Yubico Forum
https://forum.yubico.com/

[Q?] How to use YK4 PIV certificates in Firefox, MacOS ElCapt
https://forum.yubico.com/viewtopic.php?f=35&t=2458

Author:  BjoKa [ Sun Oct 16, 2016 6:10 pm ]
Post subject:  [Q?] How to use YK4 PIV certificates in Firefox, MacOS ElCapt

Dear All,

(first post here, hope I got the right forum)

I have trouble making Firefox recognize certificates stored in the PIV applet of my YubiKey-4.
Neither Google nor looking through the topics in this forum provided a solution.


I have a YubiKey-4 (YK4), PIV applet version 4.3.1 (see below for further system details), and followed the examples found here: https://developers.yubico.com/yubico-piv-tool/ to load two PKCS12 certificates and keys into the four slots available on the YK4. The certificates are from StartSSL and were originally created in Firefox running on Ubuntu 16.04.

yubico-piv-tool -a status shows the certificates as expected.

The YubiKey correctly shows up in Mac OS X KeyChain as "PIV-...". All loaded certificates are visible and shown as "valid". I can display certificate details in KeyChain as expected, see attachment #2.

Problem (1) (possibly expected behaviour):
Firefox does not see the YubiKey as visible in KeyChain. It does not show up under security (or crypto) modules.
Judging from Mozilla's bug tracker, this may be expected behaviour.

Problem (2):
Using the libykcs11 (as installed from here: https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/) I can get Firefox to at least list the YubiKey as a crypto module. I can even log in to the key if (and only if) I insert the YK4 before I start Firefox (see attachment #1). However, no matter if logged in or not, none of the four certificates loaded into the PIV applet shows up in any of the certificate lists accessible in Firefox's certificate manager.

Question:
How can I (1) either make the certificates stored in the PIV applet of the YK4 visible, and usable for authentication purposes, in Firefox on Mac OS El Capitan, using libykcs11 (or any other pkcs11 library)?
Or (2) make Firefox recognize certificates stored on a YK4 through the MacOS KeyChain system?

System details:
OS: MacOS 10.11.6 "El Capitan" Note: Any suggestion to upgrade to MacOS Sierra will not be considered a solution. Sierra is not acceptable to me.
Firefox: 49.0.1
OpenSC: 0.16.0 (for MacOS El Capitan)
SmartCardService: 2.1.2 (for OSX 10.11)
yubico-piv-tool-1.4.2-mac
yubikey-piv-manager-1.4.0-mac

Any hint is much appreciated.

Attachments:
File comment: Firefox showing loaded yubikey crypto module
Firefox-crypto-modules.png
File comment: Screen shot: MacOS KeyChain with certificates on YubiKey-4
MacOSX-KeyChain-YubicoPIV.jpg

Author:  LIV2 [ Sat Jan 21, 2017 7:29 am ]
Post subject:  Re: [Q?] How to use YK4 PIV certificates in Firefox, MacOS El

Old post I know, but to get this working on Firefox I had to install OpenSC and use their module in Firefox:
https://github.com/OpenSC/OpenSC/wiki/I ... ep-by-Step

All times are UTC + 1 hour