This process outlines how to obtain a certificate (or certificates) from the Active Directory Integrated PKI environment and load it onto a YubiKey.
Prerequisites
- Active Directory account
- Windows domain-bound machine (necessary for Enrollment Step 2)
  - Logged in as the account that will appear on the certificate
  - Note: find someone on the Systems or IA team if you need help with this
  - Account is a member of the AD.RIT.EDU group CN=ITS_Certs_SmartCard,OU=CA Template Delegation,OU=SensitiveContainers,DC=ad,DC=rit,DC=edu
- YubiKey Manager
  - Download direct from Yubico: https://www.yubico.com/support/download/yubikey-manager/#h-downloads
  - Windows
  - Mac
  - Linux
Process
New Setup
Change the PIN if the YubiKey is fresh out of the box or has been reset to defaults.
Note: skip to Enrollment if the YubiKey is already initialized.
Enrollment
- Get added to the CLAWS managed group its-certs-smartcard
- Once added, you need to log out and log back in to be part of the group, OR connect to a remote machine to perform Step 2
Enrollment
Note: The PIN and Management Key will be needed to configure each certificate.
- Go back to Applications and then PIV
- Click on Configure Certificates
- Click on Authentication (Slot 9a) and then Generate
  - Note: Authentication (Slot 9a) and Key Management (Slot 9d) can both be used if more than one cert is needed (e.g. for an -admin account)
- Check the radio for Certificate Signing Request and then click Next
- Select RSA2048 and then click on Next
- Input a sensible subject text (e.g. your username) and then click on Next
- The next page gives you a summary of what you've done. When you click Generate, it will open a save dialog to save the .csr file.
- Click on Configure Certificates
Request the Certificate from the Active Directory Certificate Authority
Note: This step requires:
- Domain-bound Windows machine
- Logged in as the user you are requesting the cert for (you can leverage RDP with USB forwarding to a bastion host)
- Membership in CN=ITS_Certs_SmartCard,OU=CA Template Delegation,OU=SensitiveContainers,DC=ad,DC=rit,DC=edu
Open PowerShell and navigate to where you saved the .csr file:

```powershell
cd <directory where csr file is saved>
```

Run the following command to request a certificate from ADCS. You will need to click on RIT AD Signing CA (Kerberos) - itscaad01.ad.rit.edu when the popup appears.

```powershell
certreq -submit -attrib "CertificateTemplate:YubicoSC" <csr file> <crt file>
```
Note: You may see the following message:

```
Certificate retrieved(Issued) Issued Invalid Issuance Policies: 1.3.6.1.4.1.311.21.8.1243817.6959666.9847190.948791.4713993.230.1.401
```
Disregard the Invalid Issuance Policies for now. As long as you get Certificate retrieved(Issued), you will be good to continue moving forward.
- Once the .crt file is obtained successfully, go back to the YubiKey Manager application
- If you closed the application, go to Applications > PIV > Configure Certificates > Authentication
- Click on Import
- A dialog box will pop up to select the .crt file from Step 5.
- Once the certificate is imported, you'll see the details populated in the application
- Once complete, remove and re-insert the YubiKey for the certificate to be seen (specifically in Windows).
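The whole procedure above, scripted with the ykman command-line tool that ships with YubiKey Manager, as an added example (not the page's own steps or Yubico's code); before importing, it also checks that the issued certificate actually wraps the key that was generated on the token. It assumes PowerShell 7.1 or later, ykman and certreq on PATH, a domain-bound machine with you logged in as the subject account, and placeholder file names and subject.

```powershell
# Added example, not from the original page or from Yubico: the same enrollment
# scripted with the ykman CLI that ships with YubiKey Manager, plus a check that
# the issued certificate really wraps the key generated on the YubiKey.
# Assumptions: PowerShell 7.1+ (for RSA.ImportFromPem), ykman.exe and certreq.exe
# on PATH, a domain-bound machine, logged in as the subject account.
# File names and $Subject are placeholders; the template name is the page's.
$Slot     = '9a'               # Authentication slot, as in the GUI steps
$Subject  = 'CN=username'      # placeholder, use the account name
$PubKey   = '.\yk-9a-pub.pem'  # placeholder output file names
$Csr      = '.\yk-9a.csr'
$Crt      = '.\yk-9a.crt'
$Template = 'YubicoSC'

# Step 1: generate the RSA 2048 key on the token (the private key never leaves
# it) and build the CSR. ykman prompts for the management key and PIN.
& ykman piv keys generate --algorithm RSA2048 $Slot $PubKey
if ($LASTEXITCODE -ne 0) { throw 'key generation failed' }
& ykman piv certificates request --subject $Subject $Slot $PubKey $Csr
if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }

# Step 2: submit to ADCS. A CA picker pops up; choose the
# "RIT AD Signing CA (Kerberos) - itscaad01.ad.rit.edu" entry.
$out = (& certreq.exe -submit -attrib "CertificateTemplate:$Template" $Csr $Crt 2>&1) | Out-String
Write-Host $out
if ($out -notmatch 'Certificate retrieved\(Issued\)') {
    throw 'not issued: check group membership and which account you are logged in as'
}
if ($out -match 'Invalid Issuance Policies') {
    Write-Warning 'Invalid Issuance Policies reported; can be disregarded for now (see note above)'
}

# Step 3: before importing, confirm the certificate's public key is the key from
# step 1. A mismatch means the wrong CSR or .crt was used and the slot would be
# unusable after import.
$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $Crt).Path)
$certRsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$csrRsa  = [System.Security.Cryptography.RSA]::Create()
$csrRsa.ImportFromPem((Get-Content $PubKey -Raw))
$certMod = [Convert]::ToBase64String($certRsa.ExportParameters($false).Modulus)
$csrMod  = [Convert]::ToBase64String($csrRsa.ExportParameters($false).Modulus)
if ($certMod -ne $csrMod) { throw 'issued certificate does not match the key on the YubiKey' }
Write-Host "OK: $($cert.Subject) issued by $($cert.Issuer), valid until $($cert.NotAfter)"

# Step 4: import into the slot and show the slot state; then remove and
# re-insert the YubiKey so Windows picks up the certificate.
& ykman piv certificates import $Slot $Crt
if ($LASTEXITCODE -ne 0) { throw 'import failed' }
& ykman piv info
```

Run it from the directory where you want the .csr and .crt files written; for a second certificate in Key Management, change $Slot to '9d' and the file names.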