejected the CSR" — check the CA template, the requested key usage and the subject DN format expected by your CA.
  • "Write to slot failed" — the slot may be locked by a management key; confirm the management key in use matches the device's configured key.

Download

See the Downloads page for the latest Windows build.