Closed opoplawski closed 6 months ago
May I ask what pkcs11 module you are using? I ask because the token label is made up by that module, not the PIV application on the YubiKey.
I might add that libykcs11 from yubico-piv-tool sets the token label to 'YubiKey PIV #%u' where %u is taken from the serial number of the YubiKey, so it's unrelated to certificates.
Hmm, maybe this isn't the right place to ask then. We create the certificates on Windows with the YK minidriver installed.
Closing this issue now. Feel free to open a new one if needed.
We are using Active Directory to issue authentication certificates for our users. Unfortunately Windows will only cache a single certificate for a particular subject for offline authentication - making the use of backup YKs problematic for roaming users. To avoid this we have started issuing certificates without subject names. A side effect of this though is that the PKCS11 token id/label for the device becomes PIV_II instead of the user's full name as before. Would there be any way to encode a user identifying label as the token id for subject-less certificates? Thanks.