Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0

YubiKey 4 issues with Windows 10 Creators Update (Version 1703) #24

Closed petrsnd closed 7 years ago

petrsnd commented 7 years ago

If I open YubiKey Piv Manager (1.4.2) on Windows 10 CU, then insert my YubiKey 4, everything works great the first time. It recognizes the YubiKey and allows me to initialize it. However, if I remove the key and try to do it again, YubiKey PIV Manager (1.4.2) fails to recognize the key.

I get the following message in the YubiKey PIV Manager UI: YubiKey not found

yubico-piv-tool.exe returns the following:

    > .\yubico-piv-tool.exe -astatus
    Failed to connect to reader.

I can get YubiKey PIV Manager to recognize the key again if I follow these steps:

  1. Leave the YubiKey 4 inserted
  2. Leave YubiKey PIV Manager (1.4.2) open
  3. Open up Windows Device Manager
  4. Navigate to "Smart card readers"
  5. Find the "Microsoft Usbccid Smartcard Reader (WUDF)" device that was added by Windows, and right click to "Uninstall device"
  6. Remove the YubiKey 4
  7. Reinsert the YubiKey 4
  8. Voilà! YubiKey 4 is recognized and I can work with it.

Another interesting thing is that after following the process described above, when you reinsert the YubiKey 4, ever so briefly you see a device appear under "Smart card readers" called "YubiKey 4 OTP+U2F+CCID". This eventually disappears only to be replaced by "Microsoft Usbccid Smartcard Reader (WUDF)" again. It is seemingly present long enough for YubiKey PIV Manager (1.4.2) to get started interacting with the key.

yubico-piv-tool.exe also works after following the process above.

After I remove the key, it won't work again unless I repeat the steps above to uninstall the device before plugging it back in.

bjoernv commented 6 years ago

Currently I set up the YubiKey certificates on Linux. Unfortunately the comment from @pbatard uses the Windows tool "certutil". Is there a known way to set up the YubiKey with "yubico-piv-tool" or other Linux tools and later use the YubiKey with the YubiKey Smart Card Minidriver on Windows 10?

bjoernv commented 6 years ago

Based on the tip in https://github.com/Yubico/yubikey-piv-manager/issues/24#issuecomment-405423404 and the Yubico documentation "Device setup", I tried to set up a YubiKey 4 without the Windows tool "certutil". Tests show that the certificates work with the new driver (YubiKey Minidriver 3.7.0.152). The Windows registry keys AllowPrivateExchangeKeyImport and AllowPrivateSignatureKeyImport are not needed.

  1. Maybe the YubiKey already has a PIN, PUK and management key set. To reinitialize the PIN, PUK and management key we need to enter wrong PINs and PUKs multiple times. Attention: certificates will be deleted from the YubiKey.

    $ yubico-piv-tool -a verify-pin -P 471112
    Pin verification failed, 2 tries left before pin is blocked.
    $ yubico-piv-tool -a verify-pin -P 471112
    Pin verification failed, 1 tries left before pin is blocked.
    $ yubico-piv-tool -a verify-pin -P 471112
    Pin code blocked, use unblock-pin action to unblock.
    $ yubico-piv-tool -a change-puk -P 471112 -N 6756789
    Failed verifying puk code, now 2 tries left before blocked.
    $ yubico-piv-tool -a change-puk -P 471112 -N 6756789
    Failed verifying puk code, now 1 tries left before blocked.
    $ yubico-piv-tool -a change-puk -P 471112 -N 6756789
    The puk code is blocked, you will have to reinitialize the application.

  2. Reset the YubiKey. This step is important.

    $ ykman piv reset
    WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: j y
    Resetting PIV data...
    Success! All PIV data have been cleared from your YubiKey.
    Your YubiKey now has the default PIN, PUK and Management Key:
        PIN:    123456
        PUK:    12345678
        Management Key: 010203040506070801020304050607080102030405060708

  3. Create a new management key $key.

    $ key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
    $ echo $key
    E9E2CB9936D6511AC36B2C0FE568BB63A806314548C54CB1   (do not use this example key!)
    $ yubico-piv-tool -a set-mgm-key --new-key=$key --key=010203040506070801020304050607080102030405060708

  4. Set up the PIN and PUK.

    $ yubico-piv-tool -a change-pin -P 123456 -N <NEW PIN>
    $ yubico-piv-tool -a change-puk -P 12345678 -N <NEW PUK>

  5. Copy certificates to slots 9a and 9d with the management key $key. Some other slots (e.g. 9c) will not work.

    $ yubico-piv-tool -s 9a -i <certificate1.pfx> -K PKCS12 -p <certificate-password> -a import-key -a import-cert -a set-chuid --key=$key
    $ yubico-piv-tool -s 9d -i <certificate2.pfx> -K PKCS12 -p <certificate-password> -a import-key -a import-cert -a set-chuid --key=$key

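As an added example (not code from this issue thread, from Yubico, or from yubico-piv-tool itself), the yubico-piv-tool provisioning sequence from the comment above wrapped in a POSIX shell script with the checks a practitioner would want before touching the key: the generated management key is verified to be 48 hex characters and not the factory default, and the new PIN and PUK are verified to be 6 to 8 characters and not the defaults 123456 / 12345678. The script assumes a freshly reset YubiKey (after `ykman piv reset`), `yubico-piv-tool` on PATH, and reads its 24 random bytes with `od` from /dev/urandom instead of the `dd`/`hexdump` pipeline; the function names (`gen_mgm_key`, `is_valid_*`, `provision`) are this example's own.

```shell
#!/bin/sh
# Added example: validated wrapper around the yubico-piv-tool setup steps
# posted in the issue (not the project's own tooling).
set -u

# Factory defaults printed by "ykman piv reset" (from the thread).
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708
DEFAULT_PIN=123456
DEFAULT_PUK=12345678

# Generate a random 24-byte management key as 48 uppercase hex characters.
# Assumption: /dev/urandom is available (as on any Linux/BSD host).
gen_mgm_key() {
    od -An -v -tx1 -N 24 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Return 0 if $1 is a 48-character hex string that is not the factory key.
is_valid_mgm_key() {
    key=$1
    [ "${#key}" -eq 48 ] || return 1
    case "$key" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "$(printf '%s' "$key" | tr 'a-f' 'A-F')" != "$DEFAULT_MGM_KEY" ] || return 1
    return 0
}

# PIV PINs and PUKs on the YubiKey are 6 to 8 characters; also reject the
# factory defaults so a key is never left in its shipped state.
is_valid_pin() {
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ] && [ "$1" != "$DEFAULT_PIN" ]
}
is_valid_puk() {
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ] && [ "$1" != "$DEFAULT_PUK" ]
}

# provision <new-pin> <new-puk> <cert-for-9a.pfx> <cert-for-9d.pfx> <pfx-password>
# Runs the same yubico-piv-tool commands as the thread, stopping at the first
# failure so the key is never left half-configured without telling you.
provision() {
    new_pin=$1; new_puk=$2; cert9a=$3; cert9d=$4; certpass=$5

    is_valid_pin "$new_pin" || { echo "refusing: PIN must be 6-8 chars and not the default" >&2; return 1; }
    is_valid_puk "$new_puk" || { echo "refusing: PUK must be 6-8 chars and not the default" >&2; return 1; }
    [ -r "$cert9a" ] && [ -r "$cert9d" ] || { echo "refusing: PKCS12 file not readable" >&2; return 1; }

    key=$(gen_mgm_key)
    is_valid_mgm_key "$key" || { echo "refusing: generated management key failed validation" >&2; return 1; }

    # Step 3 from the thread: replace the default management key.
    yubico-piv-tool -a set-mgm-key --new-key="$key" --key="$DEFAULT_MGM_KEY" || return 1
    # Step 4: set PIN and PUK.
    yubico-piv-tool -a change-pin -P "$DEFAULT_PIN" -N "$new_pin" || return 1
    yubico-piv-tool -a change-puk -P "$DEFAULT_PUK" -N "$new_puk" || return 1
    # Step 5: import key + certificate into slots 9a and 9d and set the CHUID.
    yubico-piv-tool -s 9a -i "$cert9a" -K PKCS12 -p "$certpass" \
        -a import-key -a import-cert -a set-chuid --key="$key" || return 1
    yubico-piv-tool -s 9d -i "$cert9d" -K PKCS12 -p "$certpass" \
        -a import-key -a import-cert -a set-chuid --key="$key" || return 1

    # Print the key exactly once; it is needed for every later key/cert change.
    printf 'New management key (record it securely): %s\n' "$key"
}

# Only touch hardware when explicitly asked, so the helpers can be sourced or tested.
if [ "${1:-}" = "provision" ]; then
    shift
    provision "$@"
fi
```

Usage: `sh provision.sh provision <new-pin> <new-puk> cert1.pfx cert2.pfx <pfx-password>`. Two caveats carried over from the commands in the thread: the PKCS12 password given with `-p` and the PINs given with `-P`/`-N` appear in the process list and shell history of the provisioning host, so run this on a trusted machine and clear the history afterwards; and the printed management key is the only credential that allows further key or certificate imports, so store it with the same care as the certificate private keys (or use the PIN-protected variant that `ykman piv change-management-key --protect` offers).
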
emlun commented 5 years ago

@bjoernv Thanks for sharing your solution. I'd also like to note that you can do all those things with the ykman piv commands as well:

    $ ykman piv reset
    WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
    Resetting PIV data...
    Success! All PIV data have been cleared from your YubiKey.
    Your YubiKey now has the default PIN, PUK and Management Key:
        PIN:    123456
        PUK:    12345678
        Management Key: 010203040506070801020304050607080102030405060708

(Getting the PIN blocked is not a prerequisite for ykman piv reset)

    $ ykman piv change-pin
    Enter your current PIN:
    Enter your new PIN:
    Repeat for confirmation:
    New PIN set.
    $ ykman piv change-puk
    Enter your current PUK:
    Enter your new PUK:
    Repeat for confirmation:
    New PUK set.
    $ ykman piv change-management-key --protect --generate
    Enter PIN:
    Enter your current management key [blank to use default key]:

The --protect flag here makes the YubiKey store the management key within the onboard storage protected by the PIN, so you'll use the PIN in place of the management key (which is useful if there's no separate admin who needs access to the management key). Leave the --protect flag off to get the generated management key printed to the console instead.

    $ ykman piv import-certificate 9a <cert_and_key1.pfx>
    $ ykman piv import-key 9a <cert_and_key1.pfx>
    $ ykman piv import-certificate 9d <cert_and_key2.pfx>
    $ ykman piv import-key 9d <cert_and_key2.pfx>