This repository has been archived by the owner. It is now read-only.

YubiKey 4 issues with Windows 10 Creators Update (Version 1703) #24

Closed
petrsnd opened this Issue Jun 5, 2017 · 53 comments
petrsnd commented Jun 5, 2017

If I open YubiKey Piv Manager (1.4.2) on Windows 10 CU, then insert my YubiKey 4, everything works great the first time. It recognizes the YubiKey and allows me to initialize it. However, if I remove the key and try to do it again, YubiKey PIV Manager (1.4.2) fails to recognize the key.

  • YubiKey 4 -- PIV applet firmware 4.3.4
  • YubiKey PIV Manager version 1.4.2
  • Windows 10 Pro, Creators Update (Version: 1703)
> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Pro 
OS Version: 10.0.15063 N/A Build 15063

I get the following message in the YubiKey PIV Manager UI:
YubiKey not found

yubico-piv-tool.exe returns the following:

> .\yubico-piv-tool.exe -astatus
Failed to connect to reader.

I can get YubiKey PIV Manager to recognize the key again if I follow these steps:

  1. Leave the YubiKey 4 inserted
  2. Leave YubiKey PIV Manager (1.4.2) open
  3. Open up Windows Device Manager
  4. Navigate to "Smart card readers"
  5. Find the "Microsoft Usbccid Smartcard Reader (WUDF)" device that was added by Windows, and right click to "Uninstall device"
  6. Remove the YubiKey 4
  7. Reinsert the YubiKey 4
  8. Voilà! YubiKey 4 is recognized and I can work with it.

Another interesting thing is that after following the process described above, when you reinsert the YubiKey 4, ever so briefly you see a device appear under "Smart card readers" called "YubiKey 4 OTP+U2F+CCID". This eventually disappears only to be replaced by "Microsoft Usbccid Smartcard Reader (WUDF)" again. It is seemingly present long enough for YubiKey PIV Manager (1.4.2) to get started interacting with the key.

yubico-piv-tool.exe also works after following the process above.

After I remove the key, it won't work again unless I repeat the steps above to uninstall the device before plugging it back in.

petrsnd (Author) commented Jun 5, 2017

More information. If you enable viewing hidden devices in Windows Device Manager, you can see additional information about what might be wrong.

From the Windows Device Manager Menu:
"View" => "Show hidden devices"

This is what you see when you have inserted the card and it was not recognized (notice the light grey).
(screenshot: smartcard missing)

If you follow the steps I posted to delete the smart card reader to try again, you'll see this:
(screenshot: smartcard found)

The PIV smart card is not being found by the operating system. This means I might have trouble trying to use the YubiKey 4 as a smart card to authenticate to a web application or for a domain login. So, I'm not sure this is only a YubiKey PIV Manager problem...

When I remove the YubiKey 4:

  • the "Smart card filter driver"
  • the "Microsoft Usbccid Smartcard Reader (WUDF)", and
  • the "Identity Device (NIST SP 800-73 [PIV])"

all turn grey in Windows Device Manager.

When I plug the YubiKey 4 back in, only the first two come back, as shown in the first image above.

petrsnd (Author) commented Jun 5, 2017

I have verified the same behavior on a Dell Precision 5510 and a Dell Precision M3800. I will try an HP laptop later today.

petrsnd (Author) commented Jun 6, 2017

I reproduced the same issue on an HP Spectre x360 running Windows 10 Home CU (1703).

I know this is likely a Windows driver issue, but I experienced it while running YubiKey PIV Manager. I didn't know where else to file the issue to make you aware that YubiKey 4s are not working for PIV on Windows 10 CU.

dagheyman (Member) commented Jun 7, 2017

Thanks for the detailed report! We are looking into it.
Could you try doing .\yubico-piv-tool.exe -astatus -v2 when the key is not recognised, and paste the output here?

petrsnd (Author) commented Jun 7, 2017

@dagheyman

> .\yubico-piv-tool.exe -astatus -v2
error: SCardEstablishContext failed, rc=8010001d
Failed to connect to reader.

SCARD_E_NO_SERVICE 0x8010001D
The smart card resource manager is not running.

So for whatever reason the key insertion is not triggering this service to start?

resource manager
The module of the smart card subsystem that manages access to multiple readers and smart cards. The resource manager identifies and tracks resources, allocates readers and resources across multiple applications, and supports transaction primitives for accessing services available on a given card.

petrsnd (Author) commented Jun 7, 2017

(screenshot: TriggerStart)
I opened services snap-in and found that the Smart Card service is not running.
Manually started this service and it works...

> .\yubico-piv-tool.exe -astatus
CHUID:  3019d4e739da739ced39ce739d836858210842108421384210c3f5341078c2d72b2f70c4b3f5214ccdb7211ebe350832303330303130313e00fe00
CCC:    f015a000000116ff020ccbacb8870cbb32b23714e3329cf10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
PIN tries left: 3

petrsnd (Author) commented Jun 7, 2017

> sc.exe qtriggerinfo SCardSvr
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: SCardSvr

        START SERVICE
          DEVICE INTERFACE ARRIVAL     : 50dd5230-ba8a-11d1-bf5d-0000f805f530 [INTERFACE CLASS GUID]
        START SERVICE
          DEVICE INTERFACE ARRIVAL     : 121d8161-866d-4a24-ba58-9058940c0d47 [INTERFACE CLASS GUID]
        START SERVICE
          NETWORK EVENT                : bc90d167-9470-4139-a9ba-be0bbbf5b74d [RPC INTERFACE EVENT]
            DATA                       : c6b5235a-e413-481d-9ac8-31681b1faaf5
        START SERVICE
          NETWORK EVENT                : bc90d167-9470-4139-a9ba-be0bbbf5b74d [RPC INTERFACE EVENT]
            DATA                       : D09BDEB5-6171-4A34-BFE2-06FA82652568:F2ADD560-EB85-4170-82A2-A48E789690CD

killerog commented Jun 8, 2017

Hello,

Lately I've been having issues with the authenticator application, and then I noticed this topic. This sounds very much like what I experienced, but maybe I should open an issue in that other repo instead?

dagheyman (Member) commented Jun 12, 2017

I managed to reproduce this with a YubiKey 4 and a NEO on a fresh Creators Update VM. I get the same behaviour that you describe. Can't reproduce it on Anniversary Edition (build 14393).

DanPeterson commented Jun 12, 2017

@dagheyman Microsoft bug?

R-Adrian commented Jun 13, 2017

try adding 'SeLoadDriverPrivilege' to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\RequiredPrivileges
reboot and see if it helps.
make sure you don't delete any of the existing rights there, just add to the existing list.

The permission system was a bit re-arranged in Creators and MS broke practically all [radio] modems until you (or Microsoft) patch the registry like this:
https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/dial-up-error-633-wbuild-15063-1703-creators-pro/2c5b280e-e246-4105-b8e6-58e413d2668e

and since it's a driver-loading issue i suspect that the same 'fix' applies in this case too.

dagheyman (Member) commented Jun 13, 2017

@Aditza2015 Thanks for the suggestion! It doesn't seem to help at my end though. Actually it makes it slightly worse (?), after the registry change, the fix to do Uninstall device on the Smart card reader, doesn't seem to have any effect anymore.

@DanPeterson

Microsoft bug?

Could be. Do you have any more luck with the above workaround?

R-Adrian commented Jun 13, 2017

and an update: this is probably happening because in Creators there will be a different svchost.exe process for EACH separate service.

if you look at running processes with taskmgr or sysinternals Process Explorer you'll notice that in Creators each service runs in its own separate svchost process while in Anniversary edition it uses a shared svchost for multiple services.

This process isolation has advantages because each process is assigned only the security privileges that it actually requests and can't leech privileges from other services that are run in the same svchost.

The downside is that missing but needed privileges that used to be leeched/inherited from other services are creating issues like this missing-driver bug.

try adding to SCardSvr more privileges from the list at:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx

it probably also needs some of:
SeTrustedCredManAccessPrivilege
SeImpersonatePrivilege
SeCreatePermanentPrivilege

and as a last attempt:
SeTcbPrivilege
(=act as part of the Operating System)

probably one of these or others on that MSDN list will help

20170614 edit: marked with strike-through the above paragraph.. the proper solution is a bit lower down the thread.

dagheyman (Member) commented Jun 13, 2017

Thanks for the insights. Leaving the two original privileges in there and adding all the privileges you suggested gives a list like this for SCardSvr:

SeChangeNotifyPrivilege
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeMachineAccountPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRelabelPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSyncAgentPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeTrustedCredManAccessPrivilege
SeUndockPrivilege
SeUnsolicitedInputPrivilege
SeTrustedCredManAccessPrivilege
SeImpersonatePrivilege
SeCreatePermanentPrivilege
SeTcbPrivilege

Unfortunately it doesn't seem to have any effect, the card doesn't show up in device manager at all (only the reader).

R-Adrian commented Jun 13, 2017

hmm.. what if you add 'SeLoadDriverPrivilege' to the ScDeviceEnum service instead of SCardSvr service?
(restore SCardSvr to have only the original 2 permissions too)

dagheyman (Member) commented Jun 13, 2017

The last one seemed to do the trick!

So to reiterate, workaround seems to be:

Add SeLoadDriverPrivilege to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScDeviceEnum\RequiredPrivileges, reboot.

R-Adrian commented Jun 13, 2017

and the conclusion is: it's another Microsoft bug with Creators Update... just as with the [radio] modems breaking Dial Up networking, they forgot to allow the Smart Card device enumeration service to actually load the drivers it needs.

petrsnd (Author) commented Jun 14, 2017

@dagheyman I verified that this workaround fixed the issue for me. So, have you filed a bug with Microsoft to get this fixed?

I'm certainly happy with the workaround for now, but it would be nice to be sure that customers will have their PIV card recognized out of the box.

petrsnd (Author) commented Jun 14, 2017

Run as Administrator in PowerShell:

> Set-ItemProperty "HKLM:\System\CurrentControlSet\Services\ScDeviceEnum" RequiredPrivileges @("SeCreateGlobalPrivilege", "SeTcbPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege", "SeSecurityPrivilege", "SeLoadDriverPrivilege")

Use the script below...

R-Adrian commented Jun 15, 2017

imho you should not blindly overwrite the entire privilege list because Microsoft might also add a different privilege, for a different purpose, via a patch.

best way would be to

  1. first read the currently active privileges,
  2. check if the list contains SeLoadDriverPrivilege
  3. if it doesn't, then add to the end of the list that was read at step 1

this way you preserve the full list of the original manufacturer-assigned privileges

dagheyman (Member) commented Jun 15, 2017

@DanPeterson

I verified that this workaround fixed the issue for me. So, have you filed a bug with Microsoft to get this fixed?

Great that it's verified. I managed to file a report in the "Feedback Hub" inside Windows, I guess you could go there and upvote it. Here is the link (paste in explorer.exe):
feedback-hub:?contextid=74&feedbackid=93d6694e-28cc-4282-b1b2-79cccf64f784&form=1&src=1
Shortlink: https://aka.ms/fr4t81

petrsnd (Author) commented Jun 15, 2017

@Aditza2015 Yeah... I was being lazy. 😊

Run as Administrator in PowerShell:

$v = (gp "HKLM:\System\CurrentControlSet\Services\ScDeviceEnum" RequiredPrivileges).RequiredPrivileges; if (-not ($v -contains "SeLoadDriverPrivilege")) { $v += "SeLoadDriverPrivilege"; sp "HKLM:\System\CurrentControlSet\Services\ScDeviceEnum" RequiredPrivileges $v }
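The same read-check-append logic as the one-liner above, written out as a reviewable script. This is an added example, not code from the thread: it refuses to run unelevated, backs up the existing REG_MULTI_SZ before touching it, appends the privilege only when it is missing, and has a -Remove switch to undo the change once a cumulative update makes the extra privilege unnecessary. Service, privilege and backup-file names are parameters; the defaults are the thread's values.

```powershell
# Added example, not from the thread: idempotent form of the ScDeviceEnum workaround.
# Usage (elevated PowerShell):  .\Set-ScDeviceEnumPrivilege.ps1            # add
#                               .\Set-ScDeviceEnumPrivilege.ps1 -Remove    # undo
#                               .\Set-ScDeviceEnumPrivilege.ps1 -WhatIf    # preview only
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Service   = 'ScDeviceEnum',            # service whose privilege list is edited
    [string]$Privilege = 'SeLoadDriverPrivilege',   # privilege to add (or remove)
    [switch]$Remove
)

$path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
$name = 'RequiredPrivileges'

# The Services key is writable only by administrators; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as Administrator) PowerShell.'
}

# Read the current REG_MULTI_SZ. Wrap in @() so a single-entry value is still a list.
$current = @((Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name)
if ($current.Count -eq 0) { throw "$path has no $name value; refusing to create one blindly." }

if ($Remove) {
    if ($current -notcontains $Privilege) {
        Write-Host "$Privilege is not in the $name list of $Service; nothing to do."
        return
    }
    $new = @($current | Where-Object { $_ -ne $Privilege })
}
else {
    if ($current -contains $Privilege) {
        Write-Host "$Privilege is already in the $name list of $Service; nothing to do."
        return
    }
    # Append rather than overwrite, so entries Microsoft ships (or later adds) survive.
    $new = $current + $Privilege
}

if ($PSCmdlet.ShouldProcess("$path\$name", "set to: $($new -join ', ')")) {
    # Keep a copy of the old list beside the script (or in the current directory
    # when run interactively) so the change can be reverted by hand if needed.
    $dir    = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
    $backup = Join-Path $dir ('{0}-{1}-{2:yyyyMMdd-HHmmss}.bak' -f $Service, $name, (Get-Date))
    $current | Set-Content -Path $backup -Encoding ASCII

    Set-ItemProperty -Path $path -Name $name -Value ([string[]]$new) -Type MultiString
    Write-Host "Updated $name for $Service (backup: $backup). Reboot for the change to take effect."
}
```

Run with -WhatIf first to see the resulting list without writing it; the backup file holds the pre-change list verbatim if the -Remove path is ever needed.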

@petrsnd petrsnd closed this Jun 15, 2017

R-Adrian commented Jun 28, 2017

https://support.microsoft.com/en-gb/help/4022716/windows-10-update-kb4022716

June 27, 2017—KB4022716 (OS Build 15063.447)

Addressed issue where, after upgrading to Windows 10 RS2, modem dial-up fails with Error 633.  
Addressed issue where the smartcard service (sccardsvr.exe) stops periodically and never restarts when the smart card application attempts to access the cards.

the manual work-around should no longer be needed after the update.

Vilican commented Jul 18, 2017

Update: I'm using Windows, build 15063.483, however, the issue still persists.

R-Adrian commented Jul 18, 2017

did you try adding 'SeLoadDriverPrivilege' to the ScDeviceEnum service?

Vilican commented Jul 19, 2017

@Aditza2015, Yes, I used the PowerShell script a few posts above, but it didn't work.

Vilican commented Jul 19, 2017

Sorry, it worked, but I had set a card reader name in the settings. It is OK.

unixninja92 commented Sep 23, 2017

I can confirm this is fixed in 15063.608 (possibly earlier). While/before that update was installing I tried using the reg edit fix (adding SeLoadDriverPrivilege), and once the 608 update had installed this additional reg value broke the Smart Card service. Removing the value fixed it again.

johndavies24 commented Nov 7, 2017

My experience, with multiple yubikeys on multiple computers, is that the PIV manager recognizes the yubikey the first time it is plugged in and then never again. No suggestions in this thread have solved this problem. This has been tested in version 1703 build 15063.674 and subsequently in version 1709 build 16299.19. All with the same outcome.

Yubico support has suggested the following steps:

  • Uninstall KB4041676
  • Stop the Windows update service
  • Delete the Windows update cache
  • Start the Windows update service
  • Run Windows updates to reinstall the fixed KB4041676
  • Reboot
  • Test YubiKey PIV Manager

However, the windows update package KB4041676 does not exist on the machine that is fully updated to the newest feature update and all additional update packages. This update package is present on another computer that I tested this stuff on, this computer is still running version 1703. I guess I'll try what @unixninja92 said and remove this reg edit fix and see if it works again.

johndavies24 commented Nov 8, 2017

Nope

johndavies24 commented Nov 8, 2017

After a long conversation with Yubico the solution (for me, at least) was stupid easy. The YubiKey PIV Manager fills in a setting field for the "Card reader name". Delete whatever it fills in here (mine was saying "nano") and make sure it is empty like in my screenshot. Everything works now. Edit: I likely somehow named it nano; it didn't reproduce in a fresh environment. Whatever, it works now.
(screenshot: piv_solution)

emlun (Member) commented Nov 9, 2017

@johndavies24 Glad you got it working, thanks for sharing!

fabiopbx commented Nov 21, 2017

Every time I update Windows this happens :(

I've tried all of the above, maybe someone can point me in the right direction?
Can't login or sign emails, any ideas?

(screenshot)

R-Adrian commented Nov 21, 2017

That message usually means that the certificate is no longer recognized.

Unfortunately I'm in the same boat: since the YubiKey Smart Card driver arrived with Fall Creators Update and replaced the default PIV driver, Adobe Reader DC is no longer recognizing the YubiKey as valid for signing documents, and the certificate(s) from the key don't even appear anymore under Internet Options -> Content -> Certificates.

I have already tried to enable them via Group Policy.... no luck there either. :(

(screenshot: smart_card_gpo)

shanselman commented Apr 18, 2018

It's now April of 2018 and I'm (we) are still hitting this. I am starting to feel like YubiKeys on Windows aren't a viable or robust option.

R-Adrian commented Apr 27, 2018

I still cannot get the smart card certificates to show up in the personal certificates at all, on both the desktop and the laptop.

I tried:

The certificates are recognized as present by the Yubico PIV Manager... but they are simply ignored by Windows.

R-Adrian commented Apr 27, 2018

And an update: I managed to make it work again by blacklisting the Yubico minifilter driver; I went back to using the standard Windows driver (Identity Device NIST SP 800-73 PIV):
https://forum.yubico.com/viewtopic948b.html?p=9916

  1. Open Device Manager, locate and right-click YubiKey Smart Card (under Smart cards) and select Uninstall Device (mark Delete the driver software for this device).

Block re-installation from Windows Update:

  1. type: gpedit.msc
  2. Browse to Local Computer policy, Computer Configuration, Administrative Templates, System, Device Installation, Device Installation restrictions.
  3. Double-click Prevent installation of the devices that match any of these device IDs
  4. Click Enabled, Show Contents, click ADD, in the ADD item fields type:
    SCFILTER\CID_59756269b657934
    SCFILTER\CID_59756269b657934e454f7233
    Click OK,
  5. Exit gpedit.msc
  6. gpupdate /force
  7. re-insert the key.

R-Adrian commented Apr 27, 2018

Another note: that trick only works on the Windows 10 1709 edition.

On Windows 10 1803 build 17133.73 (Windows Insider build) the driver prevention trick from above still works, but certificate propagation from card to the OS is not happening.
I can't use the certificates on 1803 :(
(screenshot: yubico-201804)

emlun (Member) commented Apr 27, 2018

Hi @shanselman and @Aditza2015,

I'm afraid there doesn't seem to be much we can do here to help you. Please open a support ticket and they'll do what they can to help.

R-Adrian commented Apr 28, 2018

Update: I forced a Windows version upgrade to build 17134.1, using minifilter driver v3.7.0.152 too, and smart card certificates are propagating normally now. Seems that one was a bug in the 17133.x edition. (or Remote Desktop-related, see the issue referenced below)

fabiopbx commented May 1, 2018

For all with issues,
I have for the longest time had issues with Windows simply not being able to see the certificates in the cards while PIV Manager saw them fine; this caused my Outlook and Windows login to stop working. After trying too many of the above suggested fixes, what normally fixes this is editing the registry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Yubikey NEO Smart Card
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Yubikey 4 Smart Card

and change the value of the key '80000001' to 'C:\Windows\System32\msclmd.dll' instead of the yubico driver, I say normally because at some point it goes back to default :( removed the driver still gets installed at some point even tho I said no...

I am running windows build preview (fast track) but i have had this problem long before the updates....
Hope it helps anyone :)

R-Adrian commented May 1, 2018

don't use a full path there, the default OS value has no path, just a file name, for good reason:
"C:\Windows\SysWOW64\msclmd.dll" is a different binary than "C:\Windows\System32\msclmd.dll"

fabiopbx commented May 1, 2018

indeed, the default one, the yubico one does not contain any path, just the dll name, this does work for me as described above however, wrong or not :D

@Aditza2015

pbatard commented Jun 14, 2018

There's a typo in @R-Adrian's driver prevention policy. One of the Hardware IDs, the one for a YubiKey 4, is listed as:

  • SCFILTER\CID_59756269b657934

However, it should be:

  • SCFILTER\CID_597562696b657934

In other words, it is missing a 6 before b. The other ID (for Yubikey Neo) is correct.

NB: If you want to make sure that you filter the right ID, just open Device Manager, then select the Yubikey Smart Card and copy the value from Hardware IDs on the Details tab:

(screenshot: image3)

Unfortunately, it looks like this typo has also made it into the official Minidriver post on the forum...

R-Adrian commented Jun 14, 2018

(If you look closely at my post, you'll see it also has the URL to that forum post... unfortunately I "inherited" the typo from the forum.)

pbatard commented Jul 2, 2018

I see that you edited your post, but unfortunately it appears you did exactly the opposite of what was needed... Currently, it appears that, instead of fixing the typo with SCFILTER\CID_597562696b657934 by adding a '6' before the 'b', you introduced a new typo in SCFILTER\CID_597562696b657934e454f7233 by removing the '6' before the 'b' there. So now, both the IDs are wrong... ouch!

As per the screenshot I attached above, BOTH the IDs will begin with SCFILTER\CID_597562696b657934 and it's 62696b, NOT 6269b. Thanks!

Oh, and by the way, for people who do not want to go through the ordeal of having to filter driver installation, does anybody have any idea how one is supposed to reference an Authenticode code signing certificate stored on a YubiKey 4 or Neo when using signtool.exe? Without the minidriver, all you had to do was `signtool sign /v /sha1 <SHA-1 of the signing cert> ...`, but with the new minidriver, you always run into the "The smart card cannot perform the requested operation or the operation requires a different smart card" message when trying to do that.

I certainly hope I just haven't managed to figure out how to do just that, because if it turns out that the new minidriver is going to prevent people from using a Yubikey as a safe vault for code signing credentials, then this is a major feature regression as far as I'm concerned...

emlun (Member) commented Jul 9, 2018

@pbatard Have you tried bringing your questions to Yubico Support?

pbatard commented Jul 9, 2018

Good point. I had been trying to bring it up on the forum, only to realize that the forum had been closed for new posts, so I didn't push further. And I was waiting to see if someone would reply to that question on this tracker. But seeing that it hasn't happened, I will open a support ticket for this when I get a chance.

pbatard commented Jul 17, 2018

Okay, thanks to the very reactive people @ Yubico Support, I finally managed to figure out how to get my Yubikey to work as an Authenticode signing device, with the new Minidriver.

I'm going to document the steps that worked for me, so that they can hopefully help others in the same situation. This is done from a Windows 10 (1803) platform and assumes that you have your .pfx along with its password available:

  1. If you added Local Group Policy driver installation filtering as per above, make sure to remove it.
  2. If the Windows Update Minidriver is installed (Yubikey Smart Card Minidriver under Settings > Apps & features) make sure to uninstall it. According to Yubico support, this is an old driver that should not be used.
  3. (Without any Yubikey plugged in) install the latest Smart Card Minidriver, which can be downloaded from here (YubiKey Minidriver 3.7.0.152 at the time of this post). Basically, just unzip the file, right click on the .inf and select Install.
  4. Download the latest Yubikey Manager from here to reset your Yubikey (which is basically the only way I found to remove existing code signing credentials, as mine seemed to ask for a management key that I didn't have to delete them in PIV Manager, even though I had set the PIN as the management key). In order to reset the key:
    • Go to the location where Yubikey Manager is installed (e.g. C:\Program Files\Yubico\YubiKey Manager) and open a command prompt.
    • Run the command ykman piv reset. Of course, you will lose ALL data you have stored on the key.
    • Open PIV Manager, which will detect that the key has been reinitialized, and ask you to set a PIN. Do so.
  5. (As per this document) Open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider.
  6. Create two new DWORD (32-bit) Value keys there:
    • AllowPrivateExchangeKeyImport
    • AllowPrivateSignatureKeyImport
  7. Set the value of both these keys to 1
  8. Navigate to the directory where you have your .pfx (e.g. My Credential.pfx) and issue the following command:
    • certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx "My Credential.pfx"
  9. You will be prompted first for your .pfx password, then for the Yubikey's PIN, and, after a while, certutil should report: CertUtil: -importPFX command completed successfully.
  10. Unplug and replug your key
  11. If you open PIV Manager, you should be able to confirm that it reports that You have 1 certificate(s) loaded. You will however see that this certificate appears under Authentication and not Digital signature (which is fine).
  12. If needed, in PIV Manager, export the certificate as .crt so that you can access its SHA-1, which is the value listed if you open the CRT under Details > Thumbprint (e.g. 0123456789abcdef0123456789abcdef01234567)
  13. You can now reference that SHA-1 with SignTool, using a command such as
    • "C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\signtool" sign /v /sha1 0123456789abcdef0123456789abcdef01234567 /fd SHA256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp myapp.exe

There you have it. I sure wish all these steps had been detailed on the Yubico forums, and especially the 2 registry keys, because that's information I only managed to get from support.

Oh, and I should also mention one last important point. If you used a relatively recent version of Firefox to retrieve the PFX you got from your Authenticode provider, you may want to read on this issue, and especially the openssl commands to convert the credentials you exported to a .pfx that certutil will be happy about. Else you may get a 0x80092002 (-2146885630 CRYPT_E_BAD_ENCODE) error...

And yeah, these are a lot of steps (and pitfalls) just to reacquire a capability that used to take one convenient step to achieve in PIV Manager...

mike-mclaren commented Jul 17, 2018

Wanted to say thank you, lots of good info in this thread. We were having similar issues to the above and struggled a bit trying to find a solution. The cards were always recognized, but any changes we made to the cards (new certs, etc.) were not. In fact, we removed all the yubikey certs from the windows store, created new certs on the yubikey, and when we plugged the key back in, the old certs showed back up.

Eventually we stumbled upon this bit all the way at the bottom of the page here: https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html

"For the application to be usable in windows the object CHUID (Card Holder Unique Identifier) has to be set and unique. The card contents are also aggressively cached so the CHUID has to be changed if the card contents change."

I couldn't figure out which "card contents" it was talking about, but generating a new CHUID fixed it. New certs loaded in to windows and everything was well.

Command:
yubico-piv-tool -a set-chuid -k

Hope that helps someone, cheers.
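To make the CHUID remark above concrete, here is an added decoder for the CHUID object that `yubico-piv-tool -astatus` prints (not code from the thread or from Yubico). The sample input is the CHUID from petrsnd's `-astatus` output earlier in this thread; tag names follow the CHUID layout in NIST SP 800-73. Since Windows caches card contents against this object, the decoded GUID is the field that a fresh `set-chuid` replaces.

```powershell
# Added example, not from the thread or from Yubico: decode the PIV CHUID object
# (NIST SP 800-73 layout) so the field that `yubico-piv-tool -a set-chuid` rewrites
# is visible. Sample input is the CHUID that `yubico-piv-tool -astatus` printed
# earlier in this thread.

function Get-ChuidTagName([int]$Tag) {
    switch ($Tag) {
        0x30 { 'FASC-N' }                        0x32 { 'Organizational Identifier' }
        0x33 { 'DUNS' }                          0x34 { 'GUID' }
        0x35 { 'Expiration Date' }               0x36 { 'Cardholder UUID' }
        0x3E { 'Issuer Asymmetric Signature' }   0xFE { 'Error Detection Code' }
        default { 'Tag 0x{0:X2}' -f $Tag }
    }
}

function ConvertFrom-PivChuid {
    param([Parameter(Mandatory)][string]$Hex)

    $Hex = $Hex -replace '\s', ''
    if ($Hex.Length -eq 0 -or $Hex.Length % 2 -ne 0 -or $Hex -notmatch '^[0-9a-fA-F]+$') {
        throw 'CHUID must be a non-empty, even-length hex string.'
    }
    [byte[]]$bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }

    $fields = [ordered]@{}
    $pos = 0
    while ($pos -lt $bytes.Length) {
        $tag = [int]$bytes[$pos]
        $pos++
        if ($pos -ge $bytes.Length) { throw ('Truncated CHUID: tag 0x{0:X2} has no length byte.' -f $tag) }

        # BER length: short form (< 0x80) or long form 0x81 / 0x82. CHUID values are small.
        $len = [int]$bytes[$pos]
        $pos++
        if ($len -eq 0x81) {
            $len = [int]$bytes[$pos]; $pos++
        } elseif ($len -eq 0x82) {
            $len = ([int]$bytes[$pos] -shl 8) -bor [int]$bytes[$pos + 1]; $pos += 2
        } elseif ($len -ge 0x80) {
            throw ('Unsupported length encoding 0x{0:X2} for tag 0x{1:X2}.' -f $len, $tag)
        }
        if ($pos + $len -gt $bytes.Length) {
            throw ('Truncated CHUID: tag 0x{0:X2} claims {1} bytes, only {2} remain.' -f $tag, $len, ($bytes.Length - $pos))
        }

        # Slice the value. A zero-length field (the trailing 3E 00 and FE 00 here)
        # must not become $bytes[$pos..($pos-1)], which PowerShell would read backwards.
        [byte[]]$value = if ($len -gt 0) { $bytes[$pos..($pos + $len - 1)] } else { @() }
        $pos += $len
        $valueHex = -join ($value | ForEach-Object { $_.ToString('x2') })

        $fields[(Get-ChuidTagName $tag)] = switch ($tag) {
            # GUID: 16 bytes, rendered 8-4-4-4-12 in stored byte order (no endian swap).
            0x34 { if ($len -eq 16) { $valueHex -replace '^(.{8})(.{4})(.{4})(.{4})(.{12})$', '$1-$2-$3-$4-$5' } else { $valueHex } }
            # Expiration Date: eight ASCII digits, YYYYMMDD.
            0x35 { [Text.Encoding]::ASCII.GetString($value) }
            default { if ($len -eq 0) { '(empty)' } else { $valueHex } }
        }
    }
    [pscustomobject]$fields
}

# CHUID from petrsnd's `yubico-piv-tool -astatus` output in this thread.
$chuid = '3019d4e739da739ced39ce739d836858210842108421384210c3f5341078c2d72b2f70c4b3f5214ccdb7211ebe350832303330303130313e00fe00'
ConvertFrom-PivChuid -Hex $chuid | Format-List
```

The empty Issuer Asymmetric Signature field shows this CHUID is unsigned; the GUID is what `set-chuid` replaces with a fresh random value, which is why re-running it makes Windows re-read a card whose certificates changed.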

bjoernv commented Jul 17, 2018

I currently set up the YubiKey certificates on Linux. Unfortunately the comment from @pbatard uses the Windows tool "certutil". Is there a known way to set up the YubiKey with "yubico-piv-tool" or other Linux tools and later use the YubiKey with the YubiKey Smart Card Minidriver on Windows 10?

bjoernv commented Jul 27, 2018

Based on tip #24 (comment) and the Yubico documentation Device setup I tried to set up a YubiKey 4 without the Windows tool "certutil". Tests show that the certificates work with the new driver (YubiKey Minidriver 3.7.0.152). The Windows registry keys AllowPrivateExchangeKeyImport and AllowPrivateSignatureKeyImport are not needed.

  1. Maybe the YubiKey already has a PIN, PUK and management key. To reinitialize PIN, PUK and management key we need to enter PINs and PUKs multiple times with false values. Attention: certificates will be deleted from the YubiKey.
$ yubico-piv-tool -a verify-pin -P 471112
Pin verification failed, 2 tries left before pin is blocked.
$ yubico-piv-tool -a verify-pin -P 471112
Pin verification failed, 1 tries left before pin is blocked.
$ yubico-piv-tool -a verify-pin -P 471112
Pin code blocked, use unblock-pin action to unblock.
$ yubico-piv-tool -a change-puk -P 471112 -N 6756789
Failed verifying puk code, now 2 tries left before blocked.
$ yubico-piv-tool -a change-puk -P 471112 -N 6756789
Failed verifying puk code, now 1 tries left before blocked.
$ yubico-piv-tool -a change-puk -P 471112 -N 6756789
The puk code is blocked, you will have to reinitialize the application.
  2. Reset the YubiKey. This step is important.
$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from your YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
	PIN:	123456
	PUK:	12345678
	Management Key:	010203040506070801020304050607080102030405060708
  3. Create a new management key $key
$ key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
$ echo $key
E9E2CB9936D6511AC36B2C0FE568BB63A806314548C54CB1   (do not use this example key!)
$ yubico-piv-tool -a set-mgm-key --new-key=$key --key=010203040506070801020304050607080102030405060708
  4. Set up PIN and PUK
$ yubico-piv-tool -a change-pin -P 123456 -N <NEW PIN>
$ yubico-piv-tool -a change-puk -P 12345678 -N <NEW PUK>
  5. Copy certificates to slots 9a and 9d with the management key $key. Some other slots (e.g. 9c) will not work.
$ yubico-piv-tool -s 9a -i <certificate1.pfx> -K PKCS12 -p <certificate-password> -a import-key -a import-cert -a set-chuid --key=$key
$ yubico-piv-tool -s 9d -i <certificate2.pfx> -K PKCS12 -p <certificate-password> -a import-key -a import-cert -a set-chuid --key=$key

emlun (Member) commented Aug 7, 2018

@bjoernv Thanks for sharing your solution. I'd also like to note that you can do all those things with the ykman piv commands as well:

$ ykman piv reset
WARNING! This will delete all stored PIV data and restore factory settings. Proceed? [y/N]: y
Resetting PIV data...
Success! All PIV data have been cleared from your YubiKey.
Your YubiKey now has the default PIN, PUK and Management Key:
        PIN:    123456
        PUK:    12345678
        Management Key: 010203040506070801020304050607080102030405060708

(Getting the PIN blocked is not a prerequisite for ykman piv reset)

$ ykman piv change-pin
Enter your current PIN:
Enter your new PIN:
Repeat for confirmation:
New PIN set.
$ ykman piv change-puk
Enter your current PUK:
Enter your new PUK:
Repeat for confirmation:
New PUK set.
$ ykman piv change-management-key --protect --generate
Enter PIN:
Enter your current management key [blank to use default key]:

The --protect flag here makes the YubiKey store the management key within the onboard storage protected by the PIN, so you'll use the PIN in place of the management key (which is useful if there's no separate admin who needs access to the management key). Leave the --protect flag off to get the generated management key printed to the console instead.

$ ykman piv import-certificate 9a <cert_and_key1.pfx>
$ ykman piv import-key 9a <cert_and_key1.pfx>
$ ykman piv import-certificate 9d <cert_and_key2.pfx>
$ ykman piv import-key 9d <cert_and_key2.pfx>