Yubico Forum

Re: ADCS certificate enrollment, native Windows 7 functional

2015-06-15T18:52:21+01:00

Tom2 wrote:

OpenSC does not support CMC format.

Selecting PKCS didn't make a difference.

Quote:

For self- enrollment use the PIV MANAGER GUI.

This ended up working, just ran into trouble initially because I was using the Display Name and not the internal name of the certificate template.

Quote:

you can edit the guy to leave just 1 button and rename it "give me a smartcard i don't know what I am doing"

I assume editing the GUI is an appdev activity? I am just a lowly server engineer.

Quote:

I assume you have a workstation where the user goes and self-enroll right ? just have him insert the NEO and use the PIV MANAGER GUI.

Not today. We're still trying to determine how this process is going to work out.

Thanks Tom2, you did provide useful information and I think I can at least write up documentation on using PIV Manager.

Statistics: Posted by OverkillTASF — Mon Jun 15, 2015 6:52 pm

Re: ADCS certificate enrollment, native Windows 7 functional

2015-05-13T09:09:26+01:00

OpenSC does not support CMC format.

For self- enrollment use the PIV MANAGER GUI. It is extremely simple and you can edit the guy to leave just 1 button and rename it "give me a smartcard i don't know what I am doing"

I assume you have a workstation where the user goes and self-enroll right ? just have him insert the NEO and use the PIV MANAGER GUI.

Statistics: Posted by Tom2 — Wed May 13, 2015 9:09 am

Re: ADCS certificate enrollment, native Windows 7 functional

2015-05-12T19:02:50+01:00

Thanks. I had seen this before (which is how I managed to change the PIN), and it certainly provides sufficient information for me to import a Windows certificate, but I was hoping that users would be able to do this themselves without any additional software. I apologize for not knowing the names of the subsystems involved, but with previous smart cards, users could go to the web interface on our issuing CA and request a smart card certificate. Their inserted smart card would show up, and they'd have to enter their PIN (Or administrator PIN) to enroll and get the private keys loaded on their smart card. With the Yuibkey, I get the popup shown in the attached file.

Statistics: Posted by OverkillTASF — Tue May 12, 2015 7:02 pm

Re: ADCS certificate enrollment, native Windows 7 functional

2015-05-12T09:28:18+01:00

https://developers.yubico.com/PIV/Introduction/

https://developers.yubico.com/PIV/Tools ... nager.html

https://developers.yubico.com/yubico-pi ... icate.html

Statistics: Posted by Tom2 — Tue May 12, 2015 9:28 am

ADCS certificate enrollment, native Windows 7 functionality?

2015-05-11T19:09:49+01:00

I have received a Yubikey NEO to pilot a deployment for admin accounts in an Active Directory domain. I was hoping I could deploy these with minimal installation of additional software on users' machines.

ADCS provides a URL, https://certificateauthority.domain.int/CertSrv, where users can enroll, using their AD credentials, for certificates. Smart card functionality is included here. I have enabled CCID on the NEO, yet when it comes time to enroll for a certificate, Windows reports that my NEO is read-only. I have used the PIV manager to reset the PIN and management PIN but don't seem to see an option to unlock it so that Windows' native Smart Card services can enroll for a new smart card cert.

Am I missing something?

Statistics: Posted by OverkillTASF — Mon May 11, 2015 7:09 pm