Prerequisites

...

  • Step 2)
    • Logged in as the account that will appear on the certificate

      Note

      Find someone on the Systems or IA team


    • Account is a member of the CLAWS-managed group its-certs-smartcard

      • Once added, you need to log out and log back in to be part of the group
        OR

      • Connect to a remote machine to perform Step 2


Enrollment

Note

The PIN and Management Key will be needed to configure each certificate.

  1. Go back to Applications and then PIV
    1. Click on Configure Certificates
    2. Click on Authentication (Slot 9a) and then Generate

      Note

      Authentication (Slot 9a) and Key Management (Slot 9d) can both be used if more than one certificate is needed (e.g. -admin)


    3. Check the radio for Certificate Signing Request and then click Next
    4. Select RSA2048 and then click on Next
    5. Enter a meaningful subject (such as your username) and then click on Next
    6. The next page gives you a summary of what you've done. When you click Generate, it will open a save dialog to save the .csr file.

  2. Request the Certificate from the Active Directory Certificate Authority

    Open PowerShell and navigate to where you saved the .csr file

    Code Block
    cd <directory where csr file is saved>


    Run the following command to request a certificate from ADCS. You will need to click on RIT AD Signing CA (Kerberos) - itscaad01.ad.rit.edu when the popup appears.

    Code Block
    certreq -submit -attrib "CertificateTemplate:YubicoSC" <csr file> <crt file>



    Note

    You may see the following message:

    Code Block
    Certificate retrieved(Issued) Issued  Invalid Issuance Policies:  1.3.6.1.4.1.311.21.8.1243817.6959666.9847190.948791.4713993.230.1.401

    Disregard the Invalid Issuance Policies for now. As long as you get Certificate retrieved(Issued), you will be good to continue moving forward.



  3. Once the .crt file is obtained successfully, go back to the YubiKey Manager application
    1. If you closed the application, go to Applications > PIV > Configure Certificates > Authentication
    2. Click on Import
    3. A dialog box will pop up to select the .crt file from Step 5.
    4. Once the certificate is imported, you'll see the details populated in the application

  4. Once complete, remove and re-insert the YubiKey for the certificate to be seen (specifically in Windows).
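
A wrapper around the certificate request step, as an added example that is not part of the original page: it checks that its-certs-smartcard is in the current logon token, runs the same certreq command, treats the Invalid Issuance Policies message as non-fatal, and confirms the returned certificate is RSA 2048 before it is imported. The -CsrPath and -CrtPath parameter names are assumptions.

```powershell
# Added example (not from the original page). -CsrPath/-CrtPath are assumed names.
param(
    [Parameter(Mandatory)][string]$CsrPath,
    [Parameter(Mandatory)][string]$CrtPath
)
$ErrorActionPreference = 'Stop'

# Prerequisite: the group must be in the *current* logon token, which is why
# a logout/login (or a remote session) is needed after being added.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
if (-not ($groups.'Group Name' -match '\\its-certs-smartcard$')) {
    throw 'its-certs-smartcard is not in this logon token; log out and back in first.'
}

if (-not (Test-Path -LiteralPath $CsrPath)) { throw "CSR not found: $CsrPath" }
if (Test-Path -LiteralPath $CrtPath)        { throw "Refusing to overwrite $CrtPath" }

# Same command as on the page; the CA selection popup still appears.
$out = & certreq.exe -submit -attrib 'CertificateTemplate:YubicoSC' $CsrPath $CrtPath | Out-String
Write-Host $out

# "Invalid Issuance Policies" is tolerated; only the issued status matters.
if ($out -notmatch 'Certificate retrieved\(Issued\)') {
    throw 'Request was not issued (it may be pending or denied); do not import.'
}

# Confirm the returned certificate matches what was generated on the YubiKey.
$path = (Resolve-Path -LiteralPath $CrtPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa -or $rsa.KeySize -ne 2048) { throw 'Certificate key is not RSA 2048.' }
if ($cert.NotAfter -lt (Get-Date))            { throw 'Certificate is already expired.' }

# Summary to compare against what YubiKey Manager shows after import.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    KeySize    = $rsa.KeySize
}
```

The thumbprint and expiry it prints can be compared with the details YubiKey Manager populates after the import step.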