An introduction
So this builds on my earlier posts about my PowerShell module for Yubikeys. I wrote about this functionality when I implemented it, but I realized that I never wrote an end-to-end version. So here goes.
Setting the blank Yubikey up
This part will:
- Connect to the Yubikey
- Set the PIN retry count to 8
- Set the management key to be PIN protected (disables the PUK)
- Change the PIN
- Create a new RSA2048 key
- Build a new CSR that includes attestation data
PS C:\> Import-Module PowershellYK
PS C:\> Connect-YubikeyPIV
cmdlet Connect-YubikeyPIV at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
PIN: ******
PS C:\> Set-YubikeyPIV -PinRetries 8 -PukRetries 3
WARNING: PIN and PUK codes reset to default, remember to change.
PS C:\> Set-YubikeyPIV -PINProtectedManagementkey:$True
PS C:\> Set-YubikeyPIV -ChangePIN
cmdlet Set-YubikeyPIV at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
PIN: ******
NewPIN: ******
PS C:\> New-YubikeyPIVKey -Slot 0x9a -Algorithm Rsa2048 -PinPolicy Once -TouchPolicy Cached
PS C:\> Build-YubiKeyPIVCertificateSigningRequest -Slot "PIV Authentication" -Subjectname "CN=Visit https://virot.eu" -PEMEncoded -Attestation -OutFile C:\Temp\attested.csr
Verifying the CSR
So now we have a CSR to send to our CA, but first we want to verify that our Yubikey is correctly configured. Since the attestation is included in the CSR, this can be verified. We can use TameMyCerts for it, or soon will be able to: I am working with Uwe to implement this functionality.
PS C:\> confirm-YubikeyAttestion -CertificateRequest C:\Temp\attested.csr
AttestionValidated : True
SerialNumber : 19661687
FirmwareVersion : 5.4.3
PinPolicy : Once
TouchPolicy : Cached
FormFactor : UsbAKeychain
Slot : 154
isFIPSSeries : False
isCSPNSeries : False
AttestionMatchesCSR : True
PS C:\>
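Before the CSR goes to the CA it is worth turning the output above into a hard gate, so a request from a key that was not attested, that does not match the CSR, or that has a weaker PIN/touch policy than the template expects is never submitted. The following is an added example, not code from the original post or from the PowershellYK module: it wraps Confirm-YubikeyAttestion and checks the properties the cmdlet prints above. The function name, its parameter names and the thresholds (firmware 5.4.3, PIN policy Once, touch policy Cached, taken from the session above) are my own choices.

```powershell
# Added example: policy gate over Confirm-YubikeyAttestion before submitting a CSR.
# Property names (AttestionValidated, AttestionMatchesCSR, PinPolicy, TouchPolicy,
# FirmwareVersion, isFIPSSeries, SerialNumber, Slot) are the ones the cmdlet prints;
# the function, parameters and default thresholds are assumptions of this example.
function Test-AttestedCsrPolicy {
    param(
        [Parameter(Mandatory)] [string]$CertificateRequest,
        [string]$RequiredPinPolicy   = 'Once',
        [string]$RequiredTouchPolicy = 'Cached',
        [version]$MinimumFirmware    = '5.4.3',
        [switch]$RequireFips
    )

    $att      = Confirm-YubikeyAttestion -CertificateRequest $CertificateRequest
    $failures = [System.Collections.Generic.List[string]]::new()

    # Core of the check: the attestation chain must verify, and the attested
    # key must be the same public key that signed the CSR.
    if (-not $att.AttestionValidated)  { $failures.Add('attestation chain did not validate') }
    if (-not $att.AttestionMatchesCSR) { $failures.Add('attested public key differs from the CSR public key') }

    # Key-usage policy baked into the slot at generation time. Compare as strings
    # so the check works whether the cmdlet returns enums or plain text.
    if ("$($att.PinPolicy)" -ne $RequiredPinPolicy) {
        $failures.Add("PinPolicy is $($att.PinPolicy), expected $RequiredPinPolicy")
    }
    if ("$($att.TouchPolicy)" -ne $RequiredTouchPolicy) {
        $failures.Add("TouchPolicy is $($att.TouchPolicy), expected $RequiredTouchPolicy")
    }

    # Firmware floor and optional FIPS requirement.
    if ([version]"$($att.FirmwareVersion)" -lt $MinimumFirmware) {
        $failures.Add("firmware $($att.FirmwareVersion) is below $MinimumFirmware")
    }
    if ($RequireFips -and -not $att.isFIPSSeries) {
        $failures.Add('key is not a FIPS series Yubikey')
    }

    [pscustomobject]@{
        Passed       = ($failures.Count -eq 0)
        SerialNumber = $att.SerialNumber
        Slot         = $att.Slot
        Failures     = $failures
    }
}

# Usage: only hand the CSR to certreq when the gate passes, and keep the
# Yubikey serial in the error for the record.
$check = Test-AttestedCsrPolicy -CertificateRequest C:\Temp\attested.csr
if ($check.Passed) {
    certreq -submit -attrib "CertificateTemplate:TestUser" C:\Temp\attested.csr C:\Temp\attested.cer
} else {
    Write-Error ("CSR from Yubikey {0} rejected: {1}" -f $check.SerialNumber, ($check.Failures -join '; '))
}
```

Run against the CSR produced above, the gate passes with the values shown (validated, matching, Once/Cached, firmware 5.4.3). The serial number in the result gives you something to log next to the request ID the CA hands back.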
Submit the Certificate to your favorite CA
C:\>certreq -submit -attrib "CertificateTemplate:TestUser" C:\temp\attested.csr C:\temp\attested.cer
Active Directory Enrollment Policy
{F3C91389-BEE8-4BEF-B8DC-EC8BA3307EBF}
ldap:
RequestId: 2494
RequestId: "2494"
Certificate retrieved(Issued) Issued
C:\>
You should now have a certificate file.
Import the certificate
Let's import the certificate and check that it is available.
PS C:\> Import-YubikeyPIV -Slot "PIV Authentication" -Certificate C:\temp\attested.cer
PS C:\> Get-YubikeyPIV -Slot "PIV Authentication"
Slot : 154
KeyStatus : Generated
Algorithm : Rsa2048
PinPolicy : Once
TouchPolicy : Cached
Certificate : [Subject]
[Issuer]
CN=test-WIN-UNORS4P71FA-CA, DC=test, DC=virot, DC=eu
[Serial Number]
4D000009BFF7C9E98870DA9ACD0000000009BF
[Not Before]
2024-11-28 18:07:01
[Not After]
2025-11-28 18:07:01
[Thumbprint]
BB77095A25DAECEB872BBA80464E9F2A1A2386A7
PublicKey : System.Security.Cryptography.RSABCrypt
PS C:\>
Getting altSecurityIdentities
PS C:\> ConvertTo-AltSecurity -Certificate C:\temp\attested.cer
sshAuthorizedkey : ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5/NGqQiCl+DEo+EDGptBN3/ofN8tpk3f8Aw2LADftlwd5Nj04Q3dMGjabzwPtJeH+uWHSvYtPGUgFGWlHgkJP/2k37pztYpfmU6b9GsGFeVTYPYMhzxqPfgOZwZPnSCSnzuw/Sy+GtmmYlM9iXkp3VejiIgWT+tTYZRCGUjLQN13MQI24UnWK9pWpmIh1Aohy9Dcn0RiYtlqrr+YthB8hxkvalB6XeBvhoublR4gjEE46NdFyXaQ3BpIVxc6JnapiXBB/PJbig34JNP+Vld7vDS/MFWTZy+zXVajIvzHifUqaqmZ4aPh+MGflJ6bYRyDv9WXhGBnchRMCgfXVYqFN
X509IssuerSubject : X509:<I>CN=test-WIN-UNORS4P71FA-CA, DC=test, DC=virot, DC=eu<S>
X509SubjectOnly : X509:<S>
X509RFC822 :
X509IssuerSerialNumber : X509:<I>CN=test-WIN-UNORS4P71FA-CA, DC=test, DC=virot, DC=eu<SR>BF0900000000CD9ADA7088E9C9F7BF0900004D
X509SKI : X509:<SKI>B52E6C56E0C214DE77C1958444A8C2F1AE1D97AA
X509SHA1PublicKey : X509:<SHA1-PUKEY>BB77095A25DAECEB872BBA80464E9F2A1A2386A7
PS C:\>
These are the identifiers that can be placed in altSecurityIdentities to map this certificate to an account for authentication.
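To see how the strong mappings above are built, and to actually apply one, here is an added example (not code from the original post or from PowershellYK). It derives X509IssuerSerialNumber and X509SKI from the issued certificate with plain .NET, and then writes a mapping to a user's altSecurityIdentities with Set-ADUser from the ActiveDirectory module (RSAT). The function names and the account name are my own; the certificate path is the one used above.

```powershell
# Added example: build the strong altSecurityIdentities values from a certificate
# file and write one to an AD user. Set-ADUser / Get-ADUser require the
# ActiveDirectory module; the function names here are assumptions of this example.
function Get-StrongAltSecurityIdentity {
    param([Parameter(Mandatory)] [string]$CertificatePath)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # The <SR> field is the serial number with its bytes in reverse order.
    # GetSerialNumber() already returns the bytes little-endian, so joining them
    # as hex yields the reversed form directly (4D00...09BF becomes BF09...004D).
    $reversedSerial = -join ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') })

    # Subject Key Identifier, if the CA put one in the certificate.
    $skiExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] } |
        Select-Object -First 1
    $ski = if ($skiExt) { "X509:<SKI>$($skiExt.SubjectKeyIdentifier)" } else { $null }

    [pscustomobject]@{
        X509IssuerSerialNumber = "X509:<I>$($cert.Issuer)<SR>$reversedSerial"
        X509SKI                = $ski
    }
}

function Set-CertificateMapping {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$CertificatePath
    )

    $map = Get-StrongAltSecurityIdentity -CertificatePath $CertificatePath

    # Issuer+serial is unique to this exact certificate, so the mapping must be
    # replaced when the certificate is renewed; -Add keeps any existing values.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $map.X509IssuerSerialNumber }

    # Read back what is now on the account.
    Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities |
        Select-Object -ExpandProperty altSecurityIdentities
}

# Usage (account name is a placeholder):
# Get-StrongAltSecurityIdentity -CertificatePath C:\temp\attested.cer
# Set-CertificateMapping -SamAccountName 'PLACEHOLDER-USER' -CertificatePath C:\temp\attested.cer
```

The X509IssuerSerialNumber string produced by Get-StrongAltSecurityIdentity should be identical to the one ConvertTo-AltSecurity printed above, which is a quick way to confirm the byte reversal. Of the six values listed, only X509IssuerSerialNumber, X509SKI and X509SHA1PublicKey are strong mappings under KB5014754; X509IssuerSubject, X509SubjectOnly and X509RFC822 are weak and will be rejected by domain controllers in full enforcement mode.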
Windows issues seeing the new certificate?
Windows is good at caching. Let's give the Yubikey a new identity, to force Windows to see it as a new Yubikey.
C:\> Set-YubikeyPIV -newCHUID
C:\>