Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:39 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Sat Jan 09, 2016 3:23 pm 
Offline
User avatar

Joined: Sat Jan 09, 2016 1:59 pm
Posts: 7
Hello,

I'm just starting to use yubikeys and i bought a few keys YubiKey 4 for testing.... i have hit a couple of problems with them...they both seem easy to fix (Yubico can easily publish updated versions of the management tools for this) but the second one is a bit of a head-scratcher...

1) the Yubikey personalization tools and the PIV Manager (both GUI + CLI) won't recognize an inserted YubiKey if i disable the OTP or PIV function with Neo Manager - shouldn't they at least recognize the inserted key and tell me that OTP/PIV is disabled for that particular key?

2) when i configure the digital certificate slots with PIV Manager in ECC mode (P-256 or P-384), the digital certificates are not recognized by the Windows trust store - they do not appear under Internet Options - Content - certificates - Personal Certificates. Only RSA1024 and 2048 certificates are recognized by windows... ECC certificates are not recognized as Personal Certificates at all.

tested self-signed certificates:
sha256RSA - 1024 bits - is recognized as a personal certificate
sha256RSA - 2048 bits - is recognized as a personal certificate
sha256ECDSA - ECDSA_P256 - is NOT recognized by Windows 10 as an usable personal certificate for signing
sha256ECDSA - ECDSA_P384 - is NOT recognized by Windows 10 as an usable personal certificate for signing

RSA 4096 bits - is not even offered as an option by PIV Manager v1.2.1 when generating certificate requests or self-signed certificates, even though RSA 4096 is supposedly supported by Yubikey 4....

Since Yubikey 4 supports RSA 4096 bits, can you please add it as an option for generating certificates into PIV Manager or is RSA 4096 supported only with externally-generated and imported certificates?


Also, for the operating system part...does anyone know why sha256ECDSA ECDSA_P256/ECDSA_P384 is not recognized in windows for PIV Certificates for signing?
Windows recognizes them properly when i export the certificates as .CRT files but won't show them when configured for PIV/SmartCard signing. Is there a KB fix or a TechNet article available from Microsoft for enabling this?

setup info:
-firmware version on my Yubikeys 4 is v4.2.7, ordered on january 1st 2016 and delivered this week.

-PIV manager version used is https://developers.yubico.com/yubikey-piv-manager/Releases/yubikey-piv-manager-1.2.1-win.exe
which has a digital signature timestamp of January 4th, 2016.
SHA-1 checksum of that file: 21976d4fda92209729a1409e35d0b665b3a10e4d
SHA-256: 490f749497bd424cb40fbe8ad8b14d7a2f44dcd89a793767f457bd51e32784e0

-OS version of my testing system: Windows 10 professional x64 1511 with all updates applied


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group