buptczq / WinCryptSSHAgent

Using a Yubikey for SSH Authentication on Windows Seamlessly


Cannot read the certificate from the card?

acha666 opened this issue · comments

commented

I followed the Yubikey with WSL tutorial
and I generated a private key and a certificate for the 9a slot of my YubiKey,
but when I replugged the YubiKey, I cannot find my certificate in certmgr.msc (Group Policy is edited).
I ran certutil -scinfo, and it showed the result:

C:\Users\x>certutil -scinfo
Microsoft 智能卡资源管理器正在运行。
当前读卡器/卡状态:
读卡机: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- 读卡器: Yubico YubiKey OTP+FIDO+CCID 0
--- 状态: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- 状态: 此卡可用。
---   卡: Identity Device (NIST SP 800-73 [PIV])
---    ATR:
         xxxx


=======================================================
正在分析读卡器中的卡: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ 证书 0 ================
--- 读卡器: Yubico YubiKey OTP+FIDO+CCID 0
---   卡: Identity Device (NIST SP 800-73 [PIV])
提供程序 = Microsoft Base Smart Card Crypto Provider
密钥容器 = (null) [默认容器]

无法打开读卡器的 AT_SIGNATURE 密钥: Yubico YubiKey OTP+FIDO+CCID 0
无法打开读卡器的 AT_KEYEXCHANGE 密钥: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ 证书 0 ================
--- 读卡器: Yubico YubiKey OTP+FIDO+CCID 0
---   卡: Identity Device (NIST SP 800-73 [PIV])
提供程序 = Microsoft Smart Card Key Storage Provider
密钥容器 = (null) [默认容器]

无法打开读卡器的  密钥: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------

完成。
CertUtil: -SCInfo 命令成功完成。
commented

I tried to use RSA2048 to generate the key and it works...

Yeah, the default Windows smartcard driver can only see RSA keys. You need YubiKey's driver to see the other type.

commented

> Yeah, the default Windows smartcard driver can only see RSA keys. You need YubiKey's driver to see the other type.

Thanks, I'll try it.

commented

> Yeah, the default Windows smartcard driver can only see RSA keys. You need YubiKey's driver to see the other type.
>
> Thanks, I'll try it.

I tried installing the YubiKey Smart Card Minidriver and it works.
Now I'm able to work with ECC algorithm certificates.
Thank you very much!
(I'll make a PR to add this information to the document later)

After installing the YubiKey Smart Card Minidriver, the ECC certificate loaded normally.
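
A way to check the state this thread ends on, added here as an example that is not from the issue or the project: the PowerShell below lists which minidriver DLL Windows has registered for each smart card type, then the public-key algorithm of every certificate in the current user's store. It assumes the standard Calais smart card registry location, that the minidriver DLL is held in the value named `80000001`, and that ECC certificates report the friendly name `ECC`.

```powershell
# Added diagnostic example (not from the issue or from WinCryptSSHAgent).
# Run in a normal PowerShell session after plugging the token in.

# Assumption: standard location where Windows registers smart card types.
$calais = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

# 1. Card types known to Windows and the minidriver DLL each one maps to.
#    The card name printed by "certutil -scinfo" (for example
#    "Identity Device (NIST SP 800-73 [PIV])") matches a subkey name here.
Get-ChildItem -Path $calais | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Card       = $_.PSChildName
        Minidriver = $props.'80000001'                        # minidriver DLL
        CSP        = $props.'Crypto Provider'
        KSP        = $props.'Smart Card Key Storage Provider'
    }
} | Where-Object { $_.Minidriver } |
    Format-Table -AutoSize -Wrap

# 2. Certificates currently in the user's Personal store, with the key
#    algorithm of each. A slot 9a certificate that was propagated from the
#    card shows up here; an ECC one is reported as "ECC", an RSA one as "RSA".
$certs = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Algorithm     = $_.PublicKey.Oid.FriendlyName
        HasPrivateKey = $_.HasPrivateKey
        NotAfter      = $_.NotAfter
        Thumbprint    = $_.Thumbprint
    }
}
$certs | Format-Table -AutoSize -Wrap

# 3. Summary: if the card holds an ECC key but no ECC certificate is listed,
#    the driver bound to the card is not exposing that key type.
$ecc = @($certs | Where-Object { $_.Algorithm -eq 'ECC' })
if ($ecc.Count -eq 0) {
    Write-Warning 'No ECC certificates in Cert:\CurrentUser\My.'
} else {
    Write-Output ("{0} ECC certificate(s) visible in the user store." -f $ecc.Count)
}
```

Comparing the first table before and after installing the vendor minidriver shows whether the card type reported by `certutil -scinfo` changed.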