Yubico Forum
https://forum.yubico.com/

YubiKey 4 teething problems - weird issues + PIV problems
https://forum.yubico.com/viewtopic.php?f=16&t=2156

Author:  Aditza [ Sat Jan 09, 2016 3:23 pm ]
Post subject:  YubiKey 4 teething problems - weird issues + PIV problems

Hello,

I'm just starting to use YubiKeys and I bought a few YubiKey 4 keys for testing... I have hit a couple of problems with them... they both seem easy to fix (Yubico can easily publish updated versions of the management tools for this) but the second one is a bit of a head-scratcher...

1) The YubiKey personalization tools and the PIV Manager (both GUI + CLI) won't recognize an inserted YubiKey if I disable the OTP or PIV function with Neo Manager - shouldn't they at least recognize the inserted key and tell me that OTP/PIV is disabled for that particular key?

2) When I configure the digital certificate slots with PIV Manager in ECC mode (P-256 or P-384), the digital certificates are not recognized by the Windows trust store - they do not appear under Internet Options - Content - Certificates - Personal Certificates. Only RSA1024 and 2048 certificates are recognized by Windows... ECC certificates are not recognized as Personal Certificates at all.

Tested self-signed certificates:
sha256RSA - 1024 bits - is recognized as a personal certificate
sha256RSA - 2048 bits - is recognized as a personal certificate
sha256ECDSA - ECDSA_P256 - is NOT recognized by Windows 10 as a usable personal certificate for signing
sha256ECDSA - ECDSA_P384 - is NOT recognized by Windows 10 as a usable personal certificate for signing

RSA 4096 bits - is not even offered as an option by PIV Manager v1.2.1 when generating certificate requests or self-signed certificates, even though RSA 4096 is supposedly supported by YubiKey 4...

Since YubiKey 4 supports RSA 4096 bits, can you please add it as an option for generating certificates in PIV Manager, or is RSA 4096 supported only with externally generated and imported certificates?


Also, for the operating system part... does anyone know why sha256ECDSA ECDSA_P256/ECDSA_P384 is not recognized in Windows for PIV certificates for signing?
Windows recognizes them properly when I export the certificates as .CRT files but won't show them when configured for PIV/smart card signing. Is there a KB fix or a TechNet article available from Microsoft for enabling this?

Setup info:
- Firmware version on my YubiKey 4s is v4.2.7, ordered on January 1st 2016 and delivered this week.

- PIV Manager version used is https://developers.yubico.com/yubikey-piv-manager/Releases/yubikey-piv-manager-1.2.1-win.exe
which has a digital signature timestamp of January 4th, 2016.
SHA-1 checksum of that file: 21976d4fda92209729a1409e35d0b665b3a10e4d
SHA-256: 490f749497bd424cb40fbe8ad8b14d7a2f44dcd89a793767f457bd51e32784e0

- OS version of my testing system: Windows 10 Professional x64 1511 with all updates applied

All times are UTC + 1 hour