Yubico Forum ...visit our web-store at 2016-10-19T16:34:39+01:00 https://forum.yubico.com/feed.php?f=26&t=2031 2016-10-19T16:34:39+01:00 2016-10-19T16:34:39+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=9106#p9106 <![CDATA[Re: [Question] Smartcard certificate creation]]> https://developers.yubico.com/yubikey-p ... Notes.html). The CHUID is set when you generate the key from the application. The application was developed to request certificates for logging into an Active Directory domain environment, and that continues to be the primary use.

If you're on a Mac and you download Yubico PIV Tool (https://developers.yubico.com/yubikey-p ... /Releases/), it goes into your default downloads directory, and the name of the folder is yubico-piv-tool-1 (check your default downloads directory to confirm). On my Mac that means...

cd ./Downloads/yubico-piv-tool-1/bin
./yubico-piv-tool [command] (I generally run ./yubico-piv-tool -a status most often)

You should not mix use of the YubiKey PIV Manager and Yubico PIV Tool (unless you're starting with Yubico PIV Tool and you at minimum change the default management key). If the management key is left at default and you make any other changes with PIV Tool (change PIN, change PUK, etc.), YubiKey PIV Manager thinks nothing else has been done to the applet as the management key hasn't changed from the default (so if you run PIV Manager, you will get the initialize dialogue and it will force you to try and change your PIN).

Statistics: Posted by ChrisHalos — Wed Oct 19, 2016 4:34 pm

]]> 2016-10-19T03:24:14+01:00 2016-10-19T03:24:14+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=9104#p9104 <![CDATA[Re: [Question] Smartcard certificate creation]]> TheRealSnafu wrote:

Hi again,
Quote:
I'm still trying to figure out how to import it onto my Neo, though.

I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO.

Regards,
Gerhard
So much easier with the GUI utility! Thank you.

mouse008 wrote:

Since you seem to be using NEO in PIV mode, you need to fully initialize the token.
Code:
yubico-piv-tool
has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something like
Code:
yubico-piv-tool -a set-chuid -a set-ccc


Please post here it that helped.
I'm disappointed that this isn't in the GUI PIV tool. Also, I'm not sure how to get the CLI tool to run. I'll fiddle with it, but if you have advice, I'd appreciate it.

Is there any software I'll need - Centrify Express or something like it - to pass the certificate on the Yubikey to Apple Mail?

Edit: When I go to the directory, and type in "yubico-piv-tool" I get the following:
Code:
computer:bin user$ yubico-piv-tool
-bash: yubico-piv-tool: command not found


When I drag the executable directly to the terminal window, I get this:
Code:
computer:bin user$ /Users/user\ 1/Downloads/yubico-piv-tool-1.4.2-mac/bin/yubico-piv-tool -s 9c -a set-chuid
Failed authentication with the application.


I've found it - from the PDF:
Quote:

Failed authentication with the application
This error message occurs when authentication with the management key fails. If you previously reset the management key, be sure you provide the new management key with the -k switch in every command line where YubiKey authentication is required.
This error also occurs if the PIN is required and is typed incorrectly.
For example:
yubico-piv-tool -a change-pin -P 123456 -N $pin -k
010203040506070801020304050607080102031234597899
where 010203040506070801020304050607080102031234597899 is the new management key.

Statistics: Posted by Chrontius — Wed Oct 19, 2016 3:24 am

]]> 2016-08-21T04:35:06+01:00 2016-08-21T04:35:06+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8891#p8891 <![CDATA[Re: [Question] Smartcard certificate creation]]> Code:
yubico-piv-tool
has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something like
Code:
yubico-piv-tool -a set-chuid -a set-ccc


Please post here it that helped.

Statistics: Posted by mouse008 — Sun Aug 21, 2016 4:35 am

]]> 2016-08-19T06:57:04+01:00 2016-08-19T06:57:04+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8889#p8889 <![CDATA[Re: [Question] Smartcard certificate creation]]>
Quote:

I'm still trying to figure out how to import it onto my Neo, though.

I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO.

Regards,
Gerhard

Statistics: Posted by TheRealSnafu — Fri Aug 19, 2016 6:57 am

]]> 2016-08-19T06:52:35+01:00 2016-08-19T06:52:35+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8888#p8888 <![CDATA[Re: [Question] Smartcard certificate creation]]>
Quote:

You could try getting a free S/MIME cert from StartSSL

those StartSSL S/MIME certificates didn't work for Bitlocker for me. But you can indeed use self-signed certificates for Windows 10 by adding this DWORD "SelfSignedCertificates" to HKLM\Software\Policies\Microsoft\FVE. The value is originally not there, so simply add it, restart the PC and it should work. You can also use the PIV Manager GUI to create a certificate, it's easier than certreq.exe etc.

Cheers,
Gerhard

Statistics: Posted by TheRealSnafu — Fri Aug 19, 2016 6:52 am

]]> 2016-08-16T01:41:48+01:00 2016-08-16T01:41:48+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8880#p8880 <![CDATA[Re: [Question] Smartcard certificate creation]]>
https://www.comodo.com/home/email-secur ... ficate.php

I'm still trying to figure out how to import it onto my Neo, though.

Any instructions for that?

Statistics: Posted by Chrontius — Tue Aug 16, 2016 1:41 am

]]> 2016-05-06T07:37:38+01:00 2016-05-06T07:37:38+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8610#p8610 <![CDATA[Re: [Question] Smartcard certificate creation]]> T4cC0re wrote:

You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker.



What are the exact steps in doing that? I tried getting a certificate from them (using the generated by myself option as the other option gave me an error) and it didn't work. Am I missing something?

Statistics: Posted by genealogyxie — Fri May 06, 2016 7:37 am

]]> 2016-05-03T23:43:08+01:00 2016-05-03T23:43:08+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8597#p8597 <![CDATA[Re: [Question] Smartcard certificate creation]]> genealogyxie wrote:

The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10?



You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker.

Statistics: Posted by T4cC0re — Tue May 03, 2016 11:43 pm

]]> 2016-04-29T05:30:12+01:00 2016-04-29T05:30:12+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=8581#p8581 <![CDATA[Re: [Question] Smartcard certificate creation]]> Statistics: Posted by genealogyxie — Fri Apr 29, 2016 5:30 am

]]> 2015-09-15T07:30:41+01:00 2015-09-15T07:30:41+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=7803#p7803 <![CDATA[Re: [Question] Smartcard certificate creation]]>
HKLM\Software\Policies\Microsoft\FVE

And then added a new DWORD called “SelfSignedCertificates”, with a value of 1 to it.

Then, worked out I had to omit the following line from the request:

ProviderName = "Microsoft Smart Card Key Storage Provider"

By removing that line, when running "certreq -new certrequest.txt" at a command prompt, as well as signing the certificate, it allows it to be saved as a file instead of directly to the card. Then by accessing the MMC -> certificates snap in I can export the certificate as a .pfx, and import the certificate onto the NEO using the PIV manager.

Statistics: Posted by Kingbob — Tue Sep 15, 2015 7:30 am

]]> 2015-09-15T06:28:57+01:00 2015-09-15T06:28:57+01:00 https://forum.yubico.com/viewtopic.php?t=2031&p=7802#p7802 <![CDATA[[Question] Smartcard certificate creation]]>
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

From here: https://technet.microsoft.com/en-us/library/dd875530(v=ws.10).aspx#BKMK_sscert

But when i do that, it prompts me to insert a smartcard, even though the NEO is plugged in, and the PIV manager can see it.
CCID is enabled on the NEO, Windows control panel shows the smart card reader installed as a "Microsoft Usbccid Smartcard Reader (WUDF)", and shows the smart card installed as an "identity Device (NIST SP 800-73 [PIV])", both of which as far as i can tell from reading documentation are correct.

card.jpg

But i get a prompt saying: "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate". This box shows the NEO as the reader and the correct identity device.

Am i missing something?


If i instead use the Yubikey PIV manager (1.0.2), click certificates, and click generate new key. Select a 2048bit self signed certificate, enter PIN and management key, it generates a new key in slot 91, and loads a self signed certificate. But if I then go to a bitlocker protected volume and try to use the smartcard, it says a certificate suitable for Bitlocker cannot be found on my smartcard.

Ive been through various guides, but cant find a solution.

Am i missing something?

Thanks.

Statistics: Posted by Kingbob — Tue Sep 15, 2015 6:28 am

]]>