Yubico Forum https://forum.yubico.com/ |
|
[Question] Smartcard certificate creation https://forum.yubico.com/viewtopic.php?f=26&t=2031 |
Page 1 of 2 |
Author: | Kingbob [ Tue Sep 15, 2015 6:28 am ] |
Post subject: | [Question] Smartcard certificate creation |
I've got a new NEO which i want to use as a smartcard for Bitlocker on windows 7 64bit. Following a Microsoft guide on certificate creation using certreq.exe i've tried to create a certificate with the following parameter file: [NewRequest] Subject = "CN=BitLocker" KeyLength = 2048 ProviderName = "Microsoft Smart Card Key Storage Provider" KeySpec = "AT_KEYEXCHANGE" KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE" KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG" RequestType = Cert SMIME = FALSE [EnhancedKeyUsageExtension] OID=1.3.6.1.4.1.311.67.1.1 From here: https://technet.microsoft.com/en-us/library/dd875530(v=ws.10).aspx#BKMK_sscert But when i do that, it prompts me to insert a smartcard, even though the NEO is plugged in, and the PIV manager can see it. CCID is enabled on the NEO, Windows control panel shows the smart card reader installed as a "Microsoft Usbccid Smartcard Reader (WUDF)", and shows the smart card installed as an "identity Device (NIST SP 800-73 [PIV])", both of which as far as i can tell from reading documentation are correct. Attachment: card.jpg [ 45 KiB | Viewed 5981 times ] But i get a prompt saying: "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate". This box shows the NEO as the reader and the correct identity device. Am i missing something? If i instead use the Yubikey PIV manager (1.0.2), click certificates, and click generate new key. Select a 2048bit self signed certificate, enter PIN and management key, it generates a new key in slot 91, and loads a self signed certificate. But if I then go to a bitlocker protected volume and try to use the smartcard, it says a certificate suitable for Bitlocker cannot be found on my smartcard. Ive been through various guides, but cant find a solution. Am i missing something? Thanks. |
Author: | Kingbob [ Tue Sep 15, 2015 7:30 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
After finding a guide on certificate creation for smartcards on a rival products website, and doing some experimentation, i discovered that I needed to add the following registry key to enable self-signed certificates: HKLM\Software\Policies\Microsoft\FVE And then added a new DWORD called “SelfSignedCertificates”, with a value of 1 to it. Then, worked out I had to omit the following line from the request: ProviderName = "Microsoft Smart Card Key Storage Provider" By removing that line, when running "certreq -new certrequest.txt" at a command prompt, as well as signing the certificate, it allows it to be saved as a file instead of directly to the card. Then by accessing the MMC -> certificates snap in I can export the certificate as a .pfx, and import the certificate onto the NEO using the PIV manager. |
Author: | genealogyxie [ Fri Apr 29, 2016 5:30 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10? |
Author: | T4cC0re [ Tue May 03, 2016 11:43 pm ] |
Post subject: | Re: [Question] Smartcard certificate creation |
genealogyxie wrote: The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10? You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker. |
Author: | genealogyxie [ Fri May 06, 2016 7:37 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
T4cC0re wrote: You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker. What are the exact steps in doing that? I tried getting a certificate from them (using the generated by myself option as the other option gave me an error) and it didn't work. Am I missing something? |
Author: | Chrontius [ Tue Aug 16, 2016 1:41 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
I got a free S/MIME cert from Comodo, and it was all of ten minutes until I had encrypted mail set up on my macbook. https://www.comodo.com/home/email-secur ... ficate.php I'm still trying to figure out how to import it onto my Neo, though. Any instructions for that? |
Author: | TheRealSnafu [ Fri Aug 19, 2016 6:52 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
Hi, Quote: You could try getting a free S/MIME cert from StartSSL those StartSSL S/MIME certificates didn't work for Bitlocker for me. But you can indeed use self-signed certificates for Windows 10 by adding this DWORD "SelfSignedCertificates" to HKLM\Software\Policies\Microsoft\FVE. The value is originally not there, so simply add it, restart the PC and it should work. You can also use the PIV Manager GUI to create a certificate, it's easier than certreq.exe etc. Cheers, Gerhard |
Author: | TheRealSnafu [ Fri Aug 19, 2016 6:57 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
Hi again, Quote: I'm still trying to figure out how to import it onto my Neo, though. I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO. Regards, Gerhard |
Author: | mouse008 [ Sun Aug 21, 2016 4:35 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
Since you seem to be using NEO in PIV mode, you need to fully initialize the token. Code: yubico-piv-tool has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something likeCode: yubico-piv-tool -a set-chuid -a set-ccc Please post here it that helped. |
Author: | Chrontius [ Wed Oct 19, 2016 3:24 am ] |
Post subject: | Re: [Question] Smartcard certificate creation |
TheRealSnafu wrote: Hi again, So much easier with the GUI utility! Thank you.Quote: I'm still trying to figure out how to import it onto my Neo, though. I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO. Regards, Gerhard mouse008 wrote: Since you seem to be using NEO in PIV mode, you need to fully initialize the token. I'm disappointed that this isn't in the GUI PIV tool. Also, I'm not sure how to get the CLI tool to run. I'll fiddle with it, but if you have advice, I'd appreciate it.Code: yubico-piv-tool has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something likeCode: yubico-piv-tool -a set-chuid -a set-ccc Please post here it that helped. Is there any software I'll need - Centrify Express or something like it - to pass the certificate on the Yubikey to Apple Mail? Edit: When I go to the directory, and type in "yubico-piv-tool" I get the following: Code: computer:bin user$ yubico-piv-tool -bash: yubico-piv-tool: command not found When I drag the executable directly to the terminal window, I get this: Code: computer:bin user$ /Users/user\ 1/Downloads/yubico-piv-tool-1.4.2-mac/bin/yubico-piv-tool -s 9c -a set-chuid Failed authentication with the application. I've found it - from the PDF: Quote: Failed authentication with the application
This error message occurs when authentication with the management key fails. If you previously reset the management key, be sure you provide the new management key with the -k switch in every command line where YubiKey authentication is required. This error also occurs if the PIN is required and is typed incorrectly. For example: yubico-piv-tool -a change-pin -P 123456 -N $pin -k 010203040506070801020304050607080102031234597899 where 010203040506070801020304050607080102031234597899 is the new management key. |
Page 1 of 2 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |