x509certificatesmartcardyubicoyubikey
Yubikey PIV "The smartcard cannot perform the requested operation."
I am trying to use a Yubikey to authenticate with Microsoft's AAD CBA however when I connect the Yubikey I get the error:
The Smart card cannot perform the requested operation or the operation requires a different smart card
To troubleshoot I have made sure the certificate is in the yubikey using Yubico's tool:
as well as verified that the yubikey smart card minidriver is installed in the PC's Device manager.
I did notice that also the Microsoft USbccid smartcard read was added to the device manager when the Yubikey was connected.
Any guidance if this is a driver issue or something else I should look at would be appreciated.
Edit: Following the troubleshooting of this page https://github.com/Yubico/yubikey-piv-manager/issues/24 I changed the yubikey registry keys to use msclmd.dll instead of the yubikey minidriver and was able was able to get certutil info to recognize the certificate. There
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]
Cannot open the AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]
No AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Serial Number: 2000000015eb9e5f830f3b8636000000000015
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert Hash(sha1): aae49e206c1fbcac5595e966bb806558317f0518
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105
Provider = Microsoft Base Smart Card Crypto Provider
ProviderType = 1
Flags = 1
0x1 (1)
KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Serial: 2000000015eb9e5f830f3b8636000000000015
SubjectAltName: Other Name:Principal [email protected]
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert: aae49e206c1fbcac5595e966bb806558317f0518
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/23/2022 10:09 PM
NotAfter: 7/23/2027 10:19 PM
Subject: CN=same-CA, DC=same, DC=domain
Serial: 22186ead3636cda04a63b3d2357bc2e7
Cert: b64f289bdf0fe3bb54638a928a5e8c37f1418931
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
Chain: aae49e206c1fbcac5595e966bb806558317f0518
Full chain:
Chain: 4be2869ed0c351f6686e3aaf16fd4f5d8b715a50
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Serial: 2000000015eb9e5f830f3b8636000000000015
SubjectAltName: Other Name:Principal [email protected]
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert: aae49e206c1fbcac5595e966bb806558317f0518
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105
Cannot open the key for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
Done.
CertUtil: -SCInfo command completed successfully.
However as you can see it says that it cannot find the second certificate (idk what certificate is stored in that container since I am just using 9a). and I still get the same error with AAD CBA.
Solution
After Contacting Yubico Support it was discovered that this was caused by changing the Management Key. The Yubico Minidriver expects the management Key to be the default and it protects it with the PIN. Re-installing the minidriver and leaving the default management fixed the issue.
- How to get subject hash of a PEM certificate
- New-SelfSignedCertificate to TrustedPublishers does not work
- Problem loading a serveer certificate in .p12 format with a AES-256-CBC
- Switch to Certificated-based authentication for importing VisualSVN repository seed (`Access is denied`)
- Using Java to Encrypt a private key
- Getting correct SignerInfos of a file via Powershell?
- Consume a webservice - WS Security
- How to verify MSSQL signbycert in NodeJS
- Why is it recommended to make separate device certificates for connecting to AWS IoT Core MQTT endpoint?
- Install User Certificate Via ADB
- C# import certificate and key (PFX) into CNG/KSP
- Error Importing SSL certificate : Not an X.509 Certificate
- I get Error when I call get API with certificate
- Cannot create Microsoft Graph API subscription using self signed C# X509Certificate2
- Certificate issue when Connecting with Azure Service Management API
- What does the 'Z' mean in Unix timestamp '120314170138Z'?
- Does WCF do CRL/OCSP certificate checking?
- c# X509Certificate2 add certificate how mark as exportable
- Get chain or CA issuer from x509 certificate using OpenSSL CLI
- Python cryptography.x509 : Verification of an x509 cert generated by python x509 module which is signed by a CA (not a root) fails
- Load X509 certificate from disk .Net Core
- Kubernetes: expired certificate
- Yubikey PIV "The smartcard cannot perform the requested operation."
- Received fatal alert: bad_certificate
- openssl: try to load local ca store
- How can I load a .pem certificate in c# from file?
- In PHP openssl, how to get public certificate PEM for website?
- How to create a single line x509 certificate that can be parsed by OpenSSL commandline tool
- Clarification on the Location where CRL URL should be Obtained in CRL Validation of X509 Certificates
- How to convert BouncyCastle X509Certificate to .NET Standard X509Certificate2 while retaining the private key?