Open yacoob opened 3 years ago
Please try to use RSA2048 instead of ECCP384 to generate key pairs and certificates. Some settings may cause the ECC certificate to be unusable. See also:
Ran into this today as well, created a PR #44 to add a note about this in the documentation. After enabling ECC keys it worked.
It didn't work for me (even after enabling the policy and rebooting)
Are you using the Yubico MiniDriver for your key or the default Windows card services driver? Check your Device Manager and see how the key is listed.
@dschaper The default I think, I didn't install anything from Yubico, except ykman
(it's a fresh Windows install)
https://www.yubico.com/authentication-standards/smart-card/
YubiKey smart card minidriver
The YubiKey Smart Card Minidriver provides additional smart functionality; certificate and PIN management via the native Windows user interface, support for ECC key algorithms, set touch policy for private key use.
Minidriver for Windows OS
A Minidriver for the Windows OS that allows smart card management in the native Windows interface and adds support for ECC key algorithms. Download the YubiKey Smart Card Minidriver from our downloads page.
Same Issue here.
PS C:\Users\GottZ> yubico-piv-tool.exe -a status
Version: 5.2.7
Serial Number: 12509791
CHUID: No data available
CCC: No data available
Slot 9a:
Algorithm: ECCP384
Subject DN: CN=SSH key
Issuer DN: CN=SSH key
Fingerprint: 1e39e4d7562a984d7f82f60638bcb2e2db83f9a4a7c39a369b30053de22c2518
Not Before: Sep 23 09:55:54 2021 GMT
Not After: Sep 23 09:55:54 2022 GMT
PIN tries left: 3
PS C:\Users\GottZ> ykman piv info
PIV version: 5.2.7
PIN tries remaining: 3
Management key algorithm: TDES
Management key is stored on the YubiKey, protected by PIN.
CHUID: No data available.
CCC: No data available.
Slot 9a:
Algorithm: ECCP384
Subject DN: CN=SSH key
Issuer DN: CN=SSH key
Serial: 16774689833571667083
Fingerprint: 1e39e4d7562a984d7f82f60638bcb2e2db83f9a4a7c39a369b30053de22c2518
Not before: 2021-09-23 09:55:54
Not after: 2022-09-23 09:55:54
PS C:\Users\GottZ> ssh-add -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
Enter passphrase for PKCS#11:
Could not add card "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll": agent refused operation
certmgr.msc doesn't list the key either.
EnumerateECCCerts is set to 1
device manager lists it properly as smartcard
I'm on Windows 11 Pro
OpenSSH is not started. I can't get libykcs11.dll to work with it either.
I have no problems using this key with PIV on a native Archlinux installation.
ssh-add -L should spit out my ecdsa-sha2-nistp384 key from the yubikey but does not.
I do have gpg4win installed but no daemon is running right now.
I've followed the documentation with a yubikey 5 nano. I think I got the key+cert generated properly:
but despite re-plugging the key, Windows doesn't see the cert:
I'm not all that familiar with win10's plumbing involved here - anything that I might have missed?
Thanks!