Mac-native PIV operations

Hardware-backed identity for Mac-first teams.

KeyOps is a macOS utility for issuing, verifying, pairing, managing, and revoking PIV credentials. It supports generic PIV smart cards and YubiKeys in PIV mode, with Demo / Local Lab CA, Secure Enclave issuing, and external CA workflows for teams that need stronger authentication without a heavyweight CMS.


Built between low-level tools and enterprise CMS.

KeyOps focuses on real operational workflows: getting cards issued, checked, trusted, paired, and retired on Macs without making every team deploy a full smart-card management platform.

Mac-first

Designed as a serious macOS utility with native workflows for local setup, smart-card login readiness, configuration profiles, and support diagnostics.

PIV-focused

Centered on PIV slots, certificates, object reads, trust validation, revocation checks, private-key proof, management keys, and lifecycle operations.

YubiKey-aware

Supports YubiKeys in PIV mode so teams already using YubiKeys can issue, verify, pair, revoke, and audit practical certificate operations.

A console for the full credential workflow.

The app is organized around the jobs operators and Mac users actually perform: read, create, manage, verify, and keep evidence.

Dashboard

A home view for reader readiness, latest card activity, quick actions, statistics, and safe-enforcement state.

  • Latest card read and reader status
  • Safe-enforcement readiness checklist
  • Operational shortcuts for common tasks

Read

Inspect a card or YubiKey, read PIV objects, validate certificates, prove private-key presence, and export safe diagnostics.

  • 9A, 9C, 9D, and 9E certificate details
  • Trust anchor, chain, and revocation validation
  • Private-key proof and PIV Security Object integrity status

Create

Provision credentials with named 9B management-key configurations, selectable CA issuance, card writes, and post-write verification.

  • 9A key generation and certificate write
  • Printed Information and CHUID write-back
  • PIN-backed 9A private-key proof and object integrity

Manage

Handle lifecycle operations such as PIN and PUK changes, protected actions, key rotation, replacement, retirement, and revocation workflows.

  • PIN management with lockout warnings
  • PUK and management-key operations
  • Lifecycle controls for admin users

Settings

Configure trust anchors, CA sources, named 9B keys, revocation behavior, and defaults for card verification and creation.

  • Trust anchors live in Settings
  • Demo, Secure Enclave, and external CA options
  • Named 9B management-key configurations

Logs

Keep diagnostic and compliance evidence for card reads, writes, verification outcomes, inventory events, and lifecycle decisions.

  • Operation evidence and status summaries
  • Exportable diagnostics without secrets
  • Card inventory and audit history

Why PIV is worth the operational effort.

PIV gives teams a practical foundation for identity that is hardware-backed, certificate-based, and usable across many access paths.

Private keys stay on hardware

Authentication can be tied to a card or YubiKey, with private keys generated on-device and proven by challenge signing.

Certificates fit existing systems

PIV credentials can support macOS login, VPN, Wi-Fi, mTLS, SSH, signing, and privileged access workflows.

Lifecycle can be audited

Issued, verified, replaced, retired, and revoked credentials can become visible operational events instead of tribal knowledge.

Useful across physical and logical access.

The same cardholder credential can become a stronger identity signal across devices, networks, internal services, admin workflows, and site access.

Facilities

Physical and logical access

Coordinate door, lab, Mac, VPN, and internal app access around one hardware-backed identity lifecycle.

Mac login

Smart-card login

Pair PIV authentication certificates with macOS accounts, then gate smart-card-only enforcement on readiness checks.

Operations

Security operations

Track card inventory, readiness, certificate status, revocation, replacement, and audit evidence in one place.

Lifecycle

Certificate lifecycle

Issue, verify, pair, renew, revoke, and retire credentials with clear operational records.

Developers

Lab and developer identity

Use card-backed certificates for SSH, internal services, development labs, and privileged engineering access.

Signing

Document and email signing

Use hardware-backed certificates for approvals, signed documents, trusted email, and high-confidence business workflows.

Creator proof

Creator timestamping

Timestamp photos, illustrations, writing, designs, inventions, or other original work before publishing, creating stronger evidence of authorship and priority if creator rights are challenged later.

YubiKey teams

Bring your own YubiKey

Bring YubiKeys already deployed for MFA into certificate-backed Mac, network, and administrative workflows.

Admin Mode gives control. Client Mode gives confidence.

KeyOps is designed to make strong hardware-backed identity approachable for teams that need practical deployment, clear verification, and safer enforcement on macOS.
