
Overview

This process outlines how to obtain certificate(s) from the Active Directory integrated PKI environment (ADCS) and load them onto a YubiKey's PIV application.

Prerequisites


Process

New Setup

  1. Run the YubiKey Manager application and insert your key

  2. Click on Applications and then click on PIV


  3. Change the PIN, PUK and management key if the YubiKey is fresh out of the box or has been reset to factory defaults (default PIN 123456, default PUK 12345678)

    Skip to Enrollment if the YubiKey is already initialized.

    1. Click on Configure PINs

    2. Click Change PIN and then check Use default (if the PIN is still the factory default).
      Fill in the blanks.
      Finish with changing the PIN by clicking on Change PIN
    3. Click on Change PUK and then check Use default (if the PUK is still the factory default).
      Fill in the blanks.
      Finish with changing the PUK by clicking on Change PUK
      Record the PUK somewhere safe: it is the only way to unblock the PIN after too many wrong attempts.

    4. Click on Change Management Key and then check Use default (if it is still the factory default).
      Click on Generate a few times to randomly create a new management key
      Finish with changing the key by clicking on Finish
      Save the generated management key in a password manager (or protect it with the PIN if your YubiKey Manager version offers that option); it is required for every later key or certificate change on the PIV slots.


Enrollment

  1. Go back to Applications and then PIV

    1. Click on Configure Certificates
    2. Click on Authentication (Slot 9a) and then Generate

      Authentication (Slot 9a) and Key Management (Slot 9d) can both be used if more than one certificate is needed (e.g., for a separate -admin account)

    3. Check the radio for Certificate Signing Request and then click Next

    4. Select RSA2048 and then click on Next
       
    5. Enter a meaningful subject (e.g., your username) and then click on Next
    6. The next page gives you a summary of what you've done. When you click Generate, the key pair is created on the YubiKey (the private key never leaves it) and a save dialog opens for the .csr file.


  2. Request the Certificate from the Active Directory Certificate Authority

    This step requires:

    • A domain-joined Windows machine
    • Being logged in as the user you are requesting the certificate for (you can leverage RDP with USB forwarding to a bastion host)
    • Membership in CN=its-certs-smartcard,OU=AMS,OU=Groups,OU=RITusers,DC=main,DC=ad,DC=rit,DC=edu 
      • which nests into CN=ITS_Certs_SmartCard,OU=CA Template Delegation,OU=SensitiveContainers,DC=ad,DC=rit,DC=edu


    Open PowerShell and navigate to where you saved the .csr file

    cd <directory where csr file is saved>

    Run the following command to request a certificate from ADCS. You will need to click on RIT AD Signing CA (Kerberos) - itscaad01.ad.rit.edu when the popup appears. The <crt file> argument is the path where the signed certificate will be written.

    certreq -submit -attrib "CertificateTemplate:YubicoSC" <csr file> <crt file>

    If certreq reports that the request is pending instead of writing the .crt file, the template requires approval by a CA manager; note the RequestId it prints and, once approved, fetch the certificate with certreq -retrieve <RequestId> <crt file>.




  3. Once the .crt file is obtained successfully, go back to the YubiKey Manager application
    1. If you closed the application, go to Applications > PIV > Configure Certificates > Authentication
    2. Click on Import
    3. A dialog box will pop up to select the .crt file from the previous step.
    4. Once the certificate is imported, you'll see its details (subject, issuer, expiry) populated in the application
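The same New Setup and Enrollment steps, driven from PowerShell with the ykman command-line tool and certreq instead of the GUI, with a check of the issued certificate before it goes onto the key. This is an added example and not part of the original procedure. It assumes ykman.exe (5.x, shipped with YubiKey Manager) and certreq.exe are on PATH, that the CA config string is host\CA-name as guessed from the popup label (confirm it with certutil -dump), that the shell runs as the account being enrolled, and that your ykman version has the --verify option on certificates import.

```powershell
# Added example, not from the original page: YubiKey PIV enrollment against ADCS
# scripted with ykman + certreq. ykman prompts for PIN / management key; no secrets
# are passed on the command line.
$ErrorActionPreference = 'Stop'

$Slot     = '9a'                 # Authentication slot; use '9d' for a second (e.g. -admin) cert
$User     = $env:USERNAME
$Subject  = "CN=$User"
$Template = 'YubicoSC'
$CaConfig = 'itscaad01.ad.rit.edu\RIT AD Signing CA'   # ASSUMED host\CA-name; verify with certutil -dump
$PubKey   = "$User-$Slot.pub.pem"
$Csr      = "$User-$Slot.csr"
$Crt      = "$User-$Slot.crt"
$FreshKey = $false               # $true for a YubiKey still on factory defaults

function Invoke-Tool {
    # Run an external tool and stop the script on a non-zero exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') exited with $LASTEXITCODE" }
}

# --- New Setup (GUI steps 3.1-3.4): only for a fresh or reset key
if ($FreshKey) {
    Invoke-Tool ykman @('piv', 'access', 'change-pin')
    Invoke-Tool ykman @('piv', 'access', 'change-puk')
    # --generate picks a random management key; --protect stores it on the
    # YubiKey unlocked by the PIN, so there is nothing to write down.
    Invoke-Tool ykman @('piv', 'access', 'change-management-key', '--generate', '--protect')
}

# --- Enrollment step 1: RSA2048 key pair generated in the slot, CSR over its public key
Invoke-Tool ykman @('piv', 'keys', 'generate', '--algorithm', 'RSA2048', $Slot, $PubKey)
Invoke-Tool ykman @('piv', 'certificates', 'request', '--subject', $Subject, $Slot, $PubKey, $Csr)

# --- Enrollment step 2: submit to ADCS; -config selects the CA without the picker popup
$out = & certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Csr $Crt 2>&1
$out | Write-Host
if (-not (Test-Path $Crt)) {
    # No .crt means the template needs CA-manager approval: keep the RequestId for later.
    $id = ([regex]'RequestId:\s*"?(\d+)').Match(($out -join "`n")).Groups[1].Value
    throw "Request pending (RequestId $id). After approval run: certreq -retrieve -config `"$CaConfig`" $id $Crt"
}

# --- Check the issued certificate before loading it
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $Crt).Path)
$eku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
$required = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
foreach ($oid in $required.Keys) {
    if ($eku -notcontains $oid) {
        throw "Issued certificate lacks EKU $($required[$oid]) ($oid); check template $Template"
    }
}
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN     : $($san.Format($false))" }   # the UPN here is what Windows maps to the AD account

# --- Enrollment step 3: import; --verify confirms the cert matches the private key in the slot
Invoke-Tool ykman @('piv', 'certificates', 'import', '--verify', $Slot, $Crt)
Invoke-Tool ykman @('piv', 'info')
```

The EKU check catches the most common enrollment mistake, a certificate issued from the wrong template, before it is written to the key; the --verify on import catches a .crt that belongs to a different CSR (for example one generated for the 9d slot).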

Continue here: Attestation
