-
Notifications
You must be signed in to change notification settings - Fork 129
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ykman - housekeeping of old/expired certificates #633
Comments
There's a lot of different software components at play here and I'm not sure what exactly would be in scope for ykman. When issuing a new certificate you should be able to re-use an existing private key slot and then just overwriting the expired certificate, rather than using a new slot. If you have third party software that is managing these slots for you then I'd say that it's that software that should be responsible for cleaning up old keys/certificates, not ykman. While it would be technically possible to add a command to delete expired certificates to ykman, I don't really think it adds that much over the existing functionality to delete certificates one at a time to the CLI itself. It should be pretty easy to script such behavior thought! |
Hi Dain, thank you for your reply. I reported the issue here, as this is a sub-component of Yubico and to my understanding, related. We are not using any third party software. We are following strictly Yubico's official documentation to set up Windows Server for YubiKey PIV Authentication[1]. Regarding your comment to "re-use an existing private key slot and then just overwriting the expired certificate", the official statement from Yubico here is[2] to not use the same private key ("Ensure the option to Renew with the same key is not selected.). Further clarification is much appreciated to workaround the reported problem. Thank you. [1] https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication |
Hi, "Third party" was a bad choice of words. I was including Windows components here, but really meant "components other than ykman". I think your question here should be directed to Yubico support instead as it sounds like you are looking for guidance or perhaps changes to other tools than ykman. |
After renewing a certificate from internal windows CA, the stick holds several (old and new) certificates in different slots. Please allow to delete expired certificates without specific certificate.
Reason: We are using openvpn with pkcs11 and user gets prompted to select certificate to use. If there would only be single (the valid) certificate, user would not get bothered at all.
Steps to reproduce
do a certreq enroll Yubikey (or whatever the name of your windows CA template is)
Load a key on the stick.
Repeat the step to load another cert onto youbikey.
Use application that uses certificates. Check offered certificates or check existing certificates with ykman on console to notice, there are even older / expired certs on the stick.
Expected result
Have a single command to delete all expired certificates on keys or have a way to replace existing certificate in specific slot during 'certreq enroll" process'.
Actual results and logs
The text was updated successfully, but these errors were encountered: