Yubico Forum

PostPosted: Tue Mar 10, 2015 9:12 am 

Joined: Tue Mar 10, 2015 7:48 am
Posts: 5
We are currently trying the Neo in a Proof of Concept project.
The aim is that the domain user can use the Neo to log in on Windows 7 workstations together with a Windows 2012 AD Enterprise CA.
Unfortunately we cannot get it to work with an enrollment agent and we want to hear how others solved this problem.

Is there a way to get the Neo as a smart card running in a Windows CA world?
https://developers.yubico.com/yubico-piv-tool/Windows_certificate.html
We think that we need a smart card and not a user template like the example above.
It seems to be a Microsoft problem in combination with the Neo tools.

Setup
Our Neos have firmware version 3.3.6, Set Mode to CCID + OTP Mode-82.
We used the smart card template "SmartCard Logon" with
Purpose: Signature and Smartcard Logon
Number of authorized signatures: 1
Application Policy --> Certificate Request Agent
A certificate for the enrollment user agent is created.
Enrollment of this certificate type on behalf of other users is working!

Steps:
yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.

Rem Like certreq -new inf.txt inf.req with PIN prompt support
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate -S "/CN=bob/CN=Users/DC=mic/DC=workshop/DC=zz/" -i public.pem -o request.csr
Successfully verified PIN.
Successfully generated a certificate request.


The next step, signing with the enrollment signature, fails.
Normally a prompt for the Enrollment Agent in the Cert Store appears.
certreq -sign request.csr request2.csr
Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)
request.csr

Since openssl doesn't support the other format, CMC, we can't test it.

Rem Request to Windows CA
certreq -submit -attrib "CertificateTemplate:SmartcardLogon2" request.csr cert.crt
Without signing the certificate we get an error, as expected, because of the missing authority signature from the enrollment agent.
Certificate not issued (Denied) Denied by Policy Module The request is missing required signature policy information. 0x80094809 (-2146875383)
Certificate Request Processor: The request is missing required signature policy information. 0x80094809 (-2146875383)
Denied by Policy Module


PostPosted: Tue Mar 10, 2015 2:33 pm 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
certreq -submit -attrib "CertificateTemplate:SmartCard Logon" request.csr cert.crt

SmartCard Logon templates need to be properly configured, e.g. key size 2048.

Did this help?
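Before an enrollment agent signs or submits the request.csr from the first post, the CSR can be checked against what the template requires, including the 2048-bit key size mentioned in the reply above. This is an added example, not code from the thread or from Yubico; it assumes the openssl CLI is on PATH and uses locally generated sample keys in place of the Neo's slot 9a key.

```shell
#!/bin/sh
# Added example, not code from the thread: checks an enrollment agent can run on
# a PKCS#10 CSR (such as the one yubico-piv-tool wrote to request.csr) before
# signing it or submitting it with certreq. Assumes the openssl CLI is on PATH;
# file names and the sample subject are constructed placeholders.
set -e

# Print the size in bits of the CSR's public key (empty if it cannot be read).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the subject as an RFC 2253 string, e.g. "DC=zz,...,CN=Users,CN=bob".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject=//'
}

# Return 0 only if the CSR's self-signature verifies (proof of possession of
# the private key), the key is RSA of at least $3 bits (default 2048, as the
# SmartCard Logon template expects) and $2 appears as a CN in the subject.
csr_check() {
    csr=$1; expect_cn=$2; min_bits=${3:-2048}
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text 2>/dev/null |
        grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    bits=$(csr_key_bits "$csr")
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || return 1
    csr_subject "$csr" | grep -Eq "(^|,)CN=$expect_cn(,|$)" || return 1
}

# Constructed sample input: locally generated keys and CSRs standing in for
# the key pair that yubico-piv-tool generated in PIV slot 9a.
make_sample_csr() {
    out=$1; bits=$2; cn=$3
    openssl req -new -newkey "rsa:$bits" -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=$cn/CN=Users/DC=mic/DC=workshop/DC=zz" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/bob.csr" 2048 bob   # meets the template requirements
make_sample_csr "$tmp/weak.csr" 1024 bob  # key too small for the template

csr_check "$tmp/bob.csr" bob && echo "bob.csr: OK to sign and submit"
csr_check "$tmp/weak.csr" bob || echo "weak.csr: rejected, key is $(csr_key_bits "$tmp/weak.csr") bits"
csr_check "$tmp/bob.csr" alice || echo "bob.csr: rejected, subject does not name alice"
```

The subject check matters because an enrollment agent's signature asserts that the request is for the named user; the key check mirrors the template's minimum key size.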


PostPosted: Wed Mar 11, 2015 3:33 pm 

Joined: Tue Mar 10, 2015 7:48 am
Posts: 5
No, it's a problem of Microsoft's certreq tool.
A certificate request created in CMC format can be signed with the enrollment agent.
But openssl doesn't support this format.

The aim is to have a smart card enrollment station. An administrator can act on behalf of a user to request and install a Smart Card Logon certificate on the user's smart card.

Is there any commercial minidriver for the Neo available?


PostPosted: Thu Mar 12, 2015 4:20 pm 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Goldfinger, I am no expert so forgive me if my next advice makes no sense.

But shouldn't you be able to submit a PKCS10 request (https://tools.ietf.org/html/rfc2986) and specify on the certificate template the group and the certificate manager approval?


PostPosted: Thu Mar 19, 2015 11:19 am 

Joined: Tue Mar 10, 2015 7:48 am
Posts: 5
For enrollment on behalf of other users we need a PKCS#10 and a signer certificate, see the picture above.
[Image]

Some links for Windows environments:
Enrollment
http://secadmins.com/index.php/enroll-for-a-smart-card-certificate-on-behalf-of-other-users/

PowerShell code
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0%2Dbfed%2D4143%2D9eea%2Df521167d287c&ID=77


PostPosted: Thu Mar 19, 2015 11:30 am 

Joined: Tue Mar 10, 2015 7:48 am
Posts: 5
I can't get the OpenSC Windows minidriver to work together with the YubiKey Neo.
But I can't create the private key on the Neo or transfer the public certificate.
Did anyone have success?

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV])]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="msclmd.dll"

