Yubico Forum

Hi all,

I've just got my Yubikey 4 and I'm experimenting with authenticating to Windows with a smart card in Active Directory.

One thing I have noticed, is that if I have a certificate in a slot (let's say 9a) and then delete the certificate/key, generate a new one and import a new certificate, Windows still sees the old certificate.

I've tried going into the Personal User Certificate Store on my Windows Account and removing all of the certificates there that are from the Yubikey, but when I re-insert it, the old ones get added again and the new ones are no-where to be found.

I get the same behaviour with Mac OSX, but if I run "rm -rf /var/db/TokenCache/tokens/*" and re-insert the Yubikey, it picks up all the new certificates.

So my question is, is there a similar way on Windows to clear the "cache" so that when I re-insert my Yubikey, it picks up the new certificates? At the moment I'm having to reset my Yubikey by entering an incorrect PIN and PUK enough times, otherwise it doesn't pick up new certs.

Cheers

Windows caches the key container map and certificates in HKLM/Software/Microsoft/Cryptography/Calais[Cache]. There are essentially two different solutions that should work for you:

(1) Completely reset the the YubiKey using YubiKey PIV Manager, and then provision again. This will set a new CHUID, which is the reason why Windows currently sees the old certificate.

(2) Stop the "Smart Card" and "Certificate Propagation" services (if you have an inserted smart card, they will probably be running, and may be difficult to successfully stop), delete the cache value from the registry and reboot. This should work as well.