Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:15 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Sat May 20, 2017 4:13 pm 
Offline

Joined: Sat May 20, 2017 4:06 pm
Posts: 1
Hi all,

I've just got my Yubikey 4 and I'm experimenting with authenticating to Windows with a smart card in Active Directory.

One thing I have noticed, is that if I have a certificate in a slot (let's say 9a) and then delete the certificate/key, generate a new one and import a new certificate, Windows still sees the old certificate.

I've tried going into the Personal User Certificate Store on my Windows Account and removing all of the certificates there that are from the Yubikey, but when I re-insert it, the old ones get added again and the new ones are no-where to be found.

I get the same behaviour with Mac OSX, but if I run "rm -rf /var/db/TokenCache/tokens/*" and re-insert the Yubikey, it picks up all the new certificates.

So my question is, is there a similar way on Windows to clear the "cache" so that when I re-insert my Yubikey, it picks up the new certificates? At the moment I'm having to reset my Yubikey by entering an incorrect PIN and PUK enough times, otherwise it doesn't pick up new certs.

Cheers


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu May 25, 2017 5:11 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Windows caches the key container map and certificates in HKLM/Software/Microsoft/Cryptography/Calais[Cache]. There are essentially two different solutions that should work for you:

(1) Completely reset the the YubiKey using YubiKey PIV Manager, and then provision again. This will set a new CHUID, which is the reason why Windows currently sees the old certificate.

(2) Stop the "Smart Card" and "Certificate Propagation" services (if you have an inserted smart card, they will probably be running, and may be difficult to successfully stop), delete the cache value from the registry and reboot. This should work as well.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group