Overview
This process outlines how to obtain certificate(s) from the Active Directory integrated PKI environment and load them onto a YubiKey.
Prerequisites
- YubiKey 4 and newer
- Active Directory account
- Windows domain-joined machine (necessary for Step 5)
- Logged in as the account that will appear on the certificate
- YubiKey Manager
- Download directly from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloads
- Windows
- Mac
- Linux
Process
New Setup
- Run the YubiKey Manager application and insert your key
- Click on Applications and then click on PIV
Change the PIN if the YubiKey is fresh out of the box or has been reset to factory defaults
Note: skip to step 4 (Enrollment, II. Determine Which Certificate to Use) if the YubiKey is already initialized
- Click on Configure PINs
Note: The PIN is used to unlock and use the certificates on the YubiKey. You have 3 tries to enter the correct PIN before it is blocked.
- Click Change PIN and then check Use default (if the PIN is still the factory default, 123456).
- Fill in the blanks. Choose a PIN between 6 and 8 characters.
- Finish changing the PIN by clicking on Change PIN.
Note: The PUK is used to unblock the PIN if it becomes locked. You have 3 tries to enter the correct PUK before the PUK itself is blocked, after which only a full PIV reset (which wipes the keys) recovers the YubiKey.
- Click on Change PUK and then check Use default (if the PUK is still the factory default, 12345678).
- Fill in the blanks. Choose a PUK between 6 and 8 characters.
- Finish changing the PUK by clicking on Change PUK.
Note: The Management Key authorizes administrative PIV operations such as generating key pairs and importing certificates. It will be needed in the next section when a new certificate is generated.
Warning: The Management Key is needed to create a certificate. It is longer than what is visible in the field: an AES256 key is 32 bytes, shown as 64 hex characters. Store it in a secure repository.
- Click on Change Management Key and then check Use default (if it is still the factory default).
- Click on Generate a few times to randomly create a new management key.
- Choose AES256 as the Algorithm. AES management keys are supported on firmware 5.4.2 and later; on older firmware, including the YubiKey 4 series, leave the algorithm as TDES.
- You can check Protect with PIN so the management key is stored on the YubiKey itself and future operations only ask for the PIN instead of the Management Key. Still record the key in the secure repository; you will need it if the PIN is ever blocked and reset.
- Finish changing the key by clicking on Finish.
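The same PIN, PUK and management-key changes can be scripted with the YubiKey Manager CLI (ykman) that ships alongside the GUI, which is useful when preparing several keys. The following PowerShell script is an added example and is not part of the original page; it assumes ykman 5.x is on PATH (the `ykman piv access ...` command layout; ykman 4.x used `ykman piv change-pin` and friends), that exactly one fresh YubiKey is inserted, and that the PIV PIN, PUK and management key are still at the factory defaults. It chooses AES256 only when the firmware reports support for it.

```powershell
# Added example (not from the original page): the "New Setup" PIN/PUK/
# management-key steps done with the YubiKey Manager CLI instead of the GUI.
# Assumes ykman 5.x on PATH ("ykman piv access ..." command layout) and a
# single YubiKey at factory defaults.
$ErrorActionPreference = 'Stop'

# Factory defaults for the PIV application (what "Use default" fills in).
$DefaultPin     = '123456'
$DefaultPuk     = '12345678'
$DefaultMgmtKey = '010203040506070801020304050607080102030405060708'

function Invoke-Ykman {
    # Run ykman with the given arguments and fail loudly on a non-zero exit.
    param([string[]]$ArgList)
    $out = & ykman @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ykman $($ArgList -join ' ') failed: $out"
    }
    return $out
}

function Read-Secret([string]$Prompt) {
    # Prompt without echo; ykman needs the plain value on its command line.
    $s = Read-Host -Prompt $Prompt -AsSecureString
    return [System.Net.NetworkCredential]::new('', $s).Password
}

function Test-PivCode([string]$Code) {
    # PIN and PUK must be 6-8 characters, the same rule the GUI enforces.
    return ($Code.Length -ge 6 -and $Code.Length -le 8)
}

# Step 0: confirm a key is present and read its firmware version.
$info   = Invoke-Ykman @('info')
$fwLine = $info | Select-String 'Firmware version:\s*([\d.]+)'
if (-not $fwLine) { throw 'Could not read the firmware version from "ykman info"' }
$fw = [version]$fwLine.Matches[0].Groups[1].Value

# AES management keys need firmware 5.4.2 or later; older keys only take TDES.
if ($fw -ge [version]'5.4.2') { $alg = 'AES256'; $keyBytes = 32 }
else                          { $alg = 'TDES';   $keyBytes = 24 }

# Step 1: change the PIN (3 retries before it blocks).
$newPin = Read-Secret 'New PIN (6-8 characters)'
if (-not (Test-PivCode $newPin)) { throw 'PIN must be 6-8 characters' }
Invoke-Ykman @('piv', 'access', 'change-pin', '-P', $DefaultPin, '-n', $newPin) | Out-Null

# Step 2: change the PUK (3 retries; it is what unblocks a locked PIN).
$newPuk = Read-Secret 'New PUK (6-8 characters)'
if (-not (Test-PivCode $newPuk)) { throw 'PUK must be 6-8 characters' }
Invoke-Ykman @('piv', 'access', 'change-puk', '-p', $DefaultPuk, '-n', $newPuk) | Out-Null

# Step 3: replace the default management key with a random one (32 bytes =
# 64 hex characters for AES256, 24 bytes = 48 for TDES) and store it on the
# YubiKey protected by the PIN, which is what "Protect with PIN" does in the GUI.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] $keyBytes
$rng.GetBytes($buf)
$newMgmtKey = -join ($buf | ForEach-Object { $_.ToString('x2') })
Invoke-Ykman @('piv', 'access', 'change-management-key',
               '-a', $alg, '-m', $DefaultMgmtKey, '-n', $newMgmtKey,
               '-p', '-P', $newPin) | Out-Null

# Step 4: show the resulting PIV state. The management key is printed once
# and never written to disk; copy it into the secure repository now.
Invoke-Ykman @('piv', 'info')
Write-Host "New $alg management key ($($newMgmtKey.Length) hex chars): $newMgmtKey"
```

The script stops at the first failing ykman call, so a key that is already initialized (non-default PIN) fails at Step 1 rather than half-configuring the device. Secrets passed as command-line arguments are briefly visible to other local processes; on a shared administrative workstation, omit the `-P`/`-p`/`-n` values and let ykman prompt interactively instead.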
- Click on Configure PINs