Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:50 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Mon Jan 23, 2017 4:23 pm 
Offline

Joined: Mon Jan 23, 2017 3:43 pm
Posts: 2
I wonder, has anyone here ever tried to use a YubiKey 4 in PIV mode to store the root CA key for Windows Active Directory Certificate Services, and if so could I find the procedure documented somewhere? the "Configuring a CA for Smart Card Authentication" section of YubiKey PIV Deployment Guide says nothing about what cryptographic provider to use, all the documentation I have seen so far seems to assume only keys other than the root CA to be generated in YubiKeys, and when I simply tried to choose either the standard Windows SmartCard Store cryptographic provider or the OpenSC CSP Windows informed me the card was read-only.

Thank you in advance for any suggestions!


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Feb 08, 2017 4:16 pm 
Offline

Joined: Fri Mar 20, 2015 4:35 pm
Posts: 4
Marecki wrote:
I wonder, has anyone here ever tried to use a YubiKey 4 in PIV mode to store the root CA key for Windows Active Directory Certificate Services, and if so could I find the procedure documented somewhere? the "Configuring a CA for Smart Card Authentication" section of YubiKey PIV Deployment Guide says nothing about what cryptographic provider to use, all the documentation I have seen so far seems to assume only keys other than the root CA to be generated in YubiKeys, and when I simply tried to choose either the standard Windows SmartCard Store cryptographic provider or the OpenSC CSP Windows informed me the card was read-only.

Thank you in advance for any suggestions!


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Why not import the pem/pfx to the Yubikey using piv-tool or the Yubikey PIV Manager?
For some reason the yubikey PIV applet reports as read only, and neither the Microsoft or opensc stacks can write to PIV slots, so certificates have to be imported/generated using Yubikey's own set of tools.

It would be good to know why Yubikey won't let applications overwrite its PIV slots when other competitors (such as PIVkey) would, using non standard APIs can be rather cumbersome.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJYmzYmAAoJEKa4nBz3AlIIYb8IAJqFIt6NENmOLfg3rkd3zNQZ
/NUJDVq0/ChiRXwpt//jkb4F0AVL2nQJFEOu5JFVRXyRE/W7u6SHcmw797fT3/OK
zDsuO68fioUKgpoQiL0op2OyeG/5TxcWDpAQYoEFSFOR2NxUMF3aUyIE53BbDcRK
oljhmSBl5gEqtdvEwGQYMfDwkXe2e7+q2pFkAjDJqm97kRW5cWQAbaKVCE950N1K
BcyHxdzsb8dzNBAujUkc/dTccC+x+gEPe2Ku/iGBoFRB8v2k6ARc1XEAy20HPpNJ
Fj8hHbGshAwNUZ1moyKet85JW+nU5TNhxIK+D4aQdFqoAdCyAvpJwiWxI/n1K24=
=84bS
-----END PGP SIGNATURE-----

_________________
---
PGP Fingerprint: DF46 8C79 5D1A 76FF 75B2 C345 4679 EDEF 1B5B B192

Public Key:
https://keybase.io/mathieulh/pgp_keys.asc?fingerprint=df468c795d1a76ff75b2c3454679edef1b5bb192

Proof: https://keybase.io/mathieulh


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group