Yubico Forum

I have an issue to use NEO as smart card and I would like to get any advice how I can fix my issue.

First of all, I had configured NEO to communicate via CCID



Got X.509 certificate in PKCS12 format and import it to the key

yubico-piv-tool -s 9e -i dmitriy.pfx -K PKCS12 -p 123 -a set-chuid -a import-key -a import-cert

(also I had tried to use 9a slot)

OpenSC dump:
(pkcs15-tool.exe --dump > c:\temp\sc-dump.txt)

======================== DUMP ============================
PKCS#15 Card [PIV_II]:
Version : 0
Serial number : d4e739da739ced39ce739d836858210842108421384210c3f5
Manufacturer ID: piv_II
Flags :

PIN [PIV Card Holder pin]
Object Flags : [0x1], private
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 128 (0x80)
Type : ascii-numeric

PIN [PIV PUK]
Object Flags : [0x1], private
ID : 02
Flags : [0xF2], local, initialized, needs-padding, unblockingPin, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 129 (0x81)
Type : ascii-numeric

Private RSA Key [PIV AUTH key]
Object Flags : [0x1], private
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 154 (0x9A)
Native : yes
Auth ID : 01
ID : 01
MD:guid : 0x'36303939393939393939393939393031303130303030303030303030303030300000000000000000'
:cmap flags : 0x0
:sign : 0
:key-exchange: 0

Private RSA Key [CARD AUTH key]
Object Flags : [0x0]
Usage : [0xC], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 158 (0x9E)
Native : yes
ID : 04
MD:guid : 0x'36303939393939393939393939393034303130303030303030303030303030300000000000000000'
:cmap flags : 0x0
:sign : 0
:key-exchange: 0

Public RSA Key [PIV AUTH pubkey]
Object Flags : [0x0]
Usage : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags : [0x2], extract
ModLength : 2048
Key ref : 154 (0x9A)
Native : yes
Auth ID : 01
ID : 01
DirectValue : <absent>

Public RSA Key [CARD AUTH pubkey]
Object Flags : [0x0]
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x2], extract
ModLength : 2048
Key ref : 158 (0x9E)
Native : yes
Auth ID : 00
ID : 04
DirectValue : <absent>

X.509 Certificate [Certificate for PIV Authentication]
Object Flags : [0x0]
Authority : no
Path :
ID : 01
Encoded serial : 02 13 26000000C8AA0D933412804DC70001000000C8
X.509 Certificate [Certificate for Card Authentication]
Object Flags : [0x0]
Authority : no
Path :
ID : 04
Encoded serial : 02 13 26000000C8AA0D933412804DC70001000000C8
Data object 'Card Capability Container'
applicationName: Card Capability Container
applicationOID: 2.16.840.1.101.3.7.1.219.0
Path: db00
Data object 'Card Holder Unique Identifier'
applicationName: Card Holder Unique Identifier
applicationOID: 2.16.840.1.101.3.7.2.48.0
Path: 3000
Data (61 bytes): 533B3019D4E739DA739CED39CE739D836858210842108421384210C3F53401B2B736DF5AAA41FBB8F7A5F2FB2A020035
0832303330303130313E00FE00
Data object 'Unsigned Card Holder Unique Identifier'
applicationName: Unsigned Card Holder Unique Identifier
applicationOID: 2.16.840.1.101.3.7.2.48.2
Path: 3010
Data object 'X.509 Certificate for PIV Authentication'
applicationName: X.509 Certificate for PIV Authentication
applicationOID: 2.16.840.1.101.3.7.2.1.1
Path: 0101
Data (1615 bytes): 5382064B708206423082063E30820526A003020102021326000000C8AA0D933412804DC70001000000C8300D06092A86
4886F70D01010B0500305931133011060A0992268993F22C6401191603636F6D3121301F060A0992268993F22C640119
1611696E7465726E616C2D70726F6A65637473311F301D06035504031316496E7465726E616C2050726F6A6563747320
496E632E301E170D3134313033313038323033305A170D3135313033313038323033305A3081A631133011060A099226
8993F22C6401191603636F6D3121301F060A0992268993F22C6401191611696E7465726E616C2D70726F6A6563747331
143012060A0992268993F22C6401191604636F7270310E300C060355040313055573657273311830160603550403130F
446D697472697920536F73756E6F76312C302A06092A864886F70D010901161D646D697472697940696E7465726E616C
2D70726F6A656374732E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100C1B9
05F8CFD73CDEB6DFD0465D129F230866556D3E34604999EE77635F6D7CF699A26F35FE28E2C81A5C3C7223C32229D5F9
99A6C9F109063EAD742C24AC6C7C13102B2B346DCD98C5FF94D3393D2A2B281E1E34501E293A49BA65916ED0CD6AEFA6
1D5EFBA9458D3DB90AAED44075663A69C5BB38BEF6932FA7960326BD35109DA9B504D767F59A9426AC8F7FAA3D8F6939
F934668C5B7EE858770D1313E987CD20315DD63887CE1321A01866F67A9DE0BAB88D315DDDD17406292EE2410D30D904
0BA8977E0ADCA2BDD8DEAD41C19DFDEA66FDAA59FE66779F1E6EA352D156A8A1A12B27371EE27FCB83C8214432632C5A
4F0C7674DBA9190668C28E3128A90203010001A38202AF308202AB300E0603551D0F0101FF0404030205A0303E06092B
06010401823715070431302F06272B060104018237150884C0DD1F87FAB61482CD991786FFDE4281AA8F35816B87FFFB
2D8680AA5002016402010630819406092A864886F70D01090F048186308183300E06082A864886F70D03020202008030
0E06082A864886F70D030402020080300706052B0E030207300A06082A864886F70D0307300B06096086480165030401
2A300B060960864801650304012D300B0609608648016503040116300B0609608648016503040119300B060960864801
6503040102300B0609608648016503040105301D0603551D0E04160414155933315DD1DAC21365F2162A3DC9E8B29FB6
32301F0603551D23041830168014C7A64D6B5F8B374BAE0F1B296169AB92552429B330500603551D1F044930473045A0
43A041863F687474703A2F2F63726C2E696E7465726E616C2D70726F6A656374732E636F6D2F496E7465726E616C2532
3050726F6A65637473253230496E632E2E63726C306806082B06010505070101045C305A305806082B06010505073002
864C687474703A2F2F69702E696E7465726E616C2D70726F6A656374732E636F6D2F6365727469666963617465732F49
6E7465726E616C2D50726F6A656374735F417574686F726974792E63727430290603551D2504223020060A2B06010401
823714020206082B0601050507030206082B06010505070304303506092B060104018237150A04283026300C060A2B06
0104018237140202300A06082B06010505070302300A06082B0601050507030430640603551D11045D305BA03A060A2B
060104018237140203A02C0C2A646D69747269792E736F73756E6F7640636F72702E696E7465726E616C2D70726F6A65
6374732E636F6D811D646D697472697940696E7465726E616C2D70726F6A656374732E636F6D300D06092A864886F70D
01010B0500038201010024C6A0D37375794282C31378C40F5EC77189B1DE1ED31205C942C29914D4F48BF0B0492E0816
464F9DFE009DDA218CA5146DAF3CACE30C2417C676AFCD1D17744D2E255B39D7D48891127D0BAF9FCAF2A19106CBB784
602A23D123F92E78224E9D64D13A0435788F2D133F7D921193897F095E027FDF4AEA7569741C9D9FC3D5E63A022790D5
CC22863813ECB1DCDB5B7C601BD2570F226FFDD2D9D6EE2D570A5117E6AAB54BE678903217F2E3C1F1E5E10176964BD6
0B353CD4F5730577DC5B8D5033623CDF008BD7414A479BD9DDDACB5A1978F84C7716212EA4F54140EB177BE45EDBBD08
5AFC6C6532B9C36E8B760AF62B68DDB78C4F783F679B89A649F8710100FE00
Data object 'Cardholder Fingerprints'
applicationName: Cardholder Fingerprints
applicationOID: 2.16.840.1.101.3.7.2.96.16
Path: 6010
Auth ID: 01
Data object 'Printed Information'
applicationName: Printed Information
applicationOID: 2.16.840.1.101.3.7.2.48.1
Path: 3001
Auth ID: 01
Data object 'Cardholder Facial Image'
applicationName: Cardholder Facial Image
applicationOID: 2.16.840.1.101.3.7.2.96.48
Path: 6030
Auth ID: 01
Data object 'X.509 Certificate for Digital Signature'
applicationName: X.509 Certificate for Digital Signature
applicationOID: 2.16.840.1.101.3.7.2.1.0
Path: 0100
Data object 'X.509 Certificate for Key Management'
applicationName: X.509 Certificate for Key Management
applicationOID: 2.16.840.1.101.3.7.2.1.2
Path: 0102
Data object 'X.509 Certificate for Card Authentication'
applicationName: X.509 Certificate for Card Authentication
applicationOID: 2.16.840.1.101.3.7.2.5.0
Path: 0500
Data (1615 bytes): 5382064B708206423082063E30820526A003020102021326000000C8AA0D933412804DC70001000000C8300D06092A86
4886F70D01010B0500305931133011060A0992268993F22C6401191603636F6D3121301F060A0992268993F22C640119
1611696E7465726E616C2D70726F6A65637473311F301D06035504031316496E7465726E616C2050726F6A6563747320
496E632E301E170D3134313033313038323033305A170D3135313033313038323033305A3081A631133011060A099226
8993F22C6401191603636F6D3121301F060A0992268993F22C6401191611696E7465726E616C2D70726F6A6563747331
143012060A0992268993F22C6401191604636F7270310E300C060355040313055573657273311830160603550403130F
446D697472697920536F73756E6F76312C302A06092A864886F70D010901161D646D697472697940696E7465726E616C
2D70726F6A656374732E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100C1B9
05F8CFD73CDEB6DFD0465D129F230866556D3E34604999EE77635F6D7CF699A26F35FE28E2C81A5C3C7223C32229D5F9
99A6C9F109063EAD742C24AC6C7C13102B2B346DCD98C5FF94D3393D2A2B281E1E34501E293A49BA65916ED0CD6AEFA6
1D5EFBA9458D3DB90AAED44075663A69C5BB38BEF6932FA7960326BD35109DA9B504D767F59A9426AC8F7FAA3D8F6939
F934668C5B7EE858770D1313E987CD20315DD63887CE1321A01866F67A9DE0BAB88D315DDDD17406292EE2410D30D904
0BA8977E0ADCA2BDD8DEAD41C19DFDEA66FDAA59FE66779F1E6EA352D156A8A1A12B27371EE27FCB83C8214432632C5A
4F0C7674DBA9190668C28E3128A90203010001A38202AF308202AB300E0603551D0F0101FF0404030205A0303E06092B
06010401823715070431302F06272B060104018237150884C0DD1F87FAB61482CD991786FFDE4281AA8F35816B87FFFB
2D8680AA5002016402010630819406092A864886F70D01090F048186308183300E06082A864886F70D03020202008030
0E06082A864886F70D030402020080300706052B0E030207300A06082A864886F70D0307300B06096086480165030401
2A300B060960864801650304012D300B0609608648016503040116300B0609608648016503040119300B060960864801
6503040102300B0609608648016503040105301D0603551D0E04160414155933315DD1DAC21365F2162A3DC9E8B29FB6
32301F0603551D23041830168014C7A64D6B5F8B374BAE0F1B296169AB92552429B330500603551D1F044930473045A0
43A041863F687474703A2F2F63726C2E696E7465726E616C2D70726F6A656374732E636F6D2F496E7465726E616C2532
3050726F6A65637473253230496E632E2E63726C306806082B06010505070101045C305A305806082B06010505073002
864C687474703A2F2F69702E696E7465726E616C2D70726F6A656374732E636F6D2F6365727469666963617465732F49
6E7465726E616C2D50726F6A656374735F417574686F726974792E63727430290603551D2504223020060A2B06010401
823714020206082B0601050507030206082B06010505070304303506092B060104018237150A04283026300C060A2B06
0104018237140202300A06082B06010505070302300A06082B0601050507030430640603551D11045D305BA03A060A2B
060104018237140203A02C0C2A646D69747269792E736F73756E6F7640636F72702E696E7465726E616C2D70726F6A65
6374732E636F6D811D646D697472697940696E7465726E616C2D70726F6A656374732E636F6D300D06092A864886F70D
01010B0500038201010024C6A0D37375794282C31378C40F5EC77189B1DE1ED31205C942C29914D4F48BF0B0492E0816
464F9DFE009DDA218CA5146DAF3CACE30C2417C676AFCD1D17744D2E255B39D7D48891127D0BAF9FCAF2A19106CBB784
602A23D123F92E78224E9D64D13A0435788F2D133F7D921193897F095E027FDF4AEA7569741C9D9FC3D5E63A022790D5
CC22863813ECB1DCDB5B7C601BD2570F226FFDD2D9D6EE2D570A5117E6AAB54BE678903217F2E3C1F1E5E10176964BD6
0B353CD4F5730577DC5B8D5033623CDF008BD7414A479BD9DDDACB5A1978F84C7716212EA4F54140EB177BE45EDBBD08
5AFC6C6532B9C36E8B760AF62B68DDB78C4F783F679B89A649F8710100FE00
Data object 'Security Object'
applicationName: Security Object
applicationOID: 2.16.840.1.101.3.7.2.144.0
Path: 9000
Data object 'Discovery Object'
applicationName: Discovery Object
applicationOID: 2.16.840.1.101.3.7.2.96.80
Path: 6050
Data (20 bytes): 7E124F0BA0000003080000100001005F2F024000
Data object 'Cardholder Iris Image'
applicationName: Cardholder Iris Image
applicationOID: 2.16.840.1.101.3.7.2.16.21
Path: 1015

======================== END DUMP ============================


To check SC I used certutil
(certutil –scinfo > certutil.log)

========== CERTUTIL LOG ===============================
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico Yubikey NEO OTP+CCID 0
--- Reader: Yubico Yubikey NEO OTP+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: Identity Device (NIST SP 800-73 [PIV])
--- ATR:
3b fc 13 00 00 81 31 fe 15 59 75 62 69 6b 65 79 ;.....1..Yubikey
4e 45 4f 72 33 e1 NEOr3.


=======================================================
Analyzing card in reader: Yubico Yubikey NEO OTP+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico Yubikey NEO OTP+CCID 0
--- Card: Identity Device (NIST SP 800-73 [PIV])
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: Yubico Yubikey NEO OTP+CCID 0
Cannot open the AT_KEYEXCHANGE key for reader: Yubico Yubikey NEO OTP+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico Yubikey NEO OTP+CCID 0
--- Card: Identity Device (NIST SP 800-73 [PIV])
Provider = Microsoft Smart Card Key Storage Provider
Key Container = (null) [Default Container]

Cannot open the key for reader: Yubico Yubikey NEO OTP+CCID 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

certutils shows dialog and each click on cancel how in log as



Cannot open the AT_SIGNATURE key for reader: Yubico Yubikey NEO OTP+CCID 0
Cannot open the AT_KEYEXCHANGE key for reader: Yubico Yubikey NEO OTP+CCID 0

Please help me to use NEO as smart card in Windows.

Thanks,
Dmitriy

I am having the same exact issue. Please let me know if you discover a resolution.

Hello,
certs are signed by a ca trusted or by you machine

Are they self-signed?

_________________
-Tom

In my case, the cert has been signed by our corporate CA and is absolutely trusted by my machine, and all machines in the domain.

Confirm.
Certificate was signed by our enterprise CA.

1. https://corp.domain.com/certsrv/
2. Request certificate by using template Smartcard User or Smartcard Logon
3. Import certificate

It's default path what is useless because by default these templates restrict export certificate with private key.

At this point I had tried two different ways: create dublicate of "Smartcard User" template to allow export private keys and repeat the main flow but then export certificate and import to Yubikey NEO. This approach is fail.

Than, I tried to reset applet and create a key private key within the key:

1. Reset applet
2. Initialize private key
3. Create certificate request with any subject because CA will issue certificate according to selected template while the request is being processed.
4. Open WEB CA (https://corp.domain.com/certsrv/)
5. Send request and use any template "Smartcard User" or "Smartcard Logon"
6. Save respose as BASE64 encoded

this flow allow use any template because response is not saved in local certificate storage and our private key is inside the key.

7. Import response to the key

Unfortunately, this way is faulted.

I don't have any other ideas how YubiKey NEO can be used as a smartcard in Windows.

Hadn't noticed this thread before I posted mine.

Try using the Yubico PIV tool (the new one, version 0.1.1) to do a reset-chuid. You should find it starts to work at that point, if your issue was the same as mine.

lukegb, thank you! This resolved my issue.

Thanks. PivTool 0.1.2 resolved my issue.
And it works fine when I authenticate to VPN and Remote Desktop

There was a bug in CHUID handling in 0.1.0. I, too, found that once I carried out the reset-chuid operation with a later version of yubico-piv-tool that the PIV certificates started to work correctly in Windows.