Yubico Forum


All times are UTC + 1 hour




Posted: Sun Oct 16, 2016 6:10 pm
Dear All,

(first post here, hope I got the right forum)

I have trouble making Firefox recognize certificates stored in the PIV applet of my YubiKey-4.
Neither Google nor looking through the topics in this forum provided a solution.


I have a YubiKey-4 (YK4), PIV applet version 4.3.1 (see below for further system details), and followed the examples found here: https://developers.yubico.com/yubico-piv-tool/ to load two PKCS12 certificates and keys into the four slots available on the YK4. The certificates are from StartSSL and were originally created in Firefox running on Ubuntu 16.04.

yubico-piv-tool -a status shows the certificates as expected.

The YubiKey correctly shows up in Mac OS X KeyChain as "PIV-...". All loaded certificates are visible and shown as "valid". I can display certificate details in KeyChain as expected, see attachment #2.

Problem (1) (possibly expected behaviour):
Firefox does not see the YubiKey as visible in KeyChain. It does not show up under security (or crypto) modules.
Judging from Mozilla's bug tracker, this may be expected behaviour.

Problem (2):
Using the libykcs11 (as installed from here: https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/) I can get Firefox to at least list the YubiKey as a crypto module. I can even log in to the key if (and only if) I insert the YK4 before I start Firefox (see attachment #1). However, no matter if logged in or not, none of the four certificates loaded into the PIV applet shows up in any of the certificate lists accessible in Firefox's certificate manager.

Question:
How can I (1) either make the certificates stored in the PIV applet of the YK4 visible, and usable for authentication purposes, in Firefox on Mac OS El Capitan, using libykcs11 (or any other pkcs11 library)?
Or (2) make Firefox recognize certificates stored on a YK4 through the MacOS KeyChain system?

System details:
OS: MacOS 10.11.6 "El Capitan" Note: Any suggestion to upgrade to MacOS Sierra will not be considered a solution. Sierra is not acceptable to me.
Firefox: 49.0.1
OpenSC: 0.16.0 (for MacOS El Capitan)
SmartCardService: 2.1.2 (for OSX 10.11)
yubico-piv-tool-1.4.2-mac
yubikey-piv-manager-1.4.0-mac

Any hint is much appreciated.


Attachments:
File comment: Firefox showing loaded yubikey crypto module
Firefox-crypto-modules.png
File comment: Screen shot: MacOS KeyChain with certificates on YubiKey-4
MacOSX-KeyChain-YubicoPIV.jpg

Posted: Sat Jan 21, 2017 7:29 am
Old post, I know, but to get this working on Firefox I had to install OpenSC and use their module in Firefox:
https://github.com/OpenSC/OpenSC/wiki/I ... ep-by-Step

