Yubico Forum
https://forum.yubico.com/

ADCS certificate enrollment, native Windows 7 functionality?
https://forum.yubico.com/viewtopic.php?f=26&t=1873
Page 1 of 1

Author:  OverkillTASF [ Mon May 11, 2015 7:09 pm ]
Post subject:  ADCS certificate enrollment, native Windows 7 functionality?

I have received a Yubikey NEO to pilot a deployment for admin accounts in an Active Directory domain. I was hoping I could deploy these with minimal installation of additional software on users' machines.

ADCS provides a URL, https://certificateauthority.domain.int/CertSrv, where users can enroll, using their AD credentials, for certificates. Smart card functionality is included here. I have enabled CCID on the NEO, yet when it comes time to enroll for a certificate, Windows reports that my NEO is read-only. I have used the PIV manager to reset the PIN and management PIN but don't seem to see an option to unlock it so that Windows' native Smart Card services can enroll for a new smart card cert.

Am I missing something?

Author:  Tom2 [ Tue May 12, 2015 9:28 am ]
Post subject:  Re: ADCS certificate enrollment, native Windows 7 functional

https://developers.yubico.com/PIV/Introduction/

https://developers.yubico.com/PIV/Tools ... nager.html

https://developers.yubico.com/yubico-pi ... icate.html

Author:  OverkillTASF [ Tue May 12, 2015 7:02 pm ]
Post subject:  Re: ADCS certificate enrollment, native Windows 7 functional

Thanks. I had seen this before (which is how I managed to change the PIN), and it certainly provides sufficient information for me to import a Windows certificate, but I was hoping that users would be able to do this themselves without any additional software. I apologize for not knowing the names of the subsystems involved, but with previous smart cards, users could go to the web interface on our issuing CA and request a smart card certificate. Their inserted smart card would show up, and they'd have to enter their PIN (or administrator PIN) to enroll and get the private keys loaded on their smart card. With the Yubikey, I get the popup shown in the attached file.

Attachments:
2015-05-12 13_56_44-Microsoft Active Directory Certificate Services.png

Author:  Tom2 [ Wed May 13, 2015 9:09 am ]
Post subject:  Re: ADCS certificate enrollment, native Windows 7 functional

OpenSC does not support CMC format.

For self-enrollment use the PIV MANAGER GUI. It is extremely simple and you can edit the GUI to leave just 1 button and rename it "give me a smartcard, I don't know what I am doing"

I assume you have a workstation where the user goes and self-enrolls, right? Just have him insert the NEO and use the PIV MANAGER GUI.

Author:  OverkillTASF [ Mon Jun 15, 2015 6:52 pm ]
Post subject:  Re: ADCS certificate enrollment, native Windows 7 functional

Tom2 wrote:
OpenSC does not support CMC format.


Selecting PKCS didn't make a difference.

Quote:
For self-enrollment use the PIV MANAGER GUI.

This ended up working, just ran into trouble initially because I was using the Display Name and not the internal name of the certificate template.

Quote:
you can edit the GUI to leave just 1 button and rename it "give me a smartcard, I don't know what I am doing"

I assume editing the GUI is an appdev activity? I am just a lowly server engineer. :-)

Quote:
I assume you have a workstation where the user goes and self-enrolls, right? Just have him insert the NEO and use the PIV MANAGER GUI.

Not today. We're still trying to determine how this process is going to work out.

Thanks Tom2, you did provide useful information and I think I can at least write up documentation on using PIV Manager.
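The gotcha in the post above (the template's Display Name is not the name enrollment tools expect) is easy to resolve before handing the name to PIV Manager. The following PowerShell is an added example, not code from the thread or from Yubico; it assumes a domain-joined Windows host with read access to the Configuration partition and uses plain ADSI, so it does not need the ActiveDirectory module. The Smart Card Logon EKU OID it checks for is the well-known Microsoft value.

```powershell
# Added example: map an ADCS certificate template's Display Name to the
# internal name (cn) that PIV Manager and other enrollment tools expect,
# and flag whether the template actually carries the Smart Card Logon EKU.
param(
    [Parameter(Mandatory = $true)]
    [string]$DisplayName
)

# Well-known Microsoft EKU for Smart Card Logon.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

# Templates live in the forest-wide Configuration naming context.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$container = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$container
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
[void]$searcher.PropertiesToLoad.AddRange(@(
    'cn', 'displayName', 'msPKI-Cert-Template-OID', 'msPKI-Certificate-Application-Policy'
))

# Filter client-side so a display name containing LDAP metacharacters
# cannot alter the query; property keys come back lower-cased.
$match = $searcher.FindAll() | Where-Object {
    $_.Properties['displayname'][0] -eq $DisplayName
} | Select-Object -First 1

if (-not $match) {
    throw "No certificate template with Display Name '$DisplayName' was found."
}

$appPolicies = @($match.Properties['mspki-certificate-application-policy'])

[PSCustomObject]@{
    DisplayName        = $match.Properties['displayname'][0]
    InternalName       = $match.Properties['cn'][0]          # use this when enrolling
    TemplateOID        = $match.Properties['mspki-cert-template-oid'][0]
    HasSmartCardLogon  = ($appPolicies -contains $SmartCardLogonEku)
    ApplicationPolicies = $appPolicies
}
```

Run it as `.\Resolve-TemplateName.ps1 -DisplayName 'Smartcard Logon'` (the file name is an assumption); `HasSmartCardLogon` being false tells you the template will not produce a certificate usable for smart card logon even if enrollment succeeds.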
