Enroll a PIV card from Windows ADDS + CA #2592
Comments
PIV cards were designed by NIST to be administered using tools outside the specs and each vendor could provide their own way to do the administration. OpenSC does include a You may want to try the Yubico minidriver See: https://www.yubico.com/support/download/smart-card-drivers-tools/ which says: "The YubiKey Smart Card Minidriver enables users and administrators to use the native Windows interface for certificate enrollment, managing the YubiKey smart Card PIN, and smart card authentication on Windows." https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-73-4.pdf uses the term "Management Key" as key to be used for encryption and also has a certificate. What you may be thinking of is the 9B key "PIV Card Application Administration Key" But card vendors may chose to no support or use this key. |
|
See also the discussion at #2671. If some volunteer implements this, we could integrate this. For now, however, there's nothing to do. |
Problem Description
I use OpenSC with arekinath/PivApplet. When I use Yubikey's
yubico-piv-tooleverything works fine to import and/or generate keys and certificate on card.However, when I use OpenSC's minidriver in an AD/DS environment in order to enroll certificates I always get the error :
An internal consistency check failedI use the following in OpenSC Conf :
md_read_only = false;md_supports_X509_enrollment = true;md_supports_container_key_gen = true;md_supports_container_key_import = true;Proposed Resolution
I think it has something to do with management key. Since I can't find where I can feed OpenSC mindiriver with the PIV Management Key, it can't do administrative tasks on the card. Am I right?
The text was updated successfully, but these errors were encountered: