csis / enrollmentstation
Enrollment Station for enrolling Yubico smart cards in a Windows PKI
License: Other
Tried using a Yubikey 4; although it read the device fine, upon enrollment I receive a "failed to generate key pair" error message.
This is a feature request to add "PIN tries amount" to configuration.
Currently if the policy is to use some other PIN try amount than the default 3, one has to manually use the PIV tool to change the PIN try amount. But after that is done, the PIN and PUK are reset to default - making the workflow very cumbersome since ES does not readily display the PUK.
As reported by "pkcs15-tool --list-keys" on Linux, the keys created by ES do not have the "sign" usage flag set. For example:
# pkcs15-tool --list-keys
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
Object Flags : [0x1], private
Usage : [0x22], decrypt, unwrap
However, keys created with the YubiKey PIV Manager do:
$ pkcs15-tool --list-keys
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
Object Flags : [0x1], private
Usage : [0x26], decrypt, sign, unwrap
Most importantly, the "sign" flag is needed for PKINIT to work on Linux as discovered here: https://pagure.io/SSSD/sssd/issue/3616
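As an added example (not code from the EnrollmentStation project), the following Python parses the `pkcs15-tool --list-keys` output quoted above and decodes the usage bitmask, so an administrator can check an enrolled key for the "sign" usage that PKINIT on Linux requires. The bit values are OpenSC's PKCS#15 private-key usage flags; the two sample outputs are copied from the issue text.

```python
import re

# OpenSC PKCS#15 private-key usage bits (SC_PKCS15_PRKEY_USAGE_* in pkcs15.h).
# 0x22 = decrypt|unwrap and 0x26 = decrypt|sign|unwrap, matching the pkcs15-tool
# lines quoted in the issue above.
USAGE_BITS = {
    0x001: "encrypt",
    0x002: "decrypt",
    0x004: "sign",
    0x008: "signRecover",
    0x010: "wrap",
    0x020: "unwrap",
    0x040: "verify",
    0x080: "verifyRecover",
    0x100: "derive",
    0x200: "nonRepudiation",
}

# Sample input: the two outputs quoted in the issue (ES-created key vs PIV Manager key).
ES_OUTPUT = """\
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
Object Flags : [0x1], private
Usage : [0x22], decrypt, unwrap
"""

PIVMGR_OUTPUT = """\
Using reader with a card: Yubico Yubikey 4 OTP+U2F+CCID 00 00
Private RSA Key [PIV AUTH key]
Object Flags : [0x1], private
Usage : [0x26], decrypt, sign, unwrap
"""

_KEY_HDR = re.compile(r"^Private (\w+) Key \[(.+?)\]\s*$")
_USAGE = re.compile(r"^\s*Usage\s*:\s*\[0x([0-9a-fA-F]+)\]")


def decode_usage(mask):
    """Return the usage names set in a PKCS#15 key-usage bitmask, lowest bit first."""
    return [name for bit, name in sorted(USAGE_BITS.items()) if mask & bit]


def parse_pkcs15_keys(text):
    """Parse 'pkcs15-tool --list-keys' output into a list of {type, label, usage} dicts.

    Each 'Private <TYPE> Key [<label>]' header starts a new key; the following
    'Usage : [0x..]' line supplies its bitmask (parsed from the hex, not the names).
    """
    keys = []
    current = None
    for line in text.splitlines():
        m = _KEY_HDR.match(line.strip())
        if m:
            current = {"type": m.group(1), "label": m.group(2), "usage": 0}
            keys.append(current)
            continue
        m = _USAGE.match(line)
        if m and current is not None:
            current["usage"] = int(m.group(1), 16)
    return keys


def pkinit_ready(key):
    """True when the key carries the 'sign' usage that PKINIT needs on Linux."""
    return "sign" in decode_usage(key["usage"])


def report(text):
    """One line per key: label, decoded usages, and whether PKINIT can use it."""
    return [
        f"{k['label']}: {', '.join(decode_usage(k['usage']))}"
        f" -> {'OK' if pkinit_ready(k) else 'MISSING sign usage'}"
        for k in parse_pkcs15_keys(text)
    ]


if __name__ == "__main__":
    for label, out in (("ES", ES_OUTPUT), ("PIV Manager", PIVMGR_OUTPUT)):
        print(label, report(out))
```

Run it against real `pkcs15-tool --list-keys` output to spot keys enrolled without the sign usage before users hit the PKINIT failure described in the SSSD issue.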
I'm using a Yubikey4 w/ OTP and CSIS turned on, and Enrollment Station does not detect it. Windows sees it as a smart card reader.
Currently no PIN complexity exists when enrolling a yubikey or resetting the PIN.
Using the Yubikey Minidriver on Windows, users can change the PIN to something like 1 character, which is not secure, so we disabled the possibility to change the PIN via Windows.
Using PIV Manager there is a PIN complexity, but it follows the standard Windows complexity and integration in Windows is not so nice
Is there a way we can customize the PIN complexity using this tool?
See #13
On enrolling a user, the error "Unable to import a certificate" is displayed. The CA has issued the certificate correctly, which I now have to revoke.
This same error happened on the first YubiKey NEO I attempted to enroll with ES. Then, I fumbled around for a few hours with this YK, tried ES again, and enrollment magically worked with ES. I was happy and moved to the next YK - again the same "Unable to import a certificate" error.
I have checked the NEO Manager, and CCID mode is enabled (disabling + re-enabling CCID did not help). PIV Manager seems to work on it.
I do not remember exactly what I did with the first YK, but it included:
And so on.. I specifically did NOT do any "set-ccc" / "set-chuid" / resetting on it.
We have a number of agents that can issue Yubikeys, but get the attached error when attempting to revoke. Others are able to issue, revoke and terminate on their enrollment station, so it appears to be permissions based. We have attempted revoke with the problem agents on several enrollment stations and they receive the same error.
I am trying to use the code from the ADD-TRIESCONFIG branch and not having any luck.
Using the method
public bool ChangePinPukRetries(byte pinRetryCount, byte pukRetryCount)
This line
return code == YubicoPivReturnCode.YKPIV_OK && sw == YubikeyPivNative.SW_SUCCESS
returns false, because SW is returned as 27010, which is SW_ERR_SECURITY_STATUS and not 0x9000 (or its decimal equivalent).
Digging deeper, the SW is a Status Word, and is outlined here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf (Section 5.6)
I am getting back 69 and 82, which according to that pdf means Security status not satisfied
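As an added example (not EnrollmentStation or YubicoLib code), this Python decodes the decimal status word libykpiv hands back into its SW1/SW2 bytes and an ISO 7816-4 / SP 800-73-4 meaning, which is how 27010 becomes "69 82: Security status not satisfied". The `STATUS_WORDS` table is an assumed subset of the standard status words; the `check_piv_response` helper is a hypothetical counterpart to the `code == YKPIV_OK && sw == SW_SUCCESS` check quoted above that also returns the reason.

```python
# Status word a PIV applet returns on success (ISO 7816-4 "normal processing").
SW_SUCCESS = 0x9000  # 36864 in decimal

# Assumed subset of fixed-value status words (ISO 7816-4 meanings, as used by
# SP 800-73-4 Part 2, Section 5.6). 0x6982 is the value reported in the issue.
STATUS_WORDS = {
    0x9000: "Successful execution",
    0x6982: "Security status not satisfied",
    0x6983: "Authentication method blocked",
    0x6A80: "Incorrect parameter in command data field",
    0x6A81: "Function not supported",
    0x6A82: "Data object or application not found",
    0x6A84: "Not enough memory",
    0x6A86: "Incorrect parameter in P1 or P2",
    0x6A88: "Referenced data not found",
    0x6B00: "Wrong parameters P1-P2",
    0x6D00: "Instruction code not supported",
    0x6E00: "Class not supported",
}


def split_status_word(sw):
    """Split a 16-bit status word (e.g. the decimal 27010) into (SW1, SW2)."""
    if not 0 <= sw <= 0xFFFF:
        raise ValueError("status word must fit in 16 bits")
    return sw >> 8, sw & 0xFF


def describe_status_word(sw):
    """Human-readable meaning of a status word, including the SW2-encoded families."""
    sw1, sw2 = split_status_word(sw)
    if sw1 == 0x61:
        return f"Successful execution, {sw2} more response bytes available"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # 63 CX: verification failed, X = remaining retries (PIN/PUK counters)
        return f"Verification failed, {sw2 & 0x0F} retries remaining"
    if sw1 == 0x6C:
        return f"Wrong length in Le field, expected {sw2}"
    return STATUS_WORDS.get(sw, "Unknown status word")


def check_piv_response(code_ok, sw):
    """
    Hypothetical counterpart of the ES check `code == YKPIV_OK && sw == SW_SUCCESS`
    that returns the verdict together with a decoded reason, so a False result
    can be diagnosed instead of silently failing.
    """
    ok = bool(code_ok) and sw == SW_SUCCESS
    sw1, sw2 = split_status_word(sw)
    return ok, f"SW={sw1:02X} {sw2:02X}: {describe_status_word(sw)}"


if __name__ == "__main__":
    # The value from the issue: decimal 27010 == 0x6982
    print(check_piv_response(True, 27010))
    print(check_piv_response(True, SW_SUCCESS))
    print(check_piv_response(True, 0x63C2))
```

Logging the decoded status word next to the libykpiv return code makes it obvious when a management operation was rejected for lack of prior authentication rather than because of a bad argument.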
Hi there,
One more request! Is it possible to have the option to use the touch policy on the Yubikey 4's? I only ask since this so far seems the best way to manage Yubikey's!
Thanks again in advance!
There is a typo on the termination confirmation dialog:
"This will terminate the Yubikey, wiping the PIN, PUK, Management Key and Certificates. This will also revoke the certificiate. Proceed?"
Note "certificiate" and not "certificate".
It would be very nice if a PUK code could be defined in CSIS settings. And the amount of PIN/PUK retries.
Currently the CLI tool is needed to set these manually after programming the key with CSIS.
We are using the EnrollmentStation and YubicoLib code to help write our own Yubikey provisioning software.
We have the need to set the CCC value in order to use the Yubikeys to login to our Mac systems, but the YubikeyPivNative class does not have a method for doing that.
In an attempt to implement it myself I have mimicked the methods in YubikeyPivNative:
[DllImport("Binaries\\libykpiv-1.dll", EntryPoint = "ykpiv_util_set_cccid", CharSet = CharSet.Ansi, SetLastError = true, CallingConvention = CallingConvention.Cdecl)] internal static extern YubicoPivReturnCode YkPivSetCcc(IntPtr state, byte[] ccc);
I found the function name by using DLL Export Viewer, but I get an exception when I attempt to call it using the above code:
'Unable to find an entry point named 'ykpiv_util_set_cccid' in DLL 'Binaries\libykpiv-1.dll'.'
I'm sure I have the method signature wrong, since I don't know what arguments ykpiv_util_set_cccid is expecting.
Is there any light you could shed on this for us?
I'm trying to set up an enrollment station and am also getting the 'unable to import a certificate, return code YKPIV_GENERIC_ERROR' error. I've changed the template minimum key size to 1024 and still no dice. I can use the PIV Manager to generate keys, but we want to use ES with an enrollment agent.
When starting the application I'm getting AppCrash Report and specific systems.
I've tried to debug and got the following Error:
Unable to init device: YKNEOMGR_BACKEND_ERROR
at EnrollmentStation.Code.YubikeyNeoManager..ctor()
at EnrollmentStation.MainForm..ctor()
at EnrollmentStation.Program.Main()
Windows Server 2012 R2 Standard x64, via RDP.
Application: EnrollmentStation.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
at EnrollmentStation.Code.YubikeyNeoManager.YkNeoManagerDiscover(IntPtr)
at EnrollmentStation.Code.YubikeyNeoManager.RefreshDevice()
at EnrollmentStation.Code.YubikeyDetector.BackgroundWork()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
at System.Threading.Tasks.Task.ExecutionContextCallback(System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef)
at System.Threading.Tasks.Task.ExecuteEntry(Boolean)
at System.Threading.Tasks.Task.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()
Some of the YubiKey tools show management keys with lower case letters. ES does not accept such a management key, and the letters must be changed to upper case.
A management key with lower case letters should be accepted, and ES should then internally convert the lower case letters to the suitable case.
We have observed that when using a Computer certificate, the ES must be run using Admin rights.
The ES should present a notification that it should be run as admin if it detects a computer certificate, if it doesn't have the necessary rights.
I believe that the best practice is to store the Enrollment Certificate on a smart card for security. It seems EnrollmentStation does not support this?
I have requested an Enrollment Certificate with the PIV Manager tool and saved it to some slot, say 9c or 9d. But when choosing the Agent certificate, "browse" button only displays the certificate on the local computer and not certificates from YubiKey.
Hi,
Just wondered if it is possible to use ECC certificates with the Enrollment Station? How much work would it be to add it in? I can use RSA 1024 / 2048 just fine, but would prefer to use ECC (I have the template set up and it works with the minidriver enrollment, but want to do PIV and use the Enrollment Station).
I'm looking for ECC P256 support specifically.
Thanks in advance!
I just got a few Yubikey 4's with a newer firmware, v4.3.1. When I try to enroll, it errors with "Unable to create CSR". Previous batch of Yubikey 4's with firmware v4.2.8 work fine.
I've downloaded the latest committed version and ran the compiled Enrollmentstation.exe.
First I configured all required settings such as management key, CA and agent cert.
After plugging in a yubikey and clicking on "Enroll Yubikey", an exception appears like this:
System.Threading.LockRecursionException: Das Einrichten von rekursiven Schreibsperren ist in diesem Modus nicht zulässig.
bei System.Threading.ReaderWriterLockSlim.TryEnterWriteLockCore(TimeoutTracker timeout)
bei System.Threading.ReaderWriterLockSlim.TryEnterWriteLock(TimeoutTracker timeout)
bei EnrollmentStation.DlgEnroll.YubikeyStateChange()
bei EnrollmentStation.DlgEnroll.DlgEnroll_Load(Object sender, EventArgs e)
bei System.Windows.Forms.Form.OnLoad(EventArgs e)
bei System.Windows.Forms.Form.OnCreateControl()
bei System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
bei System.Windows.Forms.Control.CreateControl()
bei System.Windows.Forms.Control.WmShowWindow(Message& m)
The current procedure for updating expired certificates is to terminate the Yubikey (which revokes the certificate) and enroll it again. This has 2 issues:
Clock skew considerations
Key renewal discussion
*User's PIN
Documentation considerations
Add a check on a PIN length of minimum 6 characters in firmware 4.3.1+
See #14
At this time it is required for the PIN RESET to be 6 or more characters, but you can use more than 8
This is a problem for Yubikey NEO used on Windows systems with the Yubikey Mini Driver, which do not allow more than 8 characters
At customer site (>500 Yubikeys) the users need to RESET their PIN at an enrollment facility, and are told to use between 6-8, but users can and therefore will not listen and use more than 8 anyways :)
Is there a setting which can be altered to set the maximum to 8 characters for the PIN Reset?
Looking at https://forum.yubico.com/viewtopic.php?f=25&t=2764 there has been a massive change in how YK PIV functionality can work.
Am I mistaken in thinking that the Minidriver makes EnrollmentStation (ES) more or less redundant? Are there some functions in ES that the are missing from the native Windows functionality leveraging the Minidriver?
Does this mean the ES, that has not seen a release in a year, will be getting even less development?
Pushing out the Minidriver through Windows Updates surprised us, bad, and I think we cannot move to use it because we use the YK PIV functionality in macOS as well. I understood if you go the Minidriver way and re-enroll the YK, it cannot be used under macOS/OpenSC? These non-ES-related questions I shall put to the official YK forum as well.
Edit: the aforementioned forum link totally does not even mention ES. Is this product/workflow actually still officially supported by YubiCo??
Hello, we are currently evaluating the YubiKey for use by our users. I installed a new root CA and configured it with the instructions from your documentation. I have been able to use the CSIS Enrollment Station to issue my first certificate for one user and was able to successfully log into the user's workstation via the smartcard. I now want to revoke the certificate to make more tests and I'm getting the following error. Please see screenshot:
https://dl.dropboxusercontent.com/u/7894017/Yubi_Error.jpg
Doing a google search, it seems to be because I'm running the Enrollment Station on a 64bit OS (Windows 10)
I'm using this version of the enrollment station https://github.com/CSIS/EnrollmentStation/releases/download/0.3.5.0/Enrollment.Station.v0.3.5.0.zip
How can I get around this issue?
Thank you
Currently the Enrollment Station appears not to support the 4 and 4 Nano. If you guys need some devices to test with, please e-mail [email protected] and I'd be happy to send as many as you need. Great work on this project!
Looking at the commit frequency graph, there are clear peaks and valleys in the activity.
I do not know if it suits your development process, but could you please consider using the "releases" functionality of GitHub? This would make it much easier for end-users to get the whole thing installed. It is not very convenient to download binaries one by one.
All projects build OK, but when I try to debug the project I get this error in YubikeyNeoManager.cs:
YubicoNeoReturnCode res = YubikeyNeoNative.YkNeoManagerListDevices(deviceHandle.Device, ptr, ref len);
Error:
An unhandled exception of type 'System.AccessViolationException' occurred in YubicoLib.dll
Additional information: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Running Visual Studio 2015 in a Parallels machine with Windows Server 2012 R2.
Please help!!
Installed, as Administrator, on a new 2016 Domain Controller for YubiKey roll-out; CA is present and certificates are valid.
Recently I tried to get the software running. I'm currently failing hard.
Are there any specific requirements on installation and running the software?
I think it would be really great to have install and requirements guide on that.
Is it possible to interact with 3rd party provisioned devices?