Introduction:
In summary, the YubiKey Manager Command Line Interface (CLI), Yubico Manager application, Yubico Authenticator and the YubiKey smart card minidriver were intended to serve different purposes and are designed to operate in separate contexts. Using the minidriver for certificate management ensures a secure, reliable, and integrated approach within the native Windows environment, which is not possible with YubiKey Manager CLI, YubiKey Manager or Yubico Authenticator due to their broader but less specific focus.
When using a YubiKey as a smart card with the YubiKey smart card minidriver, there are specific software components involved that manage how the YubiKey interacts with the operating system and applications. Here's a detailed explanation of why you shouldn’t use YubiKey Manager for certificate management if you're using the YubiKey smart card minidriver:
1. Different Software Components
- YubiKey Manager CLI (ykman) / Yubico Manager / Yubico Authenticator: These are standalone applications developed by Yubico that allow users to configure and manage their YubiKeys. All of them provide functionality for configuring OTP, PIV, FIDO, and OpenPGP.
- Smart Card Minidriver: This is a software component that integrates with the Windows operating system to enable the use of the YubiKey as a smart card. It provides an interface for Windows to manage certificates and perform cryptographic operations using the YubiKey.
2. Exclusive Control
- Minidriver Control: When the YubiKey smart card minidriver is in use, it takes exclusive control over the YubiKey's smart card functionalities. This means that certificate operations, such as reading, writing, or deleting certificates, are managed through the minidriver interface within Windows and not through external applications like YubiKey Manager.
- Potential Conflicts: Using YubiKey Manager CLI or other applications for certificate management while the minidriver is active could lead to conflicts or inconsistent states because both would be trying to manage the same resources on the YubiKey. This can cause issues like certificate corruption, container map (cmap) corruption or loss of functionality.
3. Functionality Scope
- YubiKey Manager (and others): Primarily used for initial configuration and setting up various YubiKey modes (OTP, PIV, FIDO, OpenPGP). It is not designed to handle the intricate certificate management tasks that the minidriver and Windows provide.
- Smart Card Minidriver: Specifically designed for certificate management tasks within the Windows environment, including certificate enrollment, storage, and usage for authentication and signing.
4. Security and Reliability
- Managed Environment: Using the minidriver ensures that all certificate management operations are performed in a controlled and secure environment provided by the Windows OS. This helps maintain the integrity and security of the certificates.
- Reduced Risk of Errors: Since the minidriver is tailored to work with the Windows Certificate Store and related APIs, it reduces the risk of errors and ensures compatibility with other Windows security features.
Why?
There are two smart card specifications at play here. In its default mode the YubiKey operates under the widely supported PIV specification, which identifies certificates by their assigned slot (9a, 9d, 9c and so on). With the YubiKey Smart Card Minidriver installed, however, the YubiKey presents itself as a GIDS-compatible card, supported natively only within the Microsoft environment, and relies on a container map (cmap) to identify the certificates and matching private keys held in containers on the YubiKey. This container map is updated only through the Windows cryptographic APIs; making changes to the certificates outside of Windows with tools such as YubiKey Manager does not update the container map and can corrupt this file.
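As an added illustration (not part of this article or of Yubico's code), the Python below parses a constructed container map using the CONTAINER_MAP_RECORD layout from Microsoft's smart card minidriver specification and reports records that are internally inconsistent, the kind of state the article says can result from changing certificates outside Windows. The consistency checks are this example's own heuristics, not Windows' validation, and the sample records are constructed.

```python
import struct

# One CONTAINER_MAP_RECORD (Microsoft smart card minidriver spec, cardmod.h):
# WCHAR wszGuid[40] (UTF-16LE name, 80 bytes), BYTE bFlags (bit0 valid, bit1 default),
# BYTE bReserved, WORD wSigKeySizeBits, WORD wKeyExchangeKeySizeBits (0 = no such key)
RECORD_FMT = "<80sBBHH"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 86 bytes per record
FLAG_VALID = 0x01
FLAG_DEFAULT = 0x02


def build_record(name, flags, sig_bits=0, kx_bits=0):
    """Pack one record; used here only to construct sample data."""
    wname = name.encode("utf-16-le")[:78].ljust(80, b"\x00")
    return struct.pack(RECORD_FMT, wname, flags, 0, sig_bits, kx_bits)


def parse_cmap(blob):
    """Split a cmap blob into records; reject blobs that are not whole records."""
    if len(blob) % RECORD_SIZE:
        raise ValueError("cmap length %d is not a multiple of %d" % (len(blob), RECORD_SIZE))
    records = []
    for off in range(0, len(blob), RECORD_SIZE):
        wname, flags, _, sig, kx = struct.unpack_from(RECORD_FMT, blob, off)
        name = wname.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        records.append({"index": off // RECORD_SIZE, "name": name, "sig_bits": sig, "kx_bits": kx,
                        "valid": bool(flags & FLAG_VALID), "default": bool(flags & FLAG_DEFAULT)})
    return records


def check_cmap(blob):
    """Return a list of inconsistencies (heuristics, not Windows' own validation)."""
    problems, defaults = [], 0
    for r in parse_cmap(blob):
        if r["valid"] and not r["name"]:
            problems.append("record %d: valid record with an empty container name" % r["index"])
        if r["valid"] and r["sig_bits"] == 0 and r["kx_bits"] == 0:
            problems.append("record %d: marked valid but lists no key" % r["index"])
        if r["default"] and not r["valid"]:
            problems.append("record %d: default flag set on an invalid record" % r["index"])
        defaults += r["default"]
    if defaults > 1:
        problems.append("%d records claim to be the default container" % defaults)
    return problems


# Constructed sample: one healthy 2048-bit key-exchange container followed by two damaged records.
SAMPLE_CMAP = (build_record("7e8c1b2f-0000-4000-8000-000000000001", FLAG_VALID | FLAG_DEFAULT, 0, 2048)
               + build_record("", FLAG_VALID) + build_record("stale", FLAG_DEFAULT))

if __name__ == "__main__":
    for p in check_cmap(SAMPLE_CMAP):
        print(p)
```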