Yubico Forum https://forum.yubico.com/
[Question] Neo Smartcard Cert & Windows CA with Enroll Agent https://forum.yubico.com/viewtopic.php?f=26&t=1780
Author: goldfinger [ Tue Mar 10, 2015 9:12 am ]
Post subject: [Question] Neo Smartcard Cert & Windows CA with Enroll Agent
We currently try Neo in a Proof of Concept project. The aim is that the domain user can use the Neo to login on Windows 7 workstations together with Windows 2012 AD Enterprise CA. Unfortunately we can't get it to work with an enroll agent and we want to hear how others solved this problem. Is there a way to get Neo as a smartcard running in a Windows CA world?

https://developers.yubico.com/yubico-piv-tool/Windows_certificate.html

We think that we need a smartcard and not a user template like the example above. It seems to be a Microsoft problem in combination with the Neo tools.

Setup

Our Neos have the firmware version 3.3.6, Set Mode to CCID + OTP Mode-82.
We used the Smartcard Template "SmartCard Logon" with:
Purpose: Signature and Smartcard Logon
Number of authorized signatures: 1
Application Policy --> Certificate Request Agent

A certificate for enrollment user-agent is created. Enroll of this certificate type on behalf of other users is working!

Steps:

Code:
yubico-piv-tool -s 9a -a generate -o public.pem
Successfully generated a new private key.

Rem Like certreq -new inf.txt inf.req with Pin Prompt Support
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate -S "/CN=bob/CN=Users/DC=mic/DC=workshop/DC=zz/" -i public.pem -o request.csr
Successfully verified PIN.
Successfully generated a certificate request.

The next step, signing with the enrollment signature, fails. Normally a prompt for the Enrollment Agent in the Cert Store appears.

Code:
certreq -sign request.csr request2.csr
Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)
request.csr

Since openssl doesn't support the other format CMC we can't test it.

Code:
Rem Request to Windows CA
certreq -submit -attrib "CertificateTemplate:SmartcardLogon2" request.csr cert.crt

Without signing the certificate we got an error as expected because of the missing authority signature from the enrollment agent.

Code:
Certificate not issued (Denied) Denied by Policy Module
The request is missing required signature policy information. 0x80094809 (-2146875383)
Certificate Request Processor: The request is missing required signature policy information. 0x80094809 (-2146875383)
Denied by Policy Module
Author: Tom2 [ Tue Mar 10, 2015 2:33 pm ]
Post subject: Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A
Code:
certreq -submit -attrib "CertificateTemplate:SmartCard Logon" request.csr cert.crt

SmartCard Logon templates need to be properly configured, e.g. key size 2048. Did this help?
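A pre-submission check of the PKCS#10 request, as an added example (not code from the thread or from Yubico's tools): it builds a request with the subject used in the first post and a constructed software key standing in for the NEO's slot 9a key, then reports what a Smart Card Logon template will look at before the enrollment-agent signature is even considered, namely that the file parses as PKCS#10, the self-signature verifies and the RSA key is at least 2048 bits. It assumes the `cryptography` package is installed.

```python
# Added example, not from the forum thread or Yubico's tools.
# Pre-flight check for a PKCS#10 request before handing it to certreq
# (-sign by the enrollment agent, then -submit). The key below is a
# constructed software key standing in for the NEO's slot 9a key; on the
# enrollment station the PEM would come from
#   yubico-piv-tool -a request-certificate ... -o request.csr
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Subject used in the thread: /CN=bob/CN=Users/DC=mic/DC=workshop/DC=zz/
SUBJECT = x509.Name([
    x509.NameAttribute(NameOID.COMMON_NAME, "bob"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Users"),
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "mic"),
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "workshop"),
    x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "zz"),
])


def make_csr_pem(key_bits: int = 2048) -> bytes:
    """Build a PKCS#10 request (RFC 2986) signed with a constructed RSA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    csr = x509.CertificateSigningRequestBuilder().subject_name(SUBJECT).sign(
        key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def check_csr(pem: bytes, min_bits: int = 2048) -> dict:
    """Report the template-relevant properties of a request before it goes to certreq."""
    try:
        csr = x509.load_pem_x509_csr(pem)
    except ValueError:
        # Not a PEM PKCS#10 (e.g. a CMC or DER blob): nothing more to check here.
        return {"is_pkcs10": False}
    pub = csr.public_key()
    is_rsa = isinstance(pub, rsa.RSAPublicKey)
    bits = pub.key_size if is_rsa else 0
    return {
        "is_pkcs10": True,
        "signature_ok": csr.is_signature_valid,  # proof of possession of the key
        "rsa": is_rsa,
        "key_bits": bits,
        "key_size_ok": bits >= min_bits,         # template minimum raised in the thread
        "subject": csr.subject.rfc4514_string(),
    }


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, check_csr(make_csr_pem(bits)))
```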
Author: goldfinger [ Wed Mar 11, 2015 3:33 pm ]
Post subject: Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A
No, it's a problem of Microsoft's certreq tool. Creating a certificate request in CMC format can be signed with the enrollment agent. But openssl doesn't support this format.

Aim is to have a smartcard enrollment station. An administrator can act on behalf of a user to request and install a Smart Card Logon certificate on the user's smart card. Is there any commercial minidriver for Neo available?
Author: Tom2 [ Thu Mar 12, 2015 4:20 pm ]
Post subject: Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A
Goldfinger, I am no expert so forgive me if my next advice makes no sense. But shouldn't you be able to submit a PKCS10 request (https://tools.ietf.org/html/rfc2986) and specify on the certificate template the group and the certificate manager approval?
Author: goldfinger [ Thu Mar 19, 2015 11:19 am ]
Post subject: Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A
For enrollment on behalf of other users we need a pkcs10 and signer certificate, see the picture above. Some links for Windows environments:

Enrollment
http://secadmins.com/index.php/enroll-for-a-smart-card-certificate-on-behalf-of-other-users/

Powershell Code
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0%2Dbfed%2D4143%2D9eea%2Df521167d287c&ID=77
Author: goldfinger [ Thu Mar 19, 2015 11:30 am ]
Post subject: Re: [Question] Neo Smartcard Cert & Windows CA with Enroll A
I can't get the opensc Windows minidriver to work together with YubiKey Neo. But I can't create the private key on Neo or transfer the public certificate. Did someone have success?

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV])]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="msclmd.dll"