No certificate in certmgr despite it being present on the key about wincryptsshagent HOT 7 OPEN

It didn't work for me (even after enabling the policy and rebooting)

from wincryptsshagent.

Are you using the Yubico MiniDriver for your key or the default Windows card services driver? Check your Device Manager and see how the key is listed.

from wincryptsshagent.

https://www.yubico.com/authentication-standards/smart-card/

YubiKey smart card minidriver

The YubiKey Smart Card Minidriver provides additional smart functionality; certificate and PIN management via the native Windows user interface, support for ECC key algorithms, set touch policy for private key use.

Minidriver for Windows OS

A Minidriver for the Windows OS that allows smart card management in the native Windows interface and adds support for ECC key algorithms. Download the YubiKey Smart Card Minidriver from our downloads page.

from wincryptsshagent.

Please try to use RSA2048 instead of ECCP384 to generate key pairs and certificates. Some settings may cause the ECC certificate to be unusable.
See also:

• https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration
• https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartCard::EnumerateECCCerts

from wincryptsshagent.

Ran into this today as well, created a PR #44 to add a note about this in the documentation. After enabling ECC keys it worked.

from wincryptsshagent.

@dschaper The default I think, I didn't install anything from Yubico, except ykman (it's a fresh Windows install)

from wincryptsshagent.

Same Issue here.

PS C:\Users\GottZ> yubico-piv-tool.exe -a status
Version:        5.2.7
Serial Number:  12509791
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      ECCP384
        Subject DN:     CN=SSH key
        Issuer DN:      CN=SSH key
        Fingerprint:    1e39e4d7562a984d7f82f60638bcb2e2db83f9a4a7c39a369b30053de22c2518
        Not Before:     Sep 23 09:55:54 2021 GMT
        Not After:      Sep 23 09:55:54 2022 GMT
PIN tries left: 3

PS C:\Users\GottZ> ykman piv info
PIV version: 5.2.7
PIN tries remaining: 3
Management key algorithm: TDES
Management key is stored on the YubiKey, protected by PIN.
CHUID:  No data available.
CCC:    No data available.
Slot 9a:
        Algorithm:      ECCP384
        Subject DN:     CN=SSH key
        Issuer DN:      CN=SSH key
        Serial:         16774689833571667083
        Fingerprint:    1e39e4d7562a984d7f82f60638bcb2e2db83f9a4a7c39a369b30053de22c2518
        Not before:     2021-09-23 09:55:54
        Not after:      2022-09-23 09:55:54

PS C:\Users\GottZ> ssh-add -s "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"
Enter passphrase for PKCS#11:
Could not add card "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll": agent refused operation

certmgr.msc doesn't list the key either.

EnumerateECCCerts is set to 1

device manager lists it properly as smartcard

I'm on Windows 11 Pro
OpenSSH is not started. I can't get libykcs11.dll to work with it either.

I have no problems using this key with PIV on a native Archlinux installation.

ssh-add -L should spit out my ecdsa-sha2-nistp384 key from the yubikey but does not.

I do have gpg4win installed but no daemon is running right now.

from wincryptsshagent.