Yubico Forum https://forum.yubico.com/ |
|
[QUESTION] Windows AD CS with root CA key on YK4 https://forum.yubico.com/viewtopic.php?f=35&t=2537 |
Page 1 of 1 |
Author: | Marecki [ Mon Jan 23, 2017 4:23 pm ] |
Post subject: | [QUESTION] Windows AD CS with root CA key on YK4 |
I wonder, has anyone here ever tried to use a YubiKey 4 in PIV mode to store the root CA key for Windows Active Directory Certificate Services, and if so could I find the procedure documented somewhere? the "Configuring a CA for Smart Card Authentication" section of YubiKey PIV Deployment Guide says nothing about what cryptographic provider to use, all the documentation I have seen so far seems to assume only keys other than the root CA to be generated in YubiKeys, and when I simply tried to choose either the standard Windows SmartCard Store cryptographic provider or the OpenSC CSP Windows informed me the card was read-only. Thank you in advance for any suggestions! |
Author: | Mathieulh [ Wed Feb 08, 2017 4:16 pm ] |
Post subject: | Re: [QUESTION] Windows AD CS with root CA key on YK4 |
Marecki wrote: I wonder, has anyone here ever tried to use a YubiKey 4 in PIV mode to store the root CA key for Windows Active Directory Certificate Services, and if so could I find the procedure documented somewhere? the "Configuring a CA for Smart Card Authentication" section of YubiKey PIV Deployment Guide says nothing about what cryptographic provider to use, all the documentation I have seen so far seems to assume only keys other than the root CA to be generated in YubiKeys, and when I simply tried to choose either the standard Windows SmartCard Store cryptographic provider or the OpenSC CSP Windows informed me the card was read-only. Thank you in advance for any suggestions! -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Why not import the pem/pfx to the Yubikey using piv-tool or the Yubikey PIV Manager? For some reason the yubikey PIV applet reports as read only, and neither the Microsoft or opensc stacks can write to PIV slots, so certificates have to be imported/generated using Yubikey's own set of tools. It would be good to know why Yubikey won't let applications overwrite its PIV slots when other competitors (such as PIVkey) would, using non standard APIs can be rather cumbersome. -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJYmzYmAAoJEKa4nBz3AlIIYb8IAJqFIt6NENmOLfg3rkd3zNQZ /NUJDVq0/ChiRXwpt//jkb4F0AVL2nQJFEOu5JFVRXyRE/W7u6SHcmw797fT3/OK zDsuO68fioUKgpoQiL0op2OyeG/5TxcWDpAQYoEFSFOR2NxUMF3aUyIE53BbDcRK oljhmSBl5gEqtdvEwGQYMfDwkXe2e7+q2pFkAjDJqm97kRW5cWQAbaKVCE950N1K BcyHxdzsb8dzNBAujUkc/dTccC+x+gEPe2Ku/iGBoFRB8v2k6ARc1XEAy20HPpNJ Fj8hHbGshAwNUZ1moyKet85JW+nU5TNhxIK+D4aQdFqoAdCyAvpJwiWxI/n1K24= =84bS -----END PGP SIGNATURE----- |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |