Yubico Forum

Hello all!

Strange behavior on my Yubikey slot 9c certificate usage.

I exported my Windows Enterprise CA (Intermediate) personal certificate from certmgr.msc and imported it with Yubikey PIV Tool to slot 9c. Then deleted the certificate from certmgr.msc and verified I couldn't login to our VPN (requires certificate) or read entrypted (Outlook S/MIME) emails. Inserted the key and could (after entering pin) read the encrypted emails, connect to vpn etc. Then I removed it and every time I clicked on an encrypted mail it was asking for the card... as expected. All fine you'll say?

Now the strange part... next day, after a reboot (if that matters, not sure it does)... I click on an encrypted email and it opens up... without the card in the slot. I look in certmgr.msc... and sure as hell... certificate is back! I delete it... everything works back with the cert on the key as expected... but the certmgr.msc reports that it has the key I just deleted... but still asks for the "Card" when I click on encrypted stuff... like the private key is on the card but the cert is there... but the icon (and details of it) on certmgr... still mention that "You have a private key that corresponds to the Certificate" even when my Yubikey4 is out... Since it works though... I don't pay much attention to it....

Next day, another reboot later... I can read the encrypted emails without any problem... without Yubikey4 connected...

Please... assist... I think I'm going crazy here... why does the certificate reappear on certmgr.msc every time?

Andreas

You have to delete it with yubico-piv-tools action delete-certificate.
https://developers.yubico.com/yubico-piv-tool/

Hm... thanks for the tip... but the whole issue is that it keeps re-appearing in certmgr.msc... after I delete it from it... like the OS takes the key+cert and installs it on the OS certmgr... instead of it just remaining on the Yubikey4... 9c slot.

A successful usage case would be: if Yubikey is not in slot, no-one can sign or read encrypted mails with the certificate on the slot...

What's happening is: After the 1st insertion of Yubikey + PIN unlock the certificate is stored on the local PC's certmgr... so after 1st use, the usb token isn't needed for a succesfull sign/read operation (tested it 2-3 times now... it's actually installed on the OS on first use).

Please advise!

Any takers on this?

unfortunately the behavior you are seeing is due to Microsoft Windows using cached credentials you can read more about this behavior at the following link.

https://technet.microsoft.com/en-us/lib ... 94565.aspx