Prerequisites
- YubiKey 4 and newer
- Active Directory account
- Windows domain-bound machine (necessary for Step 52)
Logged in as the account that will appear on the certificate
- Yubikey Manager
- Download direct from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloads
- Windows
- Mac
- Linux
Process
...
- Click on Configure PINs
- Click Change PIN and then check Use default (if it is default).
Fill in the blanks.
Finish with changing PIN by clicking on Change PIN - Click on Change PUK and then check Use default (if it is default).
Fill in the blanks.
Finish with changing PUK by clicking on Change PUK - Click on Change Management Key and then check Use default (if it is default).
Fill in the blanks.
Finish with changing the key by clicking on Finish- You can check Protect with PIN to not need the Management Key for future
- You can check Protect with PIN to not need the Management Key for future
Note Find someone on Systems or IA team
Account is member of CLAWS managed group its-certs-smartcard
Once added, you need to logout and login after to be part of the group
ORConnect to a remote machine to perform Step 2
Enrollment
Note |
---|
The PIN and Management Key will be needed to configure each certificate. |
- Go back to Applications and then PIV
- Click on Configure Certificates
Click on Authentication (Slot 9a) and
then Generatethen Generate
Note Authentication (Slot 9a) and Key Management (Slot 9d) can be used if more than 1 cert is needed (ala -admin)
- Check the radio for Certificate Signing Request and then click Next
- Select RSA2048 and then click on Next
- Input a decent subject text (ala username) and then click on Next
- The next page gives you a summary of what you've done. When you click Generate, it will open a save dialog to save the .csr file.
- Click on Configure Certificates
Request the Certificate from the Active Directory Certificate Authority
noteThis Step Requires:
- Domain Bound Windows machine
- Logged in as user you are attempting to request cert for
Open PowerShell and navigate to where you saved the .csr file
Code Block cd <directory where csr file is saved>
Run the following command to request a certificate from ADCS. You will need to click on RIT AD Signing CA (Kerberos) - itscaad01.ad.rit.edu when the popup appears.
Code Block certreq -submit -attrib "CertificateRequestCertificateTemplate:YubicoSC" <csr file> <crt file>
Note You may see the following message:
Code Block Certificate retrieved(Issued) Issued Invalid Issuance Policies: 1.3.6.1.4.1.311.21.8.1243817.6959666.9847190.948791.4713993.230.1.401
Disregard the Invalid Issuance Policies for now. As long as you get Certificate retrieved(Issued), you will be good to continue moving forward.
- Once .crt file is obtained successfully, go back to YubiKey Manager application
- If you closed the application, go to Applications > PIV > Configure Certificates > Authentication
- Click on Import
- A dialog box will pop up to select the .crt file from Step 5.
- Once the certificate is imported, you'll see the details populated in the application
- Once complete, remove and re-insert the YubiKey for the certificate to be seen (specifically in Windows).