Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:47 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Mon Apr 11, 2016 8:11 am 
Offline

Joined: Mon Apr 11, 2016 8:00 am
Posts: 3
Hello all!

Strange behavior on my Yubikey slot 9c certificate usage.

I exported my Windows Enterprise CA (Intermediate) personal certificate from certmgr.msc and imported it with Yubikey PIV Tool to slot 9c. Then deleted the certificate from certmgr.msc and verified I couldn't login to our VPN (requires certificate) or read entrypted (Outlook S/MIME) emails. Inserted the key and could (after entering pin) read the encrypted emails, connect to vpn etc. Then I removed it and every time I clicked on an encrypted mail it was asking for the card... as expected. All fine you'll say?

Now the strange part... next day, after a reboot (if that matters, not sure it does)... I click on an encrypted email and it opens up... without the card in the slot. I look in certmgr.msc... and sure as hell... certificate is back! I delete it... everything works back with the cert on the key as expected... but the certmgr.msc reports that it has the key I just deleted... but still asks for the "Card" when I click on encrypted stuff... like the private key is on the card but the cert is there... but the icon (and details of it) on certmgr... still mention that "You have a private key that corresponds to the Certificate" even when my Yubikey4 is out... Since it works though... I don't pay much attention to it....

Next day, another reboot later... I can read the encrypted emails without any problem... without Yubikey4 connected...

Please... assist... I think I'm going crazy here... why does the certificate reappear on certmgr.msc every time?

Andreas


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Apr 11, 2016 12:53 pm 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
You have to delete it with yubico-piv-tools action delete-certificate.
https://developers.yubico.com/yubico-piv-tool/


Top
 Profile  
Reply with quote  
PostPosted: Mon Apr 11, 2016 2:31 pm 
Offline

Joined: Mon Apr 11, 2016 8:00 am
Posts: 3
Tom2 wrote:
You have to delete it with yubico-piv-tools action delete-certificate.
https://developers.yubico.com/yubico-piv-tool/


Hm... thanks for the tip... but the whole issue is that it keeps re-appearing in certmgr.msc... after I delete it from it... like the OS takes the key+cert and installs it on the OS certmgr... instead of it just remaining on the Yubikey4... 9c slot.

A successful usage case would be: if Yubikey is not in slot, no-one can sign or read encrypted mails with the certificate on the slot...

What's happening is: After the 1st insertion of Yubikey + PIN unlock the certificate is stored on the local PC's certmgr... so after 1st use, the usb token isn't needed for a succesfull sign/read operation (tested it 2-3 times now... it's actually installed on the OS on first use).

Please advise!


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 14, 2016 1:28 pm 
Offline

Joined: Mon Apr 11, 2016 8:00 am
Posts: 3
Any takers on this?


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 21, 2016 10:11 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Tue Jan 05, 2016 5:03 pm
Posts: 27
unfortunately the behavior you are seeing is due to Microsoft Windows using cached credentials you can read more about this behavior at the following link.

https://technet.microsoft.com/en-us/lib ... 94565.aspx


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group