65 changes: 25 additions & 40 deletions docs/users-manual/application-piv/cert-size.md
Expand Up @@ -18,55 +18,40 @@ limitations under the License. -->

# Maximum certificate sizes

It is possible to store up to 24 private key/certificate pairs in the PIV slots. However,
there are space limitations.
It is possible to store up to 24 private key/certificate pairs in the PIV slots for YubiKeys with firmware version 4.x and higher. However, there are limits to the size of each certificate and the total space available for all certificates. Once the total certificate storage space has been filled, you cannot load additional certificates onto the YubiKey.

In the real world, certificates are generally less than 1,000 bytes. Some large certs are
over 1,000 bytes, but rarely over 2,000. It is unlikely that you will run into limitations
on the YubiKey.
Keys, however, are stored in a separate, fixed memory layout. It is always possible to store 24 *keys* in a YubiKey's PIV application, as they are not subject to the certificate storage limits.

Nonetheless, these are the space limitations for certs in the PIV application on the
YubiKey.
> [!NOTE]
> In practice, the size of a key/certificate pair is determined by the choice of algorithm and key length (e.g. RSA 1024 vs RSA 4096), certificate complexity (e.g. use of OIDs, size attributes), the presence of PIV attestation objects, etc.

## Maximum size for a single certificate

| YubiKey Version | Maximum Size in Bytes |
|:---------------------:|:---------------------:|
| before 4.0 (e.g. NEO) | 2025 |
| 4.x | 3052 |
| 4.x FIPS | 3052 |
| 5.x | 3052 |
| 5.x FIPS | 3052 |
If you attempt to load a certificate that is larger than the YubiKey's maximum allowable certificate size (as indicated in the table below), the YubiKey will reject it, and the SDK will throw an exception.

## Total space available for certificates

Although a YubiKey 5.x will allow a 3052-byte cert in one of the slots, it will not be
able to store 24 certs that big.
| YubiKey Model (and Firmware Version)| Maximum Size in Bytes |
|:-----------------------------------:|:---------------------:|
| YubiKey NEO (prior to 4.x) | 2025 |
| YubiKey 4 Series (4.x) | 3052 |
| YubiKey 4 FIPS Series (4.x) | 3052 |
| YubiKey 5 Series (5.x) | 3052 |
| YubiKey 5 FIPS Series (5.x) | 3052 |

A NEO (pre-4.0), only has four slots, and will be able to hold four certs of the maximum
length.
> [!NOTE]
> The maximum allowable certificate size is determined by the YubiKey's APDU buffer size. For YubiKeys with firmware version 4.x and above, the buffer size is 3072. Certificates stored according to the PIV standard will have approximately 20 bytes of header data, including tag and length values, leaving 3052 bytes for the certificate itself.

| YubiKey Version | Maximum Total Cert<br/>Space Available | Number of Certs<br/>at Size | Number of Certs<br/>at Maximum Size |
|:---------------------:|:--------------------------------------:|:---------------------------:|:-----------------------------------:|
| before 4.0 (e.g. NEO) | 8100 | 4 certs at 2025 bytes | 4 certs at 2025 bytes |
| 4.x | about 49,800 | 24 certs at 2075 bytes | 16 certs at 3052 bytes |
| 4.x FIPS | about 49,800 | 24 certs at 2075 bytes | 16 certs at 3052 bytes |
| 5.x | about 50,000 | 24 certs at 2084 bytes | 16 certs at 3052 bytes |
| 5.x FIPS | about 49,890 | 24 certs at 2079 bytes | 16 certs at 3052 bytes |

Note that that total amount of storage on a YubiKey (for certs, for PUT DATA objects,
etc.) is about 51,000 bytes. Hence, if a YubiKey is loaded with 49,000 bytes of certs,
then there will be very little space left for anything else.
## Total space available for certificates

## Summary
Although YubiKeys with firmware version 4.x and higher will allow 3052-byte certificates, they will not be able to store 24 certificates of that size due to the YubiKey's total certificate space limit. Even if a YubiKey has empty certificate slots available, you cannot fill them once the maximum certificate space has been reached.

On a 5.x YubiKey, it is possible to store a 3,052-byte cert in a slot. If a cert is
bigger than 3,052 bytes, the YubiKey will reject it and the SDK will throw an exception.
However, a YubiKey NEO, which only has four slots, will be able to hold four certificates of the maximum length.

It is certainly possible to store several 3,052-byte certs on a 5.x YubiKey, but once the
total size limit is reached, the YubiKey won't be able to store any more, even if some of
the slots are empty.
| YubiKey Model<br/>(and Firmware Version) | Maximum Total Certificate<br/>Space Available | Maximum Average<br/>Certificate Size | Number of Certificates<br/>at Maximum Size |
|:----------------------------------------:|:---------------------------------------------:|:------------------------------------:|:------------------------------------------:|
| YubiKey NEO (prior to 4.x) | 8100 | 4 certs at 2025 bytes | 4 certs at 2025 bytes |
| YubiKey 4 Series (4.x) | about 49,800 | 24 certs at 2075 bytes | 16 certs at 3052 bytes |
| YubiKey 4 FIPS Series (4.x) | about 49,800 | 24 certs at 2075 bytes | 16 certs at 3052 bytes |
| YubiKey 5 Series (5.x) | about 50,000 | 24 certs at 2084 bytes | 16 certs at 3052 bytes |
| YubiKey 5 FIPS Series (5.x) | about 49,890 | 24 certs at 2079 bytes | 16 certs at 3052 bytes |

However, because a real world application will probably not use certs bigger than 2,000
bytes, it is not likely it will ever run into a total space limitation and will be able
to store up to 24 certs.
Note that the total amount of NVM (non-volatile memory) in a YubiKey's PIV application, which stores certificates (including the attestation certificate) *plus* [PIV data objects](xref:UsersManualPivObjects), is 51,200 bytes. Therefore, if a YubiKey is loaded with a lot of certificate data (for example, 49,000 bytes' worth), there will be very little space left for anything else.
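Review bot: The added sentence "It is always possible to store 24 *keys* in a YubiKey's PIV application, as they are not subject to the certificate storage limits." contradicts the rest of the hunk: the opening paragraph limits the 24 slots to "YubiKeys with firmware version 4.x and higher", and the later paragraph states that a YubiKey NEO "only has four slots". Suggest qualifying it in the same way, e.g. "On YubiKeys with firmware version 4.x and higher it is always possible to store 24 keys ..." so the three statements agree. Separately, in the total-space table the column headed "Maximum Average Certificate Size" holds entries such as "24 certs at 2075 bytes", a count plus a size rather than a size; either rename the column to match (for example "Certificates at Maximum Average Size") or keep only the byte value in those cells so the header describes the contents.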