diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index 8b7d8dba..c74631a1 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -246,23 +246,23 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 	/* Note: pkcs11 objects do not have CK_ID values */
 
 	static const objdata objects[] = {
-	{"1", "Card Capability Container", 
+	{"01", "Card Capability Container", 
 			"2.16.840.1.101.3.7.1.219.0", NULL, "DB00", 0},
-	{"2", "Card Holder Unique Identifier",
+	{"02", "Card Holder Unique Identifier",
 			"2.16.840.1.101.3.7.2.48.0", NULL, "3000", 0},
-	{"3", "Unsigned Card Holder Unique Identifier",
+	{"03", "Unsigned Card Holder Unique Identifier",
 			"2.16.840.1.101.3.7.2.48.2", NULL, "3010", 0},
-	{"4", "X.509 Certificate for PIV Authentication",
+	{"04", "X.509 Certificate for PIV Authentication",
 			"2.16.840.1.101.3.7.2.1.1", NULL, "0101", 0},
-	{"5", "Cardholder Fingerprints",
-			"2.16.840.1.101.3.7.2.96.16", "1", "6010", SC_PKCS15_CO_FLAG_PRIVATE},
-	{"6", "Printed Information",
-			"2.16.840.1.101.3.7.2.48.1", "1", "3001", SC_PKCS15_CO_FLAG_PRIVATE},
-	{"7", "Cardholder Facial Image", 
-			"2.16.840.1.101.3.7.2.96.48", "1", "6030", SC_PKCS15_CO_FLAG_PRIVATE},
-	{"8", "X.509 Certificate for Digital Signature",
+	{"05", "Cardholder Fingerprints",
+			"2.16.840.1.101.3.7.2.96.16", "01", "6010", SC_PKCS15_CO_FLAG_PRIVATE},
+	{"06", "Printed Information",
+			"2.16.840.1.101.3.7.2.48.1", "01", "3001", SC_PKCS15_CO_FLAG_PRIVATE},
+	{"07", "Cardholder Facial Image", 
+			"2.16.840.1.101.3.7.2.96.48", "01", "6030", SC_PKCS15_CO_FLAG_PRIVATE},
+	{"08", "X.509 Certificate for Digital Signature",
 			"2.16.840.1.101.3.7.2.1.0",  NULL, "0100", 0},
-	{"9", "X.509 Certificate for Key Management", 
+	{"09", "X.509 Certificate for Key Management", 
 			"2.16.840.1.101.3.7.2.1.2", NULL, "0102", 0},
 	{"10","X.509 Certificate for Card Authentication",
 			"2.16.840.1.101.3.7.2.5.0", NULL, "0500", 0},
@@ -328,15 +328,15 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 #define PIV_NUM_CERTS_AND_KEYS 24
 
 	static const cdata certs[PIV_NUM_CERTS_AND_KEYS] = {
-		{"1", "Certificate for PIV Authentication", 0, "0101cece", 0},
-		{"2", "Certificate for Digital Signature", 0, "0100cece", 0},
-		{"3", "Certificate for Key Management", 0, "0102cece", 0},
-		{"4", "Certificate for Card Authentication", 0, "0500cece", 0},
-		{"5", "Retired Certificate for Key Management 1", 0, "1001cece", 0},
-		{"6", "Retired Certificate for Key Management 2", 0, "1002cece", 0},
-		{"7", "Retired Certificate for Key Management 3", 0, "1003cece", 0},
-		{"8", "Retired Certificate for Key Management 4", 0, "1004cece", 0},
-		{"9", "Retired Certificate for Key Management 5", 0, "1005cece", 0},
+		{"01", "Certificate for PIV Authentication", 0, "0101cece", 0},
+		{"02", "Certificate for Digital Signature", 0, "0100cece", 0},
+		{"03", "Certificate for Key Management", 0, "0102cece", 0},
+		{"04", "Certificate for Card Authentication", 0, "0500cece", 0},
+		{"05", "Retired Certificate for Key Management 1", 0, "1001cece", 0},
+		{"06", "Retired Certificate for Key Management 2", 0, "1002cece", 0},
+		{"07", "Retired Certificate for Key Management 3", 0, "1003cece", 0},
+		{"08", "Retired Certificate for Key Management 4", 0, "1004cece", 0},
+		{"09", "Retired Certificate for Key Management 5", 0, "1005cece", 0},
 		{"10", "Retired Certificate for Key Management 6", 0, "1006cece", 0},
 		{"11", "Retired Certificate for Key Management 7", 0, "1007cece", 0},
 		{"12", "Retired Certificate for Key Management 8", 0, "1008cece", 0},
@@ -355,7 +355,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 	};
 
 	static const pindata pins[] = {
-		{ "1", "PIV Card Holder pin", "", 0x80,
+		{ "01", "PIV Card Holder pin", "", 0x80,
 		  /* label, flag  and ref will change if using global pin */
 		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
 		  8, 4, 8, 
@@ -364,7 +364,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 		  SC_PKCS15_PIN_FLAG_LOCAL, 
 		  -1, 0xFF,
 		  SC_PKCS15_CO_FLAG_PRIVATE },
-		{ "2", "PIV PUK", "", 0x81, 
+		{ "02", "PIV PUK", "", 0x81, 
 		  SC_PKCS15_PIN_TYPE_ASCII_NUMERIC,
 		  8, 4, 8, 
 		  SC_PKCS15_PIN_FLAG_NEEDS_PADDING |
@@ -386,14 +386,14 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 	 */
 	static const pubdata pubkeys[PIV_NUM_CERTS_AND_KEYS] = {
 
-		{ "1", "PIV AUTH pubkey", 
+		{ "01", "PIV AUTH pubkey", 
 			 	/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT |
 			 		SC_PKCS15_PRKEY_USAGE_WRAP |
 					SC_PKCS15_PRKEY_USAGE_VERIFY |
 					SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_VERIFY,
 			"9A06", 0x9A, NULL, 0, "PIV_9A_KEY"},
-		{ "2", "SIGN pubkey", 
+		{ "02", "SIGN pubkey", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT |
 					SC_PKCS15_PRKEY_USAGE_VERIFY |
 					SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER |
@@ -401,33 +401,33 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 				/*EC*/SC_PKCS15_PRKEY_USAGE_VERIFY |
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
 			"9C06", 0x9C, NULL, 0, "PIV_9C_KEY"},
-		{ "3", "KEY MAN pubkey", 
+		{ "03", "KEY MAN pubkey", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT| SC_PKCS15_PRKEY_USAGE_WRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
 			"9D06", 0x9D, NULL, 0, "PIV_9D_KEY"},
-		{ "4", "CARD AUTH pubkey", 
+		{ "04", "CARD AUTH pubkey", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_VERIFY |
 					SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER, 
 				/*EC*/SC_PKCS15_PRKEY_USAGE_VERIFY,
 			"9E06", 0x9E, NULL, 0, "PIV_9E_KEY"},  /* no pin, and avail in contactless */
 
-		{ "5", "Retired KEY MAN 1",
+		{ "05", "Retired KEY MAN 1",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_WRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
 			 "8206", 0x82, NULL, 0, NULL},
-		{ "6", "Retired KEY MAN 2",
+		{ "06", "Retired KEY MAN 2",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_WRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
 			 "8306", 0x83, NULL, 0, NULL},
-		{ "7", "Retired KEY MAN 3",
+		{ "07", "Retired KEY MAN 3",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_WRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
 			 "8406", 0x84, NULL, 0, NULL},
-		{ "8", "Retired KEY MAN 4",
+		{ "08", "Retired KEY MAN 4",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_WRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
 			 "8506", 0x85, NULL, 0, NULL},
-		{ "9", "Retired KEY MAN 5",
+		{ "09", "Retired KEY MAN 5",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_WRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
 			 "8606", 0x86, NULL, 0, NULL},
@@ -497,110 +497,110 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
  * on the key algorithm, and will be reset. 
  */
 	static const prdata prkeys[PIV_NUM_CERTS_AND_KEYS] = {
-		{ "1", "PIV AUTH key", 
+		{ "01", "PIV AUTH key", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT |
 					SC_PKCS15_PRKEY_USAGE_UNWRAP |
 					SC_PKCS15_PRKEY_USAGE_SIGN |
 					SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_SIGN,
-			"", 0x9A, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0},
-		{ "2", "SIGN key", 
+			"", 0x9A, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
+		{ "02", "SIGN key", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT |
 					SC_PKCS15_PRKEY_USAGE_SIGN |
 					SC_PKCS15_PRKEY_USAGE_SIGNRECOVER |
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_SIGN | 
 					SC_PKCS15_PRKEY_USAGE_NONREPUDIATION,
-			"", 0x9C, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
-		{ "3", "KEY MAN key", 
+			"", 0x9C, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+		{ "03", "KEY MAN key", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0},
-		{ "4", "CARD AUTH key", 
+			"", 0x9D, "01", SC_PKCS15_CO_FLAG_PRIVATE, 0},
+		{ "04", "CARD AUTH key", 
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_SIGN |
 				SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_SIGN,
 			"", 0x9E, NULL, 0, 0}, /* no PIN needed, works with wireless */
-		{ "5", "Retired KEY MAN 1",
+		{ "05", "Retired KEY MAN 1",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x82, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
-		{ "6", "Retired KEY MAN 2",
+			"", 0x82, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+		{ "06", "Retired KEY MAN 2",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x83, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
-		{ "7", "Retired KEY MAN 3",
+			"", 0x83, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+		{ "07", "Retired KEY MAN 3",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x84, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
-		{ "8", "Retired KEY MAN 4",
+			"", 0x84, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+		{ "08", "Retired KEY MAN 4",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x85, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
-		{ "9", "Retired KEY MAN 5",
+			"", 0x85, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+		{ "09", "Retired KEY MAN 5",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x86, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x86, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "10", "Retired KEY MAN 6",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x87, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x87, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "11", "Retired KEY MAN 7",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x88, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x88, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "12", "Retired KEY MAN 8",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x89, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x89, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "13", "Retired KEY MAN 9",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x8A, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x8A, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "14", "Retired KEY MAN 10",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x8B, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x8B, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "15", "Retired KEY MAN 11",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x8C, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x8C, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "16", "Retired KEY MAN 12",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x8D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x8D, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "17", "Retired KEY MAN 13",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x8E, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x8E, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "18", "Retired KEY MAN 14",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x8F, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x8F, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "19", "Retired KEY MAN 15",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x90, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x90, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "20", "Retired KEY MAN 16",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x91, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x91, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "21", "Retired KEY MAN 17",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x92, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x92, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "22", "Retired KEY MAN 18",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x93, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x93, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "23", "Retired KEY MAN 19",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x94, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+			"", 0x94, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1},
 		{ "24", "Retired KEY MAN 20",
 				/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 				/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
-			"", 0x95, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1}
+			"", 0x95, "01", SC_PKCS15_CO_FLAG_PRIVATE, 1}
 	};
 
 	int    r, i;