Yubico Forum

PIV Manager 1.3.0 no connection to CA
Page 1 of 1

Author:  maggis [ Mon Sep 05, 2016 7:43 am ]
Post subject:  PIV Manager 1.3.0 no connection to CA

On PIV Manager 1.2.1 I can see the CA that exists in the Active Directory domain. But PIV Manager 1.3.0 (1.3.0b download) shows instead:
"You currently do not have a connection to a Certification Authority"

Why does the PIV Manager 1.3.0 not see my CA?

The YubiKey is YubiKey NEO with firmware 3.4.9. (Edit: earlier I had incorrectly stated it is YubiKey 4, it is YubiKey NEO.)

PIV Manager 1.2.1 can connect to the CA but unfortunately it cannot successfully request a certificate. The error with incorrect English is:
"Certificate is to large to fit in buffer.". It would be very useful if the tool would show how large the certificate is and how large is the buffer. It is surprising that a 2048-bit RSA key does not fit on it so PIV Manager could at least show how big it is.

In general, the PIV Manager tool seems to suck quite hard... Is YubiKey supposed to work with Windows tools? Should I be able to use the standard "Enroll on behalf of user" to load certificates to YubiKey, or is the only way to use the PIV Manager?

Author:  ChrisHalos [ Mon Sep 05, 2016 5:45 pm ]
Post subject:  Re: PIV Manager 1.3.0 no connection to CA

I would recommend starting here - https://www.yubico.com/wp-content/uploa ... _FINAL.pdf

Quick answer? Yes, you can use enroll on behalf of (either with CSIS Enrollment Station or manually from a Windows Server), PIV Manager, or PIV Tool. The full PIV for smartcard login document sent can be found on https://www.yubico.com/support/documentation/

The section "USING YUBIKEY PIV FOR SMART CARD LOGIN" is intended to be read in order when trying to decide the best way to implement.

Author:  maggis [ Wed Sep 07, 2016 3:22 pm ]
Post subject:  Re: PIV Manager 1.3.0 no connection to CA

I have checked the EnrollmentStation. I suggest to create a "release" in github, it would be easier for regular Windows users who do not care about git. It seems the repo is not updated so often so that should not be inconvenient.

I'm not sure if you ignored the point of the thread (possible bug in PIV Manager 1.3.0?) on purpose, so I'll explain. Almost everything works: the PIV Manager 1.2.1 can be used to request certificates (which work everywhere) but version 1.3.0 does not find any CA (there are multiple for various purposes, all in working condition).

In fact I would prefer to use the stock Windows tools for management but they do not seem to support the management key functionality. Using the "Enroll on behalf of" functionality in Windows certificate management detects the YK but has an error (something about possibly missing driver), which is why I asked if it "should" even work without the custom tools.

I will probably just use EnrollmentStation due to the management key.

I do have to criticize Yubico here a bit. The YK seems a solid device enough and I have no complaints, but:
The size limitation per certificate is absent from almost all PR for this device. I hope that is not intentional. If I have understood correctly, it seems a 2048-bit certificate may sometimes not fit on the YK NEO. Now I cannot find the size information anywhere again - should have saved it somewhere - all/most the material for YK NEO simply say "2048 RSA key" or talk about 2048 bits. There is a table with the actual supported certificate maximum sizes somewhere buried in the Yubico website..

https://developers.yubico.com/PIV/Intro ... d_PIV.html - "The maximum size of stored objects is 2005 bytes."
I might have seen a table somewhere for different YKs and the numbers were different.

Author:  maggis [ Thu Sep 08, 2016 10:33 am ]
Post subject:  Re: PIV Manager 1.3.0 no connection to CA

Enrolling with EnrollmentStation gives an error.

I can enroll myself just fine with PIV Manager 1.2.1. The resulting certificate stored on the YK works just fine for login. With EnrollmentStation the CA does issue the certificate correctly: the enrolled certificate is shown in "Issued Certificates" list on the CA. But EnrollmentStation has an error "Unable to import a certificate", screenshot is attached. I wonder if this is again caused by size of the certificate.

Is there a log somewhere for ES? The error is not very helpful.

After playing around with the aforementioned YK that gave an error, enrolling with ES worked. I take another YK NEO from the tray (never used), and it does not work again. CCID is enabled. Do I need to reset this somehow first?? It is not mentioned anywhere, CSIS_Enrollment_Station_Guide_en.pdf page 17 says simply:
"1. Insert a YubiKey into a USB port of your computer."

File comment: CSIS Enrollment Station error
csis-err.png [ 56.83 KiB | Viewed 3193 times ]

Author:  ChrisHalos [ Fri Sep 09, 2016 12:23 am ]
Post subject:  Re: PIV Manager 1.3.0 no connection to CA

Regarding your previous post...

Yes, it's a bug that will be resolved in 1.3.1 - https://developers.yubico.com/yubikey-p ... Notes.html (1.3.0b was for an issue that cause the installer to fail on some Windows builds).

No YubiKey-specific minidriver for PIV currently exists (although we are working on one), so working directly from certmgr will certainly be hit-or-miss.

As for the certificate size, both places are wrong (although close). The buffer size on the NEO and on the YubiKey 4 (firmware 4.2.6 only) is 2048 bytes, while the buffer on the YubiKey 4 version 4.2.7 and newer is 3072 bytes. The buffer size doesn't mean that the object length can be 2048/2072, however. The following space has to be deducted to determine the total available size for the cert you're loading:

5 bytes for APDU header
5 bytes for the ID header
4 bytes for object header
4 bytes for certificate header
5 bytes for certificate postfix

So essentially, NEO and YK4 (4.2.6) = 2025 bytes, YK4 (4.2.7+) = 3049 bytes

The certificate itself contains several fields, such as a subject, an issuer, validity dates, a public key, a signature, etc. All this needs to fit in the available space specified above. The public key for an RSA 2048 key is 256 bytes (not including a few bytes of overhead for the encoding). This is the largest public key for any of the certs that our implementation supports, so that leaves 1769 bytes for the rest of the certificate. on a NEO. The signature size depends on the key type of the CA. If an RSA 4096 key is chosen for the CA, the signature would be 512 bytes. That now leaves 1257 bytes of space for things like the subject and issuer, validity period, any extensions that are used, information about the type of the public key and signature used. These things all add up, and if you start adding additional stuff like URLs to revocation services and so on it's easy to go over the limit. What ends up in the cert is ultimately determined by the CA. If the certificate is too large, the application should specify how large it is.

Regarding your most recent post, if you initialized it with PIV Manager, yes, you need to reset it because you probably set the Management Key to be derived from the PIN you generated. The CSIS Enrollment Station is expecting an unprovisioned YubiKey with default Management Key, PIN, and PUK. If you haven't used the YubiKey yet, as long as CCID is enabled, there shouldn't be an issue (unless the certificate is too large, as discussed above).

Author:  maggis [ Fri Sep 09, 2016 2:36 am ]
Post subject:  Re: PIV Manager 1.3.0 no connection to CA

Thank you very much Chris. This information is really helpful. It should be easier to find it.

I already have everything working but I needed to reduce the amount of data in the certificate. To be more precise, the CDP/AIA settings were changed since the long strings were an obvious place to cut down the size. I am not too happy about that, since I would prefer to have custom CDP and AIA to make sure validation works even for road warriors who might not have LDAP access 100% of time.

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group