CSIS / EnrollmentStation

Enrollment Station for enrolling Yubico smart cards in a Windows PKI

Enrollment Certificate stored on smart card not supported? #10

Closed bluikko closed 8 years ago

bluikko commented 8 years ago

I believe that the best practice is to store the Enrollment Certificate on a smart card for security. It seems EnrollmentStation does not support this?

I have requested an Enrollment Certificate with the PIV Manager tool and saved it to some slot, say 9c or 9d. But when choosing the Agent certificate, the "browse" button only displays the certificates on the local computer and not certificates from the YubiKey.

bluikko commented 8 years ago

Don't know what happened, now ES finds the certs on the Yubikey. Closing this issue.

bluikko commented 8 years ago

Oops - the certs are not found from Yubikey, instead it was just Windows updating the local computer certificate store.

The issue that the Yubikey cannot open the Agent certificate from the Yubikey persists.

ian-csis commented 8 years ago

It is true that it would provide better security to have the enrollment agent certificate on a yubikey. Our main use case for this application was an offline scenario where the enrollment machine is turned off (and it has Bitlocker disk encryption), which provides better protection for the key than storing it on a yubikey.

If I remember correctly, the last time we researched this (about 2 years ago) there was no Cryptographic Service Provider (CSP) for reading the private key on the smart card. The solution back then was to install a third party provider that had limited support for yubikeys.

We will look into it and reevaluate support for this feature.

bluikko commented 8 years ago

Thanks for the reply. Sounds possible that there is no CSP for reading a private key since usually private keys must not be exported from a smart card. I do not know enough of how it works to say why you would need to read the private key off it and not do some signing operation on it. I guess this issue can be closed then, no need to explain more in detail about the private key.

P.S. should I open a separate issue for this: http://forum.yubico.com/viewtopic.php?f=30&t=2412&p=8976#p8976

ian-csis commented 8 years ago

It is not reading the private key to export it. That would be very insecure, as you rightly point out. Yubikeys support PKCS11, which is a standard API for communicating with cryptographic devices such as smart cards. However, most implementations have special adaptations to the protocol, and as such Microsoft implemented the CSP API, to which you implement a driver, and then Windows can seamlessly communicate with the smart card.

Windows is already using this API for signing operations when you use smart cards to log into Windows. However, it does not seem to recognize the Yubikey when doing other operations, which is why we are using the Yubikey API directly (using the libraries provided by Yubico) in ES. I have talked with the developers at Yubico on several occasions, and they want to provide support for Microsoft Windows CSPs out of the box - I'm just not sure where we stand in that regard at the moment, as this was several years ago.

ian-csis commented 8 years ago

As for the second issue, it would be nice if you created another ticket.

LordMike commented 8 years ago

@bluikko could you try putting the agent certificate in slot 9a? We use slot 9a for all our certs (iirc it's because of its intended use).

Also double check that the Windows certificate store detects your smartcard-agent certificate. So remove it from the user's personal store first, then re-insert the yubikey and confirm that it appears again. (Windows will by default "install" any SmartCard certificate given to it into the user's personal store - in some cases it also installs any chain presented to it :|).
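To make the check above concrete, here is an added PowerShell snippet (not part of EnrollmentStation or the thread) that lists the current user's Personal store, shows which key provider backs each private key, and flags the certificates carrying the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1). It assumes the provider name ("Smart Card" in it) is enough to distinguish a card-backed key from a local software key, and `Get-KeyProviderName` is a hypothetical helper defined here.

```powershell
# Added example: enumerate CurrentUser\My and report, per certificate, whether it is an
# enrollment agent certificate and which CSP/KSP holds its private key. A Yubikey-backed
# key should show a smart card provider; a local key shows a software provider.
$agentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return '<no private key>' }
    try {
        # Works for both CNG (RSACng) and legacy CSP (RSACryptoServiceProvider) keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return '<non-RSA key>' }
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $rsa.CspKeyContainerInfo.ProviderName
        }
        return '<unknown key type>'
    } catch {
        # Typical when the card is not inserted or the provider cannot open the key.
        return "<unavailable: $($_.Exception.Message)>"
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $isAgent = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            if ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $agentEku }) { $isAgent = $true }
        }
    }
    $provider = Get-KeyProviderName -Cert $cert
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        AgentEku   = $isAgent
        Provider   = $provider
        SmartCard  = ($provider -match 'Smart Card')
    }
} | Format-Table -AutoSize
```

Run it once with the Yubikey removed and once after re-inserting it: the agent certificate should reappear with a smart card provider, which is the behaviour the comment above asks you to confirm.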

mike-csis commented 8 years ago

@bluikko another note here is that it will "never" work as it is now. You cannot have two yubikeys at the same time while working with the ES. The library we use from Yubico simply doesn't support selecting yubikeys (at least not when we made it - there are some things related to selecting Yubikeys, but we never could make it work reliably).

A better option is probably this: Use Windows 10 / Server 2016, and use Credential Guard on a machine with a TPM. Credential Guard will protect the LSASS process and virtualize it away to protect it from compromise. This goes well with another new feature: Virtual Smartcard which allows you to have a smart card on the TPM device. Using this, you can get the same security as a physical smart card would give you.