Yubico Forum
https://forum.yubico.com/

PIV card slots and macOS - unable to both sign and decrypt
https://forum.yubico.com/viewtopic.php?f=26&t=2579
Page 1 of 1

Author:  zviratko [ Fri Feb 24, 2017 6:52 pm ]
Post subject:  PIV card slots and macOS - unable to both sign and decrypt

Hi,
I just (re-)tried using Yubikeys with PIV applet in our company. We are also setting up a proper CA so this seemed appropriate.
Many of our staff use Macbooks, and so do I.
It seems like PIV card support in macOS has matured somewhat - for example it's now possible to unlock the keychain using the key in 9D slot.

However I hit a big problem with emails.

If I import a certificate in the 9A slot, then I can use that for signing emails, SSH, X509 auth and so on. This seems to work quite well.
The problems begin when I try encryption. Encrypting itself works just fine. But I can't decrypt anything when the key is in 9A slot.
The obvious solution would be to put the cert in both 9A and 9D - but then it just stops working in macOS (not sure if that's a bug or a feature, macOS says something like "0 valid slots found" or similar).
If I _only_ put the cert in 9D then I can encrypt/decrypt, but can no longer sign.
I tried other combinations (9C+9D, 9A+9C, 9A+9C+9D) and nothing works. Some combinations seem to work but sending either a signed or encrypted email results in Mail.app just blackholing it - it seems to send but it never does, and it doesn't even ask for PIN.

AFAIK the "proper" solution is to use separate certificates for Authentication and signature (=9A) and Encryption (=9D). I generated two such certificates with separate Key Usage and Extended Key usages, put one in 9A and the other (for encryption) in 9D and it seems to work flawlessly, as expected... almost.
The problem with that is: With a single certificate all someone needs to do is send a signed message, and the recipient can reply with an encrypted message - he now has the certificate of the recipient from the signature.
But with dual certificates there's no "easy" way to do this except exporting the other certificate and importing it manually.

What is the proper solution there? Do I have to deploy some sort of directory (LDAP) service? Seems a bit overkill.

Or is Apple to blame? Should putting the same cert with all key usages in two slots "just work"?

Thanks
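
Added example (not code from the thread or from Yubico): it reproduces the split the poster describes, a signing/authentication certificate and a separate encryption certificate with distinct Key Usage and Extended Key Usage, decides which PIV slot each belongs in from its KeyUsage, and then checks the certificate-discovery problem raised above: which certificates a recipient actually gets out of a signed message. A CMS/S-MIME SignedData can carry extra certificates next to the signer's, so a mail agent can ship the encryption certificate inside a signed message; whether a given client (Mail.app included) uses a certificate delivered that way is not something this thread establishes. The script assumes the `cryptography` package; the names, addresses and self-signed certificates are constructed for the demo, and `piv_slot_for` mirrors the poster's layout (signing in 9A, encryption in 9D).

```python
"""Added example: split S/MIME certificates by key usage, map them to PIV slots,
and see which certificates travel inside a signed message.
Assumes the `cryptography` package. All names and certificates are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SIGN_USAGE = x509.KeyUsage(  # digitalSignature + nonRepudiation (contentCommitment)
    digital_signature=True, content_commitment=True, key_encipherment=False,
    data_encipherment=False, key_agreement=False, key_cert_sign=False,
    crl_sign=False, encipher_only=False, decipher_only=False)
ENC_USAGE = x509.KeyUsage(  # keyEncipherment only: RSA key transport for S/MIME
    digital_signature=False, content_commitment=False, key_encipherment=True,
    data_encipherment=False, key_agreement=False, key_cert_sign=False,
    crl_sign=False, encipher_only=False, decipher_only=False)
COMBINED_USAGE = x509.KeyUsage(  # the single "do everything" cert from the first post
    digital_signature=True, content_commitment=True, key_encipherment=True,
    data_encipherment=False, key_agreement=False, key_cert_sign=False,
    crl_sign=False, encipher_only=False, decipher_only=False)


def make_cert(common_name, email, key_usage, ekus):
    """Self-signed certificate (a real deployment would have the CA sign it)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .add_extension(key_usage, critical=True)
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def piv_slot_for(cert):
    """Pick the PIV slot from KeyUsage: 9D for key management (decryption),
    9A for signing/authentication as in the poster's working setup.
    A cert claiming both usages is reported as 'split', i.e. issue two certs."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    wants_9d = ku.key_encipherment or ku.key_agreement
    wants_9a = ku.digital_signature or ku.content_commitment
    if wants_9a and wants_9d:
        return "split"
    return "9D" if wants_9d else "9A"


def certs_in_signed_message(signer_key, signer_cert, extra_certs, payload=b"constructed body"):
    """Build a CMS SignedData over the payload and return the serial numbers of
    every certificate a recipient can pull out of it."""
    builder = (pkcs7.PKCS7SignatureBuilder()
               .set_data(payload)
               .add_signer(signer_cert, signer_key, hashes.SHA256()))
    for extra in extra_certs:  # e.g. the encryption certificate
        builder = builder.add_certificate(extra)
    signed = builder.sign(serialization.Encoding.DER, [])
    return {c.serial_number for c in pkcs7.load_der_pkcs7_certificates(signed)}


def demo():
    email = "alice@example.test"  # constructed address
    sign_key, sign_cert = make_cert("Alice (sign)", email, SIGN_USAGE,
                                    [ExtendedKeyUsageOID.CLIENT_AUTH,
                                     ExtendedKeyUsageOID.EMAIL_PROTECTION])
    _enc_key, enc_cert = make_cert("Alice (encrypt)", email, ENC_USAGE,
                                   [ExtendedKeyUsageOID.EMAIL_PROTECTION])
    _all_key, all_cert = make_cert("Alice (everything)", email, COMBINED_USAGE,
                                   [ExtendedKeyUsageOID.CLIENT_AUTH,
                                    ExtendedKeyUsageOID.EMAIL_PROTECTION])
    plain = certs_in_signed_message(sign_key, sign_cert, [])
    bundled = certs_in_signed_message(sign_key, sign_cert, [enc_cert])
    return {
        "sign_slot": piv_slot_for(sign_cert),          # "9A"
        "enc_slot": piv_slot_for(enc_cert),            # "9D"
        "combined_slot": piv_slot_for(all_cert),       # "split"
        "signer_cert_delivered": sign_cert.serial_number in plain,      # True
        "enc_cert_delivered_plain": enc_cert.serial_number in plain,    # False
        "enc_cert_delivered_bundled": enc_cert.serial_number in bundled,  # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as is; the last two results are the whole problem from the first post in one place: a signed message made with only the signing certificate gives the recipient nothing to encrypt to, while the same message with the encryption certificate added to the SignedData certificate set does. On the key-usage side, `piv_slot_for` reporting "split" for the combined certificate is the case where the poster tried to load one certificate into both 9A and 9D.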

Author:  Chris77 [ Mon Apr 03, 2017 5:34 pm ]
Post subject:  Re: PIV card slots and macOS - unable to both sign and decry

zviratko wrote:
Hi,
Or is Apple to blame? Should putting the same cert with all key usages in two slots "just work"?


Isn't there an option to configure which certificate to use?

We put a certificate in 9a only and selected it for signing and encryption in the mailer configuration. (Outlook 2013 + Windows).

All times are UTC + 1 hour