Yubico / Yubico.NET.SDK

A YubiKey SDK for .NET developers
Apache License 2.0

Public certificate fails to be propagated on Windows 11 after PIV certificate is enrolled. #38

Closed zyyanfei closed 1 year ago

zyyanfei commented 1 year ago

There is a consistent issue when I enroll a PIV certificate for a YubiKey device (no matter whether it is a YK5 or YK4 key) through the YubiKey SDK on Windows 11:

After the enrollment, the new public certificate can't be propagated on the machine where I just enrolled it, even if I remove the device and plug it in again. The public certificate will be available in the certificate store only after the machine is restarted.

Previously it worked well when I enrolled it through the Yubico PIV tooling. Meanwhile, it works well if I plug it into another Windows 11 machine without a restart.

GregDomzalski commented 1 year ago

Hi @zyyanfei - do you have the YubiKey MiniDriver installed on this computer?

The .NET SDK is usually not involved in any way once the certificate has been stored on the YubiKey. For better integration between the YubiKey and Windows, that is the responsibility of the YubiKey MiniDriver (YKMD.dll).

zyyanfei commented 1 year ago

Thank you @GregDomzalski for the response.

If I remember correctly, I tried it (YubiKey-Minidriver-4.1.1.210-x64.msi is installed), but it doesn't work. In other words, I can repro it no matter whether the driver is the built-in "Microsoft Usbccid Smartcard Reader" or the "YubiKey MiniDriver". I will double-confirm tomorrow and let you know the test result.

GregDomzalski commented 1 year ago

Hi @zyyanfei - were you able to check if the minidriver was present? Were you able to resolve your issue?

zyyanfei commented 1 year ago

Hi @zyyanfei - were you able to check if the minidriver was present? Were you able to resolve your issue?

Sorry for the delayed response. Yes, the public certificate can be propagated once the Yubico minidriver is installed. This case only occurs when the YubiKey's eject mode is disabled and the touch policy is 'Always' or 'Cached'. If eject mode is enabled, there isn't such an issue. Do you know why it depends on the minidriver only in this situation?

zyyanfei commented 1 year ago

@GregDomzalski could you share more insights?

GregDomzalski commented 1 year ago

Hi @zyyanfei - this is outside of my team's expertise. Since the .NET SDK is not involved in this particular flow at all, I would advise you to engage with Yubico's Support team. They will be much better equipped to help you.

zyyanfei commented 1 year ago

Thank you Greg for the information.