Yubico Forum
https://forum.yubico.com/

Microsoft CA, 'Enroll on Behalf of'
https://forum.yubico.com/viewtopic.php?f=26&t=1784
Page 1 of 1

Author:  GrahamWood [ Thu Mar 12, 2015 12:18 am ]
Post subject:  Microsoft CA, 'Enroll on Behalf of'

I can create certificates for myself quite easily, following the following process (will get a proper write up done once I've got everything working):

yubico-piv-tool -a change-pin -P 123456 -N <new_pin>
yubico-piv-tool -s 9a -a generate -o public.pem
yubico-piv-tool -a verify-pin -P <new_pin> -s 9a -a request-certificate -S "/CN=username/CN=..../" -i public.pem -o request.csr
certreq -submit -attrib "CertificateTemplate:SmartcardUser" request.csr cert.crt
yubico-piv-tool -s 9a -a import-certificate -i cert.crt
yubico-piv-tool -a set-chuid

Have generated a few like this, and now tried to create a key for another user. This just requires a change to the 'certreq' command - and that is where things fail; I've not been able to get it to work.

Using the standard GUI from Microsoft, I hit the issue of the minidriver being read only (which is covered in another thread).

So -

Given that we've got 500+ users, and I need to show to my manager a process that is workable, any suggestions?
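The six commands at the top of this post as one script, added here as an example; it is not code from the thread or from Yubico. It runs the same yubico-piv-tool and certreq chain for the current user, and before the issued certificate is written to the token it runs yubico-piv-tool's test-signature action, which signs a nonce with the slot 9a private key and verifies it against the public key in the certificate the CA returned, so a certificate issued for the wrong key never lands on the card. The parameter names, the template default, the temporary working directory and the Invoke-Piv helper are assumptions for the illustration; the PIN is passed on the command line exactly as in the post, which means it is visible in the process list while the tool runs.

```powershell
# Added example (not from the thread): scripted version of the on-token CSR flow above.
# Assumes yubico-piv-tool.exe and certreq.exe are on PATH and the YubiKey NEO is attached.
param(
    [Parameter(Mandatory)] [string] $Subject,   # e.g. "/CN=username/CN=...."; form assumed from the post
    [Parameter(Mandatory)] [string] $Pin,       # PIV PIN set earlier with change-pin
    [string] $Template = "SmartcardUser",       # CA template name used in the post
    [string] $Slot = "9a"                       # PIV authentication slot
)
$ErrorActionPreference = "Stop"

function Invoke-Piv {
    # Run yubico-piv-tool and stop on a non-zero exit code (helper assumed for this example).
    param([string[]] $Arguments)
    & yubico-piv-tool.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "yubico-piv-tool $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

$work = Join-Path $env:TEMP ("piv-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$pub = Join-Path $work "public.pem"
$csr = Join-Path $work "request.csr"
$crt = Join-Path $work "cert.crt"

# 1. Generate the key pair in the slot; only the public key ever leaves the token.
Invoke-Piv @("-s", $Slot, "-a", "generate", "-o", $pub)

# 2. Build a CSR signed by the slot key (PIN verified first, same action chain as the post).
Invoke-Piv @("-a", "verify-pin", "-P", $Pin, "-s", $Slot,
             "-a", "request-certificate", "-S", $Subject, "-i", $pub, "-o", $csr)

# 3. Submit the CSR to the enterprise CA under the smartcard template.
& certreq.exe -submit -attrib "CertificateTemplate:$Template" $csr $crt
if ($LASTEXITCODE -ne 0) { throw "certreq failed ($LASTEXITCODE)" }

# 4. Check: sign with the slot key and verify against the issued certificate's public key.
#    This fails if the CA returned a certificate for some other key.
Invoke-Piv @("-a", "verify-pin", "-P", $Pin, "-s", $Slot, "-a", "test-signature", "-i", $crt)

# 5. Load the certificate and write a CHUID so Windows recognises the card.
Invoke-Piv @("-s", $Slot, "-a", "import-certificate", "-i", $crt)
Invoke-Piv @("-a", "set-chuid")

# 6. Show what is now on the token; the files left behind hold no secrets but tidy up anyway.
Invoke-Piv @("-a", "status")
Remove-Item -Recurse -Force $work
```

Run it once per user as that user, with the YubiKey attached; step 4 is the only addition to the post's sequence, and the management key is left at the factory default just as in the post, which is something to change before any of these tokens go into production.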

Author:  goldfinger [ Thu Mar 12, 2015 11:33 am ]
Post subject:  Re: Microsoft CA, 'Enroll on Behalf of'

Look at my post two days ago.
http://forum.yubico.com/viewtopic.php?f=26&t=1780
Without a minidriver you can't build a smartcard enrollment station because of a Windows certreq bug. The necessary step of signing the Neo certificate request with the enrollment agent certificate isn't working.

Author:  GrahamWood [ Thu Mar 12, 2015 11:04 pm ]
Post subject:  Re: Microsoft CA, 'Enroll on Behalf of'

goldfinger wrote:
Look at my post two days ago.
http://forum.yubico.com/viewtopic.php?f=26&t=1780
Without a minidriver you can't build a smartcard enrollment station because of a Windows certreq bug. The necessary step of signing the Neo certificate request with the enrollment agent certificate isn't working.


I was hoping there would be a way to do it without needing that - e.g. generate the key using a .inf file passed to certreq, getting it signed, and then writing it to the card... Happy to use your thread to work through options instead :)

The other thing I'm starting to consider is an openssl based CA, and just getting Windows to trust it - but where I work is a primarily windows shop, so was trying to avoid that :)

Author:  zviratko [ Tue Mar 17, 2015 12:18 am ]
Post subject:  Re: Microsoft CA, 'Enroll on Behalf of'

A CA is for so much more than just "signing keys". You need (or should have) a working LDAP directory with certificates, CRL distribution points, OCSP responders... much of that is already working for you with Active Directory and is set up right (or at least I presume someone at Microsoft knew a thing or two about PKI when designing the out-of-box install).
At 500 users, OpenSSL is not the right way to go.
Take a look at EJBCA if you really want to switch, but I think you'd better stick with the standard MS stack if you are a Windows shop...

Author:  GrahamWood [ Mon Mar 23, 2015 2:59 am ]
Post subject:  Re: Microsoft CA, 'Enroll on Behalf of'

zviratko wrote:
At 500 users, OpenSSL is not the right way to go.

Indeed - it's the sort of thing I'd be willing to script for a much smaller (or linux) shop :)


zviratko wrote:
Take a look at EJBCA if you really want to switch, but I think you'd better stick with the standard MS stack if you are a Windows shop...

The Windows stack appears to be the best option, but there does not appear to be a way to do this using the windows tools out of the box. I think I'm in the same position that goldfinger is :)

Author:  GrahamWood [ Fri Mar 27, 2015 3:54 am ]
Post subject:  Re: Microsoft CA, 'Enroll on Behalf of'

OK, I've now got this working (for me) using the GUI to generate certificates, and then loading them onto the yubikey.

The downside is that the private part of the key is generated by windows (not the yubikey), but I'm willing to accept that as a trade off at the moment.

The process is to create a duplicate of the Smartcard User template, changing (for a 2012R2 CA):
  • General: 'Template display name:' to something sensible :)
  • Cryptography: 'Minimum key size' to 2048 (1024 would probably be OK, but I prefer to go higher...)
  • Issuance Requirements:
    • This number of authorized signatures: 1
    • Policy type required in signature: Application Policy
    • Application policy: Certificate Request Agent

Once you have told the CA to issue certificates of this type, you can then use the 'enroll on behalf of' within the Windows certificate authority application (if you have the appropriate rights).

Right click on 'Personal->Certificates' under certmgr, and then choose 'All Tasks' => 'Advanced Operations' => 'Enroll On Behalf Of'. Choose your enrolling certificate at the next stage, and then choose the template you created above. Pick the user for whom this certificate is being created, and then hit next. This will create a certificate (stored within your store) that you can then upload to the yubikey neo.

Click on 'Personal -> Certificates', and right click on the generated certificate, choosing 'All Tasks -> Export'. Follow through, choosing 'Yes, export the private key' on the first page, and PKCS#12 with all options ticked on the next page. On the next page choose a password that you can type easily, and then choose where the file should be saved, and click finish.

Now, using the generated file run:

yubico-piv-tool.exe -s 9a -i <filename> -K PKCS12 -p <password> -a set-chuid -a import-key -a import-certificate

Finally, delete that file - and this should be working. This does not cover changing the management key or other information on the yubikey - that's left as an exercise for the reader.

Apologies if this is a duplicate of information elsewhere, I couldn't find it when I was looking originally.

One thing I will add - this can all be done via a VM - you do NOT need to have the utilities/etc running locally - and indeed, I've done this with my local machine (the one with the yubico plugged in) not actually a member of the test domain I was working on.
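The export, import and clean-up steps of the procedure above as one script, added here as an example; it is not code from the thread or from Yubico. It takes the thumbprint of the certificate that 'Enroll On Behalf Of' placed in the enrolling user's Personal store, exports it to a PKCS#12 file under a random one-time password instead of a typed one, runs the same yubico-piv-tool action chain as the post's final command, reads the certificate back from the token to confirm the import landed, and then removes both the PKCS#12 file and the software copy of the private key from the Windows store. The thumbprint parameter, the temporary file names and the Invoke-Piv helper are assumptions for the illustration; Export-PfxCertificate needs the PKI module that ships with Windows 8 / Server 2012 and later, and the template must allow the private key to be exported, which is what this enrollment method relies on.

```powershell
# Added example (not from the thread): scripted export/import/clean-up for a certificate
# issued with 'Enroll On Behalf Of'. Assumes yubico-piv-tool.exe is on PATH and that the
# EOBO certificate sits in the enrolling user's Personal store with an exportable private key.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the EOBO-issued certificate
    [string] $Slot = "9a"                          # PIV authentication slot
)
$ErrorActionPreference = "Stop"

function Invoke-Piv {
    # Run yubico-piv-tool and stop on a non-zero exit code (helper assumed for this example).
    param([string[]] $Arguments)
    & yubico-piv-tool.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "yubico-piv-tool $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint; the template must allow export." }

# One-time random PKCS#12 password: it only has to live for the duration of this script.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)
$pfxPath = Join-Path $env:TEMP ("eobo-" + $Thumbprint + ".pfx")
$pemPath = Join-Path $env:TEMP ("eobo-" + $Thumbprint + ".pem")

try {
    # Export certificate plus private key (the 'Yes, export the private key' / PKCS#12 GUI step).
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
        -Password (ConvertTo-SecureString $pfxPassword -AsPlainText -Force) | Out-Null

    # Same action chain as the post's final yubico-piv-tool command.
    Invoke-Piv @("-s", $Slot, "-i", $pfxPath, "-K", "PKCS12", "-p", $pfxPassword,
                 "-a", "set-chuid", "-a", "import-key", "-a", "import-certificate")

    # Check: read the certificate back from the slot and compare thumbprints.
    Invoke-Piv @("-s", $Slot, "-a", "read-certificate", "-o", $pemPath)
    $der = [Convert]::FromBase64String(((Get-Content $pemPath) -notmatch '^-----') -join '')
    $onToken = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    if ($onToken.Thumbprint -ne $cert.Thumbprint) {
        throw "Certificate on token ($($onToken.Thumbprint)) does not match $Thumbprint"
    }
}
finally {
    # The PKCS#12 file is a plaintext-equivalent copy of the user's key: never leave it behind.
    foreach ($f in @($pfxPath, $pemPath)) { if (Test-Path $f) { Remove-Item $f -Force } }
}

# Only reached on success: drop the software copy of the key from the enrolling user's store,
# so the YubiKey is the only place the private key still exists.
Remove-Item "Cert:\CurrentUser\My\$Thumbprint" -DeleteKey
```

The last line is the caveat that goes with the trade-off the post accepts: because Windows generated the key, a copy of it lives in the enrollment agent's certificate store until it is deleted, and the post's "delete that file" only covers the PKCS#12 export. Deleting a file with Remove-Item does not overwrite it on disk, so on an enrollment station that handles many users the temporary directory should sit on an encrypted volume. As in the post, the management key is left at the factory default.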

All times are UTC + 1 hour