Yubico Forum

Hello all,

I have completed the instructions here: https://developers.yubico.com/yubico-pi ... icate.html

Everything was successful according to the command line utility. Used a copy of a template in Windows Certificate Services from my smart card logon template that works for my traditional smart cards.

However, RDP, Windows logon, etc all say that I do not have a valid certificate on my Yubikey. Please help!

Hello,

there is a very large number of possible answers this this thread. Most probably something is wrong in your AD/WinServ configuration.

What server version are you using?

I have successfully tested it on Windows Server 2012 RC*

_________________
-Tom

Workstation is Windows 8.1. I have tried to authenticate against Windows Server 2012 and 2012 R2.

One likely possibility is the certificate template configured incorrectly, although I'm using the same exact template that I use for my HID Crescendo smart cards. What CSP do you have configured?

Is it not that windows is expecting to find your credentials in the Subject Alternate Name (specifically your UPN)?

According to Microsoft the Subject field should contain a DN: "This field is a mandatory extension, but the population of this field is optional."

So, unless you've figured out a way to include a SAN I don't think this will work?

Confirmed in my environment at least. As soon as you get the SAN loaded properly it works. I can now log into Windows using the cert. You can inject a SAN as a switch to the certreq command as follows:

certreq -submit -attrib "CertificateTemplate:templateToUse" -attrib "SAN:upn=user@domain&email=null@somewhere.com" .\request.csr cert.crt

Change the values as appropriate.

The template on the Certificate Authority is configured to set the SAN. I also confirmed that the cer issued by the CA contains it. See screenshots

What CSP are you allowing/specifying in your template? Thats the only thing I can think of that is different.

Resolved my issue by running Set-Chuid with version 0.1.1. Clearly 0.1.0 had a bug.