Yubico Forum

I imported two certificates to my new YubiKey Neo, and wanted to use Neo instead of a password to unlock my BitLocker protected HDD. After setting this up, I realized that BitLocker didn't ask me which certificate it should use. I though that it was probably smart enough to select the correct certificate based on enhanced key usage attribute, but I wanted to make sure.

So, I deleted the first certificate (not meant to be used by BitLocker), and successfully unlocked the HDD. Then, I unplugged the HDD and deleted the second certificate. To my surprise, windows still offered me to unlock the HDD using the smart card. I entered the PIN and the HDD became unlocked. I checked again, but YubiKey was reporting that all slots were empty. I deleted the certificates from windows user certificate store (the certificates are automatically imported by windows on smart card insertion), and tried restarting the PC in case there's some caching going on. After restarting and plugging in the YubiKey, both certificates showed up in windows again, and I was still able to use the YubiKey to unlock my HDD.

After some testing, I found out that I can't use the deleted certificates after importing a new certificate to any of the four slots, but unless this happens, it looks like the certificates are still there. Can anyone shed some light on this?

Based on what you are describing, I'm guessing that removing the certificate fails to clear out the associated private key, but I'll wait for a Yubico employee to confirm.

Tip: You should add "[QUESTION]" to the start of your topic title, to let Yubico support know that your post has a explicit question for them.

Thanks!

I saw something that could be similiar but couldn't replicate it afterwards.

Basically when I tried using NEO with PIV for the first time when I got it, I did a lot of importing certificates, testing different middlewares etc.
What I did was change the pin, change the token management key, import certificates, try using them (different certs in different slots...)
Then I blocked the PINs and reset the applet and redid it all in a different combination.

At one point, I had the NEO clearly erased with the default PINs and after importing one certificate into a slot the previous contents showed up in the other slots and I could actually use those certs/keys to sign. I was like "WHAT THE...?!".
I can understand how it can happen (basically a software bug in the applet) and it could be pretty catastrophic security-wise, so I of course tried replicating it - but couldn't. I've written it off as me being careless and tired so maybe I was the one who made an error, but what you're describing reminds me of what I've seen...