Main Page: YubiKey Smart Card Deployment Guide
Previous: YubiKey Smart Card Deployment Considerations
TABLE OF CONTENTS
Configuring a Certification Authority (CA) for Smart Card Authentication
In order to utilize the Smart Card functions in a Windows environment using the YubiKey Minidriver, a Certification Authority (CA) must first be stood up.
This chapter covers the basic configuration for setting up a new Certification Authority (CA) to a Windows Server (2016 and above). These steps assume an Active Directory environment is already stood up and configured.
NOTE: If a Certification Authority already exists in your environment, skip this chapter and proceed to YubiKey Minidriver Installation.
Certification Authority Prerequisites
IMPORTANT: The installation should be performed by an experienced system administrator. These instructions include steps for a basic configuration. For information about implementing advanced configurations, see this Microsoft Technet article (https://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx).
Before you create a Certification Authority (CA), be sure you set up a Microsoft Windows Active Directory domain environment.
Microsoft recommends that you do not deploy a Root Certification Authority (CA) on a Domain Controller. As an additional security measure, consider installing the Root CA on a standalone offline server, and use a Subordinate CA for all certificate signing. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/server-certificate-deployment-overview
Creating a Certification Authority
If a Certification Authority already exists in your environment, skip this section and proceed to YubiKey Minidriver Installation.
-
Open Server Manager and choose Add roles and features, and click Next.
-
Select Role-based or feature-based installation, and click Next.
-
Click Select a server from the server pool, and from Server Pool, select the server on which you want to install the Certification Authority. Click Next.
-
Under Server Roles, select Active Directory Certificate Services, and click Next.
-
Click Add Features, and click Next, and then Next again.
-
Select Certification Authority, and click Next.
-
Click Install. Allow several minutes for the process to complete.
-
Select Configure Active Directory Certificate Services on the destination server, and click Next.
-
Select Certification Authority, and click Next.
-
Choose Enterprise CA, and click Next.
-
Choose Root CA, and click Next.
-
Select Create a new private key, and click Next.
-
Select the cryptographic provider, hash algorithm, and key length for the private key, and click Next.
NOTE: Changing the cryptographic provider, hash algorithm, and key length from the default values may increase the size of smart card login certificates beyond the available space on the YubiKey. Be sure the values you select are supported by the YubiKeys that you will use in your environment:
Maximum supported certificate size |
Supported key lengths (bits) | Supported hash algorithms | Encryption | |
YubiKey 4/5 | 3052 bytes | RSA: 1024, 2048 ECDSA: P256, P384 |
SHA256, SHA384 | RSA, ECDH |
-
Common name and Distinguished name will be automatically populated. Confirm the values match the server name and domain name, and click Next.
-
Select the validity period for the Certification Authority certificate, and click Next.
TIP: This period must be longer than what you set for the smart card login certificate template. Yubico recommends the default value of 5 years. -
Leave the Database locations to the default values and click Next again.
-
Verify all settings match the desired values, and click Configure.
-
When the process completes, exit the installation wizard by clicking Close.
Adding Support for Elliptic Curve Cryptography (ECC) Certificate Login
By default, ECC certificates are not supported for domain login in Active Directory. In order to allow ECC certificates for domain login, a GPO must be set. This can be done either through Group Policy or by editing the registry on the local system (in the case of a system where Group Policy is not managed by the domain). These topics are described:
Adding ECC Through a Group Policy Object
-
Right-click the Windows Start button and select Run.
-
Type gpmc.msc and press Enter.
-
Navigate to the AD forest and Domain containing your server, double-click your server and double-click Group Policy Objects.
-
Right-click on the group policy you want to edit, and then select Edit.
-
Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card.
-
Right-click on Allow ECC certificates to be used for logon and authentication and select Edit.
-
On the Edit window select Enabled.
-
Click OK.
-
Allow Active Directory to update. Depending on environment, it could take up to eight hours for the template to publish to Active Directory.
Adding ECC Through the Local Registry
In the event a machine cannot be managed via Group Policy, support for ECC Certificates can be done via the local registry.
-
Right-click the Windows Start button and select Run.
-
Type regedit and press Enter.
-
Expand HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > SmartCardCredentialProvider (Note: It is possible that SmartCardCredentialProvider doesn’t currently exist. If that is the case, right-click Windows and select New > Key and name it SmartCardCredentialProvider).
-
With SmartCardCredentialProvider highlighted, open the Edit menu and select New > DWORD (32-bit) Value.
-
Name the new object EnumerateECCCerts.
-
Right-click on EnumerateECCCerts and select Modify…
-
Set the Value data to 1 and click OK.
-
Close Registry Editor.
Changing the Behavior for Your Domain When You Remove the Smart Card
When a user logs into the domain account using a smart card, by default, the user can remove the smart card at any point with no change to the login status. For security reasons, you may want to enforce a different behavior. In Group Policy, you can specify that Windows locks the user account, or logs out the user if the smart card is removed at any point while the user is logged in to the account.
Editing Group Policy to Lock the User's Workstation when a Smart Card is Removed
-
Right-click the Windows Start button and select Run.
-
Type gpmc.msc and press Enter.
-
Right-click on the group policy you want to edit, and then select Edit.
-
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
-
On the left pane, locate and right-click Interactive Logon: Smart card removal behavior, and select Properties.
-
Click Local Security Setting, and set it to Lock Workstation or Force Logoff, depending on your requirements.
-
Click Apply, and then click OK.
Modifying the Windows Registry to Delay the Smart Card Removal Policy Service
When using the YubiKey with other functions (such as U2F or WebAuthn), the YubiKey will act as if the smart card has been ejected, locking Windows. To prevent this from occurring, the registry can be modified to delay the Smart Card Removal Policy Service.
-
When logged in under an admin account, Right-click the Windows Start button and select Run.
-
Type gpmc.msc and press Enter.
-
Right-click on the group policy you want to edit, and then select Edit.
-
Expand Computer Configuration > Preferences > Windows Settings.
-
Right-click Registry, and select New > Registry Item.
-
Set the following fields as indicated:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\SCPolicySvc
Value name: DelayedAutoStart
Value type: REG_DWORD
Value data: 1
-
Click OK.
Working with Enterprise Root Certificates
In order to log on to a Windows system with a smart card, the system needs to be able to build the entire certificate chain from the smart card to the root CA. For a standard forest running Active Directory Certificate Services, Windows can manage the trust chain for the YubiKey smart card authentication automatically. Storing the certificate chain on the smart card may be a desirable alternative to deploying all of the intermediate certificates to every system. Storing the certificate chain on the YubiKey does not remove the need to ensure that the system trusts the root CA, this feature only helps the client system build the certificate chain to an already trusted root. Common situations covered are: including systems on a multi-forest domain, users logging onto domain accounts from non-domain systems, or deployments adding new systems to a domain using a smart card for authentication.
Adding a Root Certificate does require the YubiKey Minidriver is installed on the server and client systems. See the section Deploying the YubiKey Minidriver to Workstations and Servers for more information.
In order to run the 'certutil -scroots update' command successfully, the Management Key must be set to it's default value. If the Management Key has been changed, the YubiKey will become read-only and adding additional certificates via certuil will not be possible.
Adding an Enterprise Root Certificate to the YubiKey
- Right-click the Windows Start button and select Windows PowerShell (Admin) or Command Prompt (Administrator), depending on your Windows build.
- Type in the following command and press Enter:
certutil -scroots update
- When prompted for your Windows Security PIN, enter the PIN for your smart card and then press Enter.
- To verify both the smart card certificate and the root certificate are loaded to the smart card, type in the following command and then press Enter:
certutil -scinfo
You are prompted to enter your smart card PIN several times. Enter it each time it is requested.
- To verify a root certificate is enrolled, type in the following command and then press Enter:
certutil -scroots view
Manually deleting certificates
To delete certificates from a certificate chain manually, including a Base CSP container and associated key/certificate on the YubiKey 4/5 through the YubiKey Minidriver, use the certutil command line program. To list the current containers on the card, use the command:
certutil -key -csp "Microsoft Base Smart Card Crypto Provider"
This returns a list of container names and key types. To remove a container cleanly, use the following command while running with elevated permissions as administrator:
certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "<container name>"
Next Steps
This section helps you determine the next steps in your YubiKey smart card deployment process using the YubiKey Minidriver.
User Self Enrollment
If auto-enrollment has been set up in your environment, your users should be prompted to register a smart card the next time they log into their accounts.
Enrollment on Behalf of Other Users
The YubiKey Smart Card Minidriver allows for an admin or user with elevated permissions to enroll on behalf of other users. This is useful for deployments where the YubiKeys need to be provisioned from a central location, or replacement YubiKeys need to be generated for users who have locked their PIN.
Windows 11
With Windows 11, the Enrollment on Behalf of Other Users dialog has been enhanced to allow multiple users to have a YubiKey enrolled using the same template at once. The dialog remains the same, but at the end of the enrollment process, an option to enroll another user can be accessed with the “Next User” button.
Protecting Microsoft Cloud Environment with a YubiKey
Microsoft has built an impressive collection of integrated cloud service capabilities that span infrastructure, platforms and applications. Many of these services can also be secured with your YubiKey through Active Directory Federation Services (AD FS). While the steps to do so are outside the scope of this document, interested parties can learn more at: https://support.yubico.com/hc/en-us/articles/7464199975196-Phishing-Resistant-Multi-Factor-Authentication