CSIS / EnrollmentStation

Enrollment Station for enrolling Yubico smart cards in a Windows PKI

Yubikey 4 error #7

Closed mlegitt closed 8 years ago

mlegitt commented 8 years ago

I tried using a Yubikey 4. Although it read the device fine, upon enrollment I receive a "failed to generate key pair" error message.

ian-csis commented 8 years ago

Hi @mlegitt,

The Yubikey 4 has never been tested with the system. Yubico has written to us to provide some test keys so that we can get support for it. We will take a look at it as soon as we can.

degan6 commented 8 years ago

Any update on this? I have a Yubikey 4 and am getting "unable to enroll a certificate". I can see the light flashing on my Yubikey, but it doesn't seem to be able to write to the Yubikey.

mike-csis commented 8 years ago

Does the Yubikey register with the NEO manager or PIV tool from Yubico? We've successfully been enrolling Yubikey 4 for a while now (all 5 we had).

degan6 commented 8 years ago

Yes, the NEO manager sees the yubikey without issue.

degan6 commented 8 years ago

I will look into the PIV tool soon. Is there a log or any place I can look on my workstation or the server to shed some light on why it failed?

mike-csis commented 8 years ago

Ok. The "Unable to enroll a certificate." error comes in the process of contacting the CA to have the certificate signed. This involves the yubikey signing a request, the CA signing it and returning a certificate which is then stored on the key (in broad terms).

The error dialog should include an extended error message. I looked over the code and found an instance I believed I had covered, but the new version 0.3.3.2 covers a last case. Could you run that and see if you get more info?

Is it just one Yubikey or multiple (or all)?

degan6 commented 8 years ago

Unfortunately I just have one Yubikey. Your update did help, though. The error changed to this much more helpful error.

I believe the issue is on my end now. Thank you for your help.

mike-csis commented 8 years ago

Hi,

That's awesome. Your issue is now centered on your CA server: the specific template is not active or published, you don't have permissions, or any of the other possible issues.

One of the cases where we receive a similarly worded error is when the user account running the Enrollment Station isn't properly authenticated with the AD. This can happen if, at login time (in Windows), you can't connect to the AD server.

In any case, you may be able to get more info on 0x80094800 on Google or by examining event logs on your CA. Lastly, the CA console has a "Failed attempts" (or similar) view which might contain more info.
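The checklist in this last reply (template published, enrollment permission, AD authentication, the HRESULT, CA event logs and the failed-requests view), turned into commands as an added example; this is not part of the issue thread or of the EnrollmentStation project. It assumes a CA config string and a template name that are placeholders, a domain-joined Windows machine with `certutil` available, and read access to the CA database and the CA's Application log for the last two steps. `0x80094800` is the HRESULT `CERTSRV_E_UNSUPPORTED_CERT_TYPE` ("The requested certificate template is not supported by this CA"), which is the "template not published" case named above.

```powershell
# Added troubleshooting script for an "Unable to enroll a certificate" /
# 0x80094800 failure against a Windows CA. Not part of EnrollmentStation.
# ASSUMPTIONS (placeholders, replace with your own values):
$CaConfig     = 'CA01.corp.example.com\Corp-Issuing-CA'   # "<CA host>\<CA common name>"
$TemplateName = 'YubiKeyPIV'                              # template the Enrollment Station requests

# 1. Decode the HRESULT shown in the error dialog.
#    0x80094800 = CERTSRV_E_UNSUPPORTED_CERT_TYPE, i.e. the CA does not issue that template.
certutil -error 0x80094800

# 2. Can this CA be reached at all from the workstation? (ICertRequest ping over DCOM)
certutil -config $CaConfig -ping

# 3. Is the template published on this CA? certutil lists one "<name>: <display name> -- ..."
#    line per published template, so a missing line means "not published".
$published = certutil -config $CaConfig -CATemplates
if ($published -match "^$([regex]::Escape($TemplateName)):") {
    "Template '$TemplateName' is published on $CaConfig"
} else {
    "Template '$TemplateName' is NOT published on $CaConfig " +
    "(add it under 'Certificate Templates' in certsrv.msc on the CA)"
}

# 4. Does the requesting account have Enroll on the template? Dump the template object
#    from AD; with -v the output includes its security descriptor (Allow/Deny ACEs).
certutil -v -dsTemplate $TemplateName

# 5. The "not properly authenticated with AD" case: a user logged on with cached
#    credentials has no Kerberos TGT, and the secure channel to the domain may be down.
$tickets = klist
if ($tickets -match 'Cached Tickets: \(0\)') {
    "No Kerberos tickets cached: log off and on again with the domain controller reachable"
}
nltest /sc_query:$env:USERDOMAIN

# 6. Failed requests in the CA database (Disposition 30 = failed, 31 = denied), the same
#    data the 'Failed Requests' folder in certsrv.msc shows. Needs read rights on the CA.
certutil -config $CaConfig -view -restrict "Disposition=30" `
    -out "RequestID,RequesterName,SubmittedWhen,CertificateTemplate,StatusCode,DispositionMessage"

# 7. CA service events from the last hour. Run on the CA host itself, or add
#    -ComputerName <CA host> to Get-WinEvent if remote event log access is allowed.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    StartTime    = (Get-Date).AddHours(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
```

Steps 1 to 5 run on the workstation the Enrollment Station is used from; steps 6 and 7 need a CA administrator or auditor account, since the request database and the CA's event log are where the reason for a rejection is actually recorded. If step 3 already reports the template as not published, that alone explains 0x80094800 and the remaining steps are confirmation.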