Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:37 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Fri Feb 24, 2017 6:52 pm 
Offline

Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
Hi,
I just (re-)tried using Yubikeys with PIV applet in our company. We are also setting up a proper CA so this seemed appropriate.
Many of our staff use Macbooks, and so do I.
It seems like PIV card support in macOS has matured somewhat - for example it's now possible to unlock the keychain using the key in 9D slot.

However I hit a big problem with emails.

If I import a certificate in the 9A slot, then I can use that for signing emails, SSH, X509 auth and so on. This seems to work quite well.
The problems begin when i try encryption. Encrypting itself works just fine. But I can't decrypt anything when the key is in 9A slot.
The obvious solution would be to put the cert in both 9A and 9D - but then it just stops working in macOS (not sure if that's a bug or a feature, macOS says something like "0 valid slots found" or similiar)
If I _only_ put the cert in 9D then I can encrypt/decrypt, but can no longer sign.
I tried other combinations (9C+9D, 9A+9C, 9A+9C+9D) and nothing works. Some combinations seem to work but sending either a signed or encrypted email results in Mail.app just blackholing it - it seems to send but it never does, and it doesn't even ask for PIN.

AFAIK the "proper" solution is to use separate certificates for Authentication and signature (=9A) and Encryption (=9D). I generated two such certificates with separate Key Usage and Extended Key usages, put one in 9A and the other (for encryption) in 9D and it seems to work flawlessly, as expected.... almost.
The problem with that is: With a single certificate all someone needs to do is send a signed message, and the recipient can reply with an encrypted message - he now has the certificate of the recipient from the signature.
But with dual certificates there's no "easy" way to do this except exporting the other certificate and importing it manually.

What is the proper solution there? Do I have to deploy some sort of directory (LDAP) service? Seems a bit overkill.

Or is Apple to blame? Should putting the same cert with all key usages in two slots "just work"?

Thanks


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Apr 03, 2017 5:34 pm 
Offline

Joined: Mon Apr 03, 2017 4:53 pm
Posts: 5
zviratko wrote:
Hi,
Or is Apple to blame? Should putting the same cert with all key usages in two slots "just work"?


Isn't the an option to configure which certificate to use?

We put a certificate in 9a only and selected it for signing and encryption in the mailer configuration. (Outlook 2013 + Windows).


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot], Heise IT-Markt [Crawler] and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group