Yubico Forum ...visit our web-store at 2015-03-19T11:30:26+01:00 https://forum.yubico.com/feed.php?f=26&t=1780 2015-03-19T11:30:26+01:00 2015-03-19T11:30:26+01:00 https://forum.yubico.com/viewtopic.php?t=1780&p=7071#p7071 <![CDATA[Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A]]> But I can't create the private key on Neo or transfer the public certificate.
Did someone have success?

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV])]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="msclmd.dll"

Statistics: Posted by goldfinger — Thu Mar 19, 2015 11:30 am

]]> 2015-03-19T11:19:29+01:00 2015-03-19T11:19:29+01:00 https://forum.yubico.com/viewtopic.php?t=1780&p=7070#p7070 <![CDATA[Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A]]> Image

Some links for Windows environments:
Enrollment
http://secadmins.com/index.php/enroll-for-a-smart-card-certificate-on-behalf-of-other-users/

Powershell Code
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0%2Dbfed%2D4143%2D9eea%2Df521167d287c&ID=77

Statistics: Posted by goldfinger — Thu Mar 19, 2015 11:19 am

]]> 2015-03-12T16:20:25+01:00 2015-03-12T16:20:25+01:00 https://forum.yubico.com/viewtopic.php?t=1780&p=7013#p7013 <![CDATA[Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A]]>
But shouldn't you be able to submit a PKCS10 request (https://tools.ietf.org/html/rfc2986 ) and specify on the certificate template the group and the certificate manager approval ?

Statistics: Posted by Tom2 — Thu Mar 12, 2015 4:20 pm

]]> 2015-03-11T15:33:39+01:00 2015-03-11T15:33:39+01:00 https://forum.yubico.com/viewtopic.php?t=1780&p=7003#p7003 <![CDATA[Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A]]> Creating a certificate request in CMC format can be signed with the enrollment agent.
But openssl doesn't support this format.

Aim is to have a smardcard enrollment station. An administrator can act on behalf of a user to request and install a Smart Card Logon certificate on the user's smart Card.

Is there any commercial minidriver for Neo available?

Statistics: Posted by goldfinger — Wed Mar 11, 2015 3:33 pm

]]> 2015-03-10T14:33:28+01:00 2015-03-10T14:33:28+01:00 https://forum.yubico.com/viewtopic.php?t=1780&p=6993#p6993 <![CDATA[Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A]]>
SmartCard Logon templates needs to be properly configured, e.g. key size 2048

did this help?

Statistics: Posted by Tom2 — Tue Mar 10, 2015 2:33 pm

]]> 2015-03-10T09:12:48+01:00 2015-03-10T09:12:48+01:00 https://forum.yubico.com/viewtopic.php?t=1780&p=6988#p6988 <![CDATA[[Question] Neo Smartcard Cert & Windows CA with Enroll Agent]]> The aim is that the domain user can use the Neo to login on Windows 7 workstations together with Windows 2012 AD Enterprise CA.
Unfortunately we get it not to work with a enroll agent and we want to here how other solved this problem.

Is there a way to get Neo as a smartcard running in a Windows CA world?
https://developers.yubico.com/yubico-piv-tool/Windows_certificate.html
We think that we need a smardcard and not a user template like the example above.
It seems to be Microsoft problem in combination of the Neo tools.

Setup
Our neo's have the firmware version 3.3.6 , Set Mode to CCID + OTP Mode-82
We used the Smartcard Template "SmartCard Logon" with
Propose: Signature and Smartcard Logon
Number of authorizied signatures:1
Application Policy --> Certificate Request Agent
An certificate for enrollment user-agent is created.
Enroll of this certificate type on behalf of other users is working!

Steps:
yubico-piv-tool -s 9a -a generate –o public.pem
Successfully generated a new private key.

Rem Like certreq -new inf.txt inf.req with Pin Prompt Support
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate -S "/CN=bob/CN=Users/DC=mic/DC=workshop/DC=zz/" -i public.pem -o request.csr
Successfully verified PIN.
Successfully generated a certificate request.

The next step sign with the enrollment signature fails.
Normally a prompt for the Enrollment Agent in the Cert Store appears.
certreq -sign request.csr request2.csr
Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)
request.csr
Since openssl don't support the other format CMC we can't test it.

Rem Request to Windows CA
certreq -submit -attrib "CertificateTemplate:SmartcardLogon2" request.csr cert.crt
Without sign the certificate we got an error as expected because of the missing authority signature from the enrollment agent.
Certificate not issued (Denied) Denied by Policy Module The request is missing required signature policy information. 0x80094809 (-2146875383)
Certificate Request Processor: The request is missing required signature policy information. 0x80094809 (-2146875383)
Denied by Policy Module

Statistics: Posted by goldfinger — Tue Mar 10, 2015 9:12 am

]]>