I'm just starting to use yubikeys and i bought a few keys YubiKey 4 for testing.... i have hit a couple of problems with them...they both seem easy to fix (Yubico can easily publish updated versions of the management tools for this) but the second one is a bit of a head-scratcher...
1) the Yubikey personalization tools and the PIV Manager (both GUI + CLI) won't recognize an inserted YubiKey if i disable the OTP or PIV function with Neo Manager - shouldn't they at least recognize the inserted key and tell me that OTP/PIV is disabled for that particular key?
2) when i configure the digital certificate slots with PIV Manager in ECC mode (P-256 or P-384), the digital certificates are not recognized by the Windows trust store - they do not appear under Internet Options - Content - certificates - Personal Certificates. Only RSA1024 and 2048 certificates are recognized by windows... ECC certificates are not recognized as Personal Certificates at all.
tested self-signed certificates:
sha256RSA - 1024 bits - is recognized as a personal certificate
sha256RSA - 2048 bits - is recognized as a personal certificate
sha256ECDSA - ECDSA_P256 - is NOT recognized by Windows 10 as an usable personal certificate for signing
sha256ECDSA - ECDSA_P384 - is NOT recognized by Windows 10 as an usable personal certificate for signing
RSA 4096 bits - is not even offered as an option by PIV Manager v1.2.1 when generating certificate requests or self-signed certificates, even though RSA 4096 is supposedly supported by Yubikey 4....
Since Yubikey 4 supports RSA 4096 bits, can you please add it as an option for generating certificates into PIV Manager or is RSA 4096 supported only with externally-generated and imported certificates?
Also, for the operating system part...does anyone know why sha256ECDSA ECDSA_P256/ECDSA_P384 is not recognized in windows for PIV Certificates for signing?
Windows recognizes them properly when i export the certificates as .CRT files but won't show them when configured for PIV/SmartCard signing. Is there a KB fix or a TechNet article available from Microsoft for enabling this?
setup info:
-firmware version on my Yubikeys 4 is v4.2.7, ordered on january 1st 2016 and delivered this week.
-PIV manager version used is https://developers.yubico.com/yubikey-piv-manager/Releases/yubikey-piv-manager-1.2.1-win.exe
which has a digital signature timestamp of January 4th, 2016.
SHA-1 checksum of that file: 21976d4fda92209729a1409e35d0b665b3a10e4d
SHA-256: 490f749497bd424cb40fbe8ad8b14d7a2f44dcd89a793767f457bd51e32784e0
-OS version of my testing system: Windows 10 professional x64 1511 with all updates appliedStatistics: Posted by Aditza — Sat Jan 09, 2016 3:23 pm
]]>