Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 1:49 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 11 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Tue Sep 15, 2015 6:28 am 
Offline

Joined: Tue Sep 15, 2015 6:09 am
Posts: 2
I've got a new NEO which i want to use as a smartcard for Bitlocker on windows 7 64bit. Following a Microsoft guide on certificate creation using certreq.exe i've tried to create a certificate with the following parameter file:

[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

From here: https://technet.microsoft.com/en-us/library/dd875530(v=ws.10).aspx#BKMK_sscert

But when i do that, it prompts me to insert a smartcard, even though the NEO is plugged in, and the PIV manager can see it.
CCID is enabled on the NEO, Windows control panel shows the smart card reader installed as a "Microsoft Usbccid Smartcard Reader (WUDF)", and shows the smart card installed as an "identity Device (NIST SP 800-73 [PIV])", both of which as far as i can tell from reading documentation are correct.

Attachment:
card.jpg
card.jpg [ 45 KiB | Viewed 5991 times ]


But i get a prompt saying: "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate". This box shows the NEO as the reader and the correct identity device.

Am i missing something?


If i instead use the Yubikey PIV manager (1.0.2), click certificates, and click generate new key. Select a 2048bit self signed certificate, enter PIN and management key, it generates a new key in slot 91, and loads a self signed certificate. But if I then go to a bitlocker protected volume and try to use the smartcard, it says a certificate suitable for Bitlocker cannot be found on my smartcard.

Ive been through various guides, but cant find a solution.

Am i missing something?

Thanks.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Sep 15, 2015 7:30 am 
Offline

Joined: Tue Sep 15, 2015 6:09 am
Posts: 2
After finding a guide on certificate creation for smartcards on a rival products website, and doing some experimentation, i discovered that I needed to add the following registry key to enable self-signed certificates:

HKLM\Software\Policies\Microsoft\FVE

And then added a new DWORD called “SelfSignedCertificates”, with a value of 1 to it.

Then, worked out I had to omit the following line from the request:

ProviderName = "Microsoft Smart Card Key Storage Provider"

By removing that line, when running "certreq -new certrequest.txt" at a command prompt, as well as signing the certificate, it allows it to be saved as a file instead of directly to the card. Then by accessing the MMC -> certificates snap in I can export the certificate as a .pfx, and import the certificate onto the NEO using the PIV manager.


Top
 Profile  
Reply with quote  
PostPosted: Fri Apr 29, 2016 5:30 am 
Offline

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10?


Top
 Profile  
Reply with quote  
PostPosted: Tue May 03, 2016 11:43 pm 
Offline

Joined: Tue May 03, 2016 11:09 pm
Posts: 6
genealogyxie wrote:
The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10?



You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker.


Top
 Profile  
Reply with quote  
PostPosted: Fri May 06, 2016 7:37 am 
Offline

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
T4cC0re wrote:


You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker.



What are the exact steps in doing that? I tried getting a certificate from them (using the generated by myself option as the other option gave me an error) and it didn't work. Am I missing something?


Top
 Profile  
Reply with quote  
PostPosted: Tue Aug 16, 2016 1:41 am 
Offline

Joined: Mon Aug 15, 2016 5:37 am
Posts: 5
I got a free S/MIME cert from Comodo, and it was all of ten minutes until I had encrypted mail set up on my macbook.

https://www.comodo.com/home/email-secur ... ficate.php

I'm still trying to figure out how to import it onto my Neo, though.

Any instructions for that?


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 19, 2016 6:52 am 
Offline

Joined: Wed Aug 03, 2016 1:26 pm
Posts: 5
Hi,
Quote:
You could try getting a free S/MIME cert from StartSSL

those StartSSL S/MIME certificates didn't work for Bitlocker for me. But you can indeed use self-signed certificates for Windows 10 by adding this DWORD "SelfSignedCertificates" to HKLM\Software\Policies\Microsoft\FVE. The value is originally not there, so simply add it, restart the PC and it should work. You can also use the PIV Manager GUI to create a certificate, it's easier than certreq.exe etc.

Cheers,
Gerhard


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 19, 2016 6:57 am 
Offline

Joined: Wed Aug 03, 2016 1:26 pm
Posts: 5
Hi again,
Quote:
I'm still trying to figure out how to import it onto my Neo, though.

I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO.

Regards,
Gerhard


Top
 Profile  
Reply with quote  
PostPosted: Sun Aug 21, 2016 4:35 am 
Offline

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
Since you seem to be using NEO in PIV mode, you need to fully initialize the token.
Code:
yubico-piv-tool
has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something like
Code:
yubico-piv-tool -a set-chuid -a set-ccc


Please post here it that helped.


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 19, 2016 3:24 am 
Offline

Joined: Mon Aug 15, 2016 5:37 am
Posts: 5
TheRealSnafu wrote:
Hi again,
Quote:
I'm still trying to figure out how to import it onto my Neo, though.

I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO.

Regards,
Gerhard
So much easier with the GUI utility! Thank you.

mouse008 wrote:
Since you seem to be using NEO in PIV mode, you need to fully initialize the token.
Code:
yubico-piv-tool
has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something like
Code:
yubico-piv-tool -a set-chuid -a set-ccc


Please post here it that helped.
I'm disappointed that this isn't in the GUI PIV tool. Also, I'm not sure how to get the CLI tool to run. I'll fiddle with it, but if you have advice, I'd appreciate it.

Is there any software I'll need - Centrify Express or something like it - to pass the certificate on the Yubikey to Apple Mail?

Edit: When I go to the directory, and type in "yubico-piv-tool" I get the following:
Code:
computer:bin user$ yubico-piv-tool
-bash: yubico-piv-tool: command not found


When I drag the executable directly to the terminal window, I get this:
Code:
computer:bin user$ /Users/user\ 1/Downloads/yubico-piv-tool-1.4.2-mac/bin/yubico-piv-tool -s 9c -a set-chuid
Failed authentication with the application.


I've found it - from the PDF:
Quote:
Failed authentication with the application
This error message occurs when authentication with the management key fails. If you previously reset the management key, be sure you provide the new management key with the -k switch in every command line where YubiKey authentication is required.
This error also occurs if the PIN is required and is typed incorrectly.
For example:
yubico-piv-tool -a change-pin -P 123456 -N $pin -k
010203040506070801020304050607080102031234597899
where 010203040506070801020304050607080102031234597899 is the new management key.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 6 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group