Enroll a PIV card from Windows ADDS + CA #2592
Comments
PIV cards were designed by NIST to be administered using tools outside the specs, and each vendor could provide their own way to do the administration. OpenSC does include a You may want to try the Yubico minidriver. See: https://www.yubico.com/support/download/smart-card-drivers-tools/ which says: "The YubiKey Smart Card Minidriver enables users and administrators to use the native Windows interface for certificate enrollment, managing the YubiKey smart Card PIN, and smart card authentication on Windows." https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-73-4.pdf uses the term "Management Key" as a key to be used for encryption and also has a certificate. What you may be thinking of is the 9B key "PIV Card Application Administration Key". But card vendors may choose to not support or use this key.
See also the discussion at #2671. If some volunteer implements this, we could integrate this. For now, however, there's nothing to do.
Problem Description
I use OpenSC with arekinath/PivApplet. When I use Yubikey's yubico-piv-tool, everything works fine to import and/or generate keys and certificates on the card. However, when I use OpenSC's minidriver in an AD/DS environment in order to enroll certificates, I always get the error:
An internal consistency check failed
I use the following in OpenSC conf:
md_read_only = false;
md_supports_X509_enrollment = true;
md_supports_container_key_gen = true;
md_supports_container_key_import = true;
Proposed Resolution
I think it has something to do with the management key. Since I can't find where I can feed the OpenSC minidriver with the PIV Management Key, it can't do administrative tasks on the card. Am I right?