Main Page: YubiKey Smart Card Deployment Guide
Preparing the Certification Authority for Smart Card Login with a YubiKey
Before smart card login certificates can be requested and loaded onto YubiKeys, several steps need to be completed, including creating a smart card login template and publishing that template in the Certification Authority.
The examples in this section use Microsoft Windows Server 2016. If you are using a different version of Windows Server, modify the steps to suit your environment.
Setting up the Smart Card Login Template for User Self-Enrollment
It is important to create a smart card login certificate template in the CA before distributing YubiKeys to your users who will enroll themselves. To do so, follow the steps below on the Windows Server running the CA.
Creating a Smart Card Login Template for User Self-Enrollment
- Right-click the Windows Start button and select Run.
- Type certtmpl.msc and press Enter.
- Click Certificate Templates, locate and right-click Smartcard Logon, and select Duplicate Template.
- Select the General tab, and make the following changes as needed:
  - For Template display name / Template name, we recommend that you choose a short name without spaces such as YubiKey or YubicoSC.
  - For Validity period, ensure the timeframe you specify does not exceed the restrictions for your Certification Authority.
  - Optionally, to prevent users from re-enrolling multiple certificates without Administrator approval:
    - Select the option Publish certificate in Active Directory.
    - Select the option Do not automatically reenroll if a duplicate certificate exists in Active Directory.
- Select the Compatibility tab, and make the following changes as needed:
  - For Certification Authority, select the operating system where the Certification Authority resides.
  - For Certificate recipient, select the oldest Windows operating system in your domain environment.
- Select the Request Handling tab, and make the following changes as needed:
  - For Purpose, select Signature and encryption.
  - Ensure the option Include symmetric algorithms allowed by the subject is selected.
  - Ensure the option Renew with the same key is not selected. This option may be greyed out if Windows 7 and earlier are included in the Compatibility settings. Note: If Renew with the same key is selected, automatic renewal of certificates will fail.
  - Select the option For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  - Ensure the option Prompt the user during enrollment is selected.
- On the Cryptography tab, make the following changes as needed:
  - Provider category: Select Key Storage Provider from the dropdown.
  - Algorithm name: Select RSA, ECDH_P256, or ECDH_P384 from the dropdown. Note: ECDH_P521 is not supported. If an ECDH algorithm is selected, the client Windows systems need to have Elliptic Curve Cryptography (ECC) Certificate Login support added using Group Policy or by editing the registry. See Adding Support for Elliptic Curve Cryptography (ECC) Certificate Login for instructions.
  - Minimum key size: If you selected RSA in the previous step, enter 2048. If you selected ECDH_P256 or ECDH_P384, this field is populated automatically.
  - Select the option Requests must use one of the following providers.
  - Under Providers, select Microsoft Smart Card Key Storage Provider.
  - For Request hash, click the arrow and select SHA256 from the list displayed.
- On the Security tab, make the following changes as needed:
  - Group or user names: Confirm the domain group you want to allow access to the template is listed. If not, click Add, enter the name of the group, and then click OK. Grant access only to the group of users who will receive YubiKeys.
  - Permissions for [group name]: If users will be auto-enrolling using the built-in Windows functionality, ensure the options Read, Enroll, and Autoenroll are checked.
- Click Apply, and then click OK to close the template properties window.
- Close the Certificate Templates window.
Adding the Template to the Certification Authority
- Right-click the Windows Start button and select Run.
- Type certsrv.msc and press Enter.
- Click Certification Authority, double-click your server, double-click Certificate Templates, right-click the white space within the center pane, select New, and then select Certificate Template to Issue.
- Locate and select the recently created self-enrollment template, and then click OK.
- Allow Active Directory to update. Depending on your environment, it could take up to eight hours for the template to publish to Active Directory.
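The two procedures above (creating the template and issuing it from the CA) are easy to get subtly wrong, and a template that is missing one flag fails only later, at renewal or at enrollment time. The following script is an added example, not part of the Yubico guide: it reads the template object back from Active Directory with ADSI (no RSAT required), decodes the flag bits that the General, Request Handling, Cryptography and Security tabs set, and checks that the CA lists the template under Enrollment Services. The flag constants are taken from MS-CRTD; the function name Test-SmartCardLogonTemplate is the editor's, the template name YubiKey follows the page's recommendation, and the CA name Corp-CA is a placeholder you must replace. Run it as a domain user on a domain-joined machine.

```powershell
# Added example (editor's code, not from the Yubico guide).
# msPKI-Enrollment-Flag bits (MS-CRTD 2.26) set by the General / Request Handling tabs
$CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS                     = 0x1     # Include symmetric algorithms allowed by the subject
$CT_FLAG_PUBLISH_TO_DS                                    = 0x8     # Publish certificate in Active Directory
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE        = 0x10    # Do not automatically reenroll if a duplicate exists in AD
$CT_FLAG_USER_INTERACTION_REQUIRED                        = 0x100   # Prompt the user during enrollment
$CT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL = 0x2000  # use the existing key if a new key cannot be created
# msPKI-Private-Key-Flag bit (MS-CRTD 2.27)
$CT_FLAG_REQUIRE_SAME_KEY_RENEWAL                         = 0x80    # Renew with the same key (must be clear)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$ExpectedProvider  = 'Microsoft Smart Card Key Storage Provider'
# Extended-right GUIDs for the Enroll and Autoenroll permissions on the template ACL
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d1-bbb1-00c04fc2fad0'

function Test-SmartCardLogonTemplate {
    param(
        [string]$TemplateName = 'YubiKey',   # the Template name chosen on the General tab
        [string]$CAName       = 'Corp-CA'    # assumed placeholder: CA name as shown in certsrv.msc
    )
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Template '$TemplateName' is not in Active Directory yet; check the name or wait for replication." }
    $p = $result.Properties   # keys are lower-case LDAP attribute names

    $enrollFlags = [int]$p['mspki-enrollment-flag'][0]
    $keyFlags    = [int]$p['mspki-private-key-flag'][0]
    # pKIExpirationPeriod is stored as a negative 64-bit interval in 100 ns units
    $ticks    = [BitConverter]::ToInt64([byte[]]$p['pkiexpirationperiod'][0], 0)
    $validity = [TimeSpan]::FromTicks(-$ticks)
    # v3/v4 templates carry the algorithm and hash in msPKI-RA-Application-Policies as backtick-separated fields
    $raPolicies = [string]$p['mspki-ra-application-policies'][0]
    $algorithm = if ($raPolicies -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)') { $Matches[1] } else { 'n/a (v1/v2 template)' }
    $hash      = if ($raPolicies -match 'msPKI-Hash-Algorithm`PZPWSTR`([^`]+)')       { $Matches[1] } else { 'n/a' }
    $ekus = @($p['pkiextendedkeyusage'])
    $csps = @($p['pkidefaultcsps'])   # entries look like "1,Microsoft Smart Card Key Storage Provider"

    # Who holds Enroll / Autoenroll on the template (Security tab)
    $entry = $result.GetDirectoryEntry()
    $acl = $entry.psbase.ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in @($EnrollRight, $AutoEnrollRight)
    }
    $grants = $acl | ForEach-Object {
        $right = if ($_.ObjectType -eq $AutoEnrollRight) { 'Autoenroll' } else { 'Enroll' }
        "$($_.IdentityReference) ($right)"
    }

    # Is the template issued by the CA (Certificate Template to Issue)?
    $published = try {
        $ca = [ADSI]"LDAP://CN=$CAName,CN=Enrollment Services,$pkiBase"
        @($ca.certificateTemplates) -contains $TemplateName
    } catch { "CA '$CAName' not found under Enrollment Services" }

    [pscustomobject]@{
        Template                        = $TemplateName
        SchemaVersion                   = [int]$p['mspki-template-schema-version'][0]
        ValidityPeriod                  = $validity
        HasSmartCardLogonEku            = $ekus -contains $SmartCardLogonOid
        MinimumKeySize                  = [int]$p['mspki-minimal-key-size'][0]
        Algorithm                       = $algorithm
        RequestHash                     = $hash
        SmartCardKspListed              = [bool]($csps | Where-Object { $_ -match [regex]::Escape($ExpectedProvider) })
        IncludeSymmetricAlgorithms      = ($enrollFlags -band $CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS) -ne 0
        PublishToAD                     = ($enrollFlags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
        NoReenrollIfDuplicateInAD       = ($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE) -ne 0
        PromptUserDuringEnrollment      = ($enrollFlags -band $CT_FLAG_USER_INTERACTION_REQUIRED) -ne 0
        ReuseKeyIfNewKeyCannotBeCreated = ($enrollFlags -band $CT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL) -ne 0
        RenewWithSameKey                = ($keyFlags -band $CT_FLAG_REQUIRE_SAME_KEY_RENEWAL) -ne 0   # must be False, or auto-renewal fails
        EnrollOrAutoenrollGrantedTo     = ($grants -join '; ')
        PublishedByCA                   = $published
    }
}

Test-SmartCardLogonTemplate -TemplateName 'YubiKey' -CAName 'Corp-CA' | Format-List
```

Every boolean in the output should read True except RenewWithSameKey, SmartCardKspListed must be True (otherwise keys are generated in software and no PIN prompt appears at enrollment), EnrollOrAutoenrollGrantedTo should list only the intended YubiKey user group, and PublishedByCA must be True before any client can request the template.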
Editing Group Policy to Enable Auto-Enrollment
- Right-click the Windows Start button and select Run.
- Type gpmc.msc and press Enter.
- Navigate to the AD forest and domain containing your server, double-click your domain, and double-click Group Policy Objects.
- Right-click the group policy you want to edit, and then select Edit.
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  - Right-click Certificate Services Client - Certificate Enrollment Policy and select Properties.
  - Click the arrow for Configuration Model and select Enabled, then click OK.
  - Right-click Certificate Services Client - Auto-Enrollment and select Properties.
  - Click the arrow for Configuration Model and select Enabled.
  - Select the checkbox for Renew expired certificates, update pending certificates, and remove revoked certificates.
  - Select the checkbox for Update certificates that use certificate templates, then click OK.
- Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  - Right-click Certificate Services Client - Certificate Enrollment Policy and select Properties.
  - Click the arrow for Configuration Model and select Enabled, then click OK.
  - Right-click Certificate Services Client - Auto-Enrollment and select Properties.
  - Click the arrow for Configuration Model and select Enabled.
  - Select the checkbox for Renew expired certificates, update pending certificates, and remove revoked certificates.
  - Select the checkbox for Update certificates that use certificate templates, then click OK.
- Allow Active Directory to update. Depending on your environment, it could take up to eight (8) hours for the policy to apply to clients.
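Rather than waiting for the policy to trickle down, you can read back what the Auto-Enrollment settings above actually wrote on a client and trigger an autoenrollment pass on the spot. The script below is an added example by the editor, not code from the Yubico guide. It decodes the AEPolicy registry value in both the machine and user hives; the bit meanings are the AEPolicy flags as the editor knows them and are not stated on this page, so confirm them against gpresult output in your environment. The function names are the editor's.

```powershell
# Added example (editor's code, not from the Yubico guide).
# AEPolicy bits written by "Certificate Services Client - Auto-Enrollment" (editor's knowledge, verify with gpresult)
$AE_ENABLED          = 0x1     # Configuration Model: Enabled
$AE_RENEW_AND_CLEAN  = 0x2     # Renew expired certificates, update pending certificates, and remove revoked certificates
$AE_UPDATE_TEMPLATES = 0x4     # Update certificates that use certificate templates
$AE_DISABLED         = 0x8000  # Configuration Model: Disabled

function Get-AutoEnrollmentPolicy {
    # Machine scope comes from Computer Configuration, User scope from User Configuration.
    foreach ($scope in 'Machine', 'User') {
        $hive  = if ($scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
        $key   = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        if ($null -eq $value) {
            # No policy applied yet (GPO not linked, not refreshed, or filtered out)
            [pscustomobject]@{ Scope = $scope; Configured = $false; Enabled = $false
                               RenewExpiredAndRemoveRevoked = $false; UpdateTemplates = $false; AEPolicy = $null }
            continue
        }
        [pscustomobject]@{
            Scope                        = $scope
            Configured                   = $true
            Enabled                      = (($value -band $AE_ENABLED) -ne 0) -and (($value -band $AE_DISABLED) -eq 0)
            RenewExpiredAndRemoveRevoked = ($value -band $AE_RENEW_AND_CLEAN) -ne 0
            UpdateTemplates              = ($value -band $AE_UPDATE_TEMPLATES) -ne 0
            AEPolicy                     = '0x{0:X}' -f $value
        }
    }
}

function Start-AutoEnrollment {
    # Refresh policy, then run the machine and user autoenrollment tasks immediately
    # instead of waiting for the scheduled trigger.
    & gpupdate.exe /force       | Out-Null
    & certutil.exe -pulse       | Out-Null   # machine context
    & certutil.exe -user -pulse | Out-Null   # user context: the smart card logon template is a user template
}

$policy = Get-AutoEnrollmentPolicy
$policy | Format-Table -AutoSize
if (($policy | Where-Object { $_.Scope -eq 'User' }).Enabled) {
    Start-AutoEnrollment
    Write-Host 'Autoenrollment triggered; the Certificate Enrollment notification should appear shortly.'
} else {
    Write-Warning 'User auto-enrollment is not enabled on this client; check the GPO link and scope, then run gpresult /r.'
}
```

A fully configured client shows AEPolicy 0x7 in both scopes. If the user scope is Configured but not Enabled, the GPO is linked but the Configuration Model was left at Not configured or set to Disabled.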
Using Auto-Enrollment to Enroll Users
With Auto-Enrollment enabled on the Windows Server and on client systems via Group Policy, the user's experience is straightforward. This section describes the steps your users will need to follow to auto-enroll their YubiKey for login.
- Log into a user account on a Windows 10 PC joined to the domain. A Certificate Enrollment notification appears above the System Tray.
- Click the Certificate Enrollment notification to open the Certificate Enrollment wizard. If the popup has disappeared (or did not appear), click the arrow in the System Tray to expand the list of icons and click the certificate icon.
- On the initial screen, click Next.
- Select the appropriate certificate template and click Enroll. If multiple certificate templates are listed and the template was set up properly, "STATUS: Enrollment required" appears next to the correct template.
- Enter your YubiKey PIN and then click OK. If a custom PIN has not been set, enter the default PIN, 123456. The default PIN is public knowledge, so users should set their own PIN before relying on the YubiKey for login. If you are not prompted for a PIN and the process completes successfully, the key was most likely generated in a software provider rather than on the YubiKey: double-check that you selected Microsoft Smart Card Key Storage Provider under Providers on the template's Cryptography tab. If a setting on your template needs to be changed, delete the template and create a new one with a unique name, so that the changes take effect on clients.
- Windows enrolls the YubiKey for Windows login. The process may take several seconds, depending on the network connection to the server running the Certification Authority. Once completed, click Finish.
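Clicking Finish tells you the request succeeded, not that the key is on the YubiKey. The check below is an added example by the editor, not code from the Yubico guide: run in the user's session after enrollment, it finds the certificates in the user's personal store that carry the Smart Card Logon EKU, reads the UPN from the Subject Alternative Name, verifies the chain, and, by parsing certutil's store listing (English output assumed), reports which key storage provider holds each private key. A certificate whose provider is a software KSP rather than Microsoft Smart Card Key Storage Provider is exactly the "no PIN prompt" failure described in the step above. The function names are the editor's.

```powershell
# Added example (editor's code, not from the Yubico guide).
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$ExpectedProvider  = 'Microsoft Smart Card Key Storage Provider'
$TemplateExtOids   = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')   # v2+ template info, v1 template name

function Get-CertutilProviderMap {
    # Map SHA-1 thumbprint -> provider name from 'certutil -user -silent -store My'.
    # In each certificate block the "Cert Hash(sha1):" line precedes the "Provider =" line;
    # certificates without a private key have no Provider line. Output is assumed to be English.
    $map  = @{}
    $hash = $null
    foreach ($line in (& certutil.exe -user -silent -store My 2>&1)) {
        if ($line -match '^\s*Cert Hash\(sha1\):\s*([0-9a-fA-F ]+?)\s*$') {
            $hash = ($Matches[1] -replace ' ', '').ToUpperInvariant()
        } elseif ($hash -and $line -match '^\s*Provider\s*=\s*(.+?)\s*$') {
            $map[$hash] = $Matches[1]
            $hash = $null
        }
    }
    return $map
}

function Test-SmartCardLogonEnrollment {
    $providers = Get-CertutilProviderMap
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid)
    }
    if (-not $certs) {
        Write-Warning 'No Smart Card Logon certificate with a private key was found in CurrentUser\My.'
        return
    }
    foreach ($cert in $certs) {
        # UPN in the Subject Alternative Name (2.5.29.17) is what the domain controller maps to the account
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $upn = if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $Matches[1] } else { $null }
        $template = ($cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateExtOids } |
                     ForEach-Object { $_.Format($false) }) -join '; '
        $provider = $providers[$cert.Thumbprint]
        [pscustomobject]@{
            Subject    = $cert.Subject
            UPN        = $upn
            Template   = $template
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            OnYubiKey  = ($provider -eq $ExpectedProvider)   # False means the key lives in software, not on the card
            ChainValid = $cert.Verify()                       # builds the chain to the CA, including revocation checking
            Thumbprint = $cert.Thumbprint
        }
    }
}

Test-SmartCardLogonEnrollment | Format-List
```

OnYubiKey and ChainValid should both be True and UPN should be the user's logon name. For a second opinion that reads the card itself rather than the Windows store, run certutil -scinfo with the YubiKey inserted; it lists the certificates on the card and attempts to verify each one.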