YubiKey Enrollment via PIV

Introduction

SecureW2 PKI provides a powerful HSM-based PKI / CA service to certificate-driven security solutions for customers looking to simplify the enrollment, management, and authentication of digital certificates. Organizations using PIV-enabled Yubikey can partner with SecureW2 for easy certificate deployment which can be used for seamless Desktop Login, connection to VPN and so on.

The following guide provides steps to integrate SecureW2 PKI with YubiKeys for certificate deployment.

Prerequisites

The following are the prerequisites for setting up SecureW2 PKI with YubiKey:

1. A YubiKey with a valid YubiKey Root CA.
2. An Active JoinNow CloudPKI account with Smart Card Management subscription.

Creating a Network Profile

To add a network profile, perform the following steps:

1. Navigate to Device Onboarding > Network Profiles.
2. Click Add Network Profile in the Network Profiles page. The Basic screen is displayed.
   
3. In the Network Profile field, enter a name for the network profile.
4. Select the Searchable checkbox to allow this network profile to be searched using the organization code or domain name.
5. From the Wireless Vendor drop-down list, select the wireless vendor used in your organization.
6. From the RADIUS Vendor drop-down list, select the RADIUS vendor used in your organization.
   
   NOTE: Please choose SecureW2 in case you have purchased the SecureW2 CloudRADIUS subscription.
7. Click Next. The Network Profile will be generated.
8. Navigate to the Network Settings section and click Add Network Setting.
9. In the Network Setting Name field, enter a name for the onboarding SSID.
10. From the Type drop-down list, select ENTERPRISE.
11. From the EAP Method drop-down list, select TLS.
12. In the Anonymous Identity field, enter the anonymous identity if this is used for authentication. If the field is left empty, Identity Privacy of the network is configured as Disabled.
    
13. From the Enrollment Type drop-down list, select Cloud.
14. From the Key Size drop-down list, select the required key size.
15. From the Generate Certificate For drop-down list, select the required parameter.
    
16. Enable the Use Smart Card for private key storage button.
17. From the Smart Card drop-down list, select YubiKey.
18. From the Require Touch drop-down list, select
    a. Disabled – If no touch is required to start YubiKey
    b. Enabled – If touch is required to start YubiKey
19. Under the PIN Management section, make the required changes for setting the complexity of PIN:
    a. Prevent Default PIN:  This option is used to prevent the usage of the Default PIN provided by YubiKey so as to ensure that the user enters new PIN..
    b.  Minimum PIN Length: The PIN can contain a minimum of 6 characters and a maximum of 8 characters.
    c. Enforce PIN Complexity: Use this option to apply PIN complexity criteria to the new PIN in case of the Forgot PIN option.
    
20. PUK refers to the PIN Unlock Key and the admin can configure the ways for the user to handle the Forget PIN scenario. Under PUK Management, from the PUK Policy drop-down list, select the required option from:
    a. User Generated – User can change both PIN and PUK in case of the Forget PIN scenario.
    b. Disable PUK – Users can change PIN but not PUK as it will be disabled.Please note this resets the Yubikey.
    c. Autogenerated by Server – User can change PIN. The PUK for the YubiKey will be managed by the SecureW2 server.
    
21. Check the Enable Client Certificate Reuse button for enabling certificate reuse. Configure Existing Certificate Validity Offset and Enable Revocation Check as required.
    
22. Click Save.
23. On the Network Profile page, click on the Advanced tab. Scroll down to the Workflows section.
24. Enable the Check for Existing Valid Certificate field.
25. Uncheck the following fields for uninterrupted seamless Desktop Login:
    – Wireless Configuration
    – Wireless Connect
    – Enable Wired 802.1X
    – Wired Configuration
    
26. Click Update.

Configuring Key Attestation Provider

Key Attestation gives you confidence that the keys you use in your app are stored in a hardwarebacked keystore. To set up a Key Attestation Provider:

1. Navigate to Identity Management > Key Attestation Providers and click Add Key Attestation Provider.
   
2. Enter a name and description for the key attestation provider in the respective fields.
3. From the Type drop-down list, select YubiKey
4. Click Save.
   
5. Click on the Configuration tab.
6. Click the Enable Certificate Chain Validation check-box.
7. Click Choose File. Upload the default YubiKey Root CA (or) your organization-specific Root CA for certificate chain validation.
8. Click Upload and Click Update.
   

Creating a Certificate Template

A certificate template is a blueprint for attributes that must be encoded on a certificate and the certificate’s intended use case.

1. Navigate to PKI > Certificate Authorities.
2. Scroll to the Certificate Templates section and click Add Certificate Template.
   
3. In the Basic section, for the Name field, enter the name of the certificate template.
4. In the Subject field, retain the existing values.
5. In the Display Description field, enter a suitable description for the certificate template.
6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
7. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
   
8. In the SAN section, for the Other Name, RFC822 and the URI fields, retain the default values.
9. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication and Smart Card Logon. Please feel free to select other EKUs as per the business use cases.
   
10. Click Save.

Policy Management

This section describes the configuration process for different policies concerning certificate enrollment. Through Policy Management, diverse rules can be set for each policy, which helps in selecting the correct certificate template for issuing the appropriate certificate to users.

Configuring an Authentication Policy

An Authentication Policy can be created from the Authentication Policies page. If you’ve already set up an authentication policy through Getting Started, you can either edit it with the required values or create a new one.

To create a new Authentication Policy, perform the following steps:

1. Navigate to Policy Management > Authentication Policies.
2. On the Authentication Policies page, click Add Authentication Policy.
   
3. In the Basic section, enter the name of the Authentication Policy in the Name field.
4. In the Display Description field, enter a suitable description for the Authentication Policy.
   
5. Click Save.
6. Click the Conditions tab.
7. In the Profile drop-down list, select the network profile created in the 3. Creating a Network Profile section.
   
8. Click the Settings tab.
9. From the Identity Provider drop-down list, select the IDP required for authentication.
10. Select the Enable User Self Service checkbox, if required.
    
11. Click Update.

Creating a Policy Engine Workflow

1. Go to Policy Management > Policy Engine Workflows.
2. Click Add Policy Engine Workflows.
3. In the Basic section, in the Name field, enter a name for the policy.
4. In the Description field, enter a description for the policy.
5. Click Save.
   
6. On the displayed page, click the Conditions tab.
7. Click Save.The page refreshes and automatically selects the Conditions tab.
8. In the Conditions section, click the Identity Provider drop-down and select the Identity Provider required for authentication.
   
9. Click Update.

Creating a Device Role Policy

Device Role Policy helps in mapping the attestation provider in JoinNow for device attestation.

1. From the JoinNow Management Portal, go to Policy Management > Device Roles Policies.
2. Click Add Device Role Policy.
3. In the Basic tab, for Name, enter a name.
4. For Description, enter a description.
   
5. Click Save. The page refreshes and the Conditions tab opens.
6. Click on the Conditions tab.
7. From the Identity drop-down, select the Key Attestation Provider created in section.
8. Under the Available Slot session, select Slot 9a.
   
9. Click Update.

Creating an Enrollment Policy

1. From the JoinNow Management Portal, go to Policy Management > Enrollment Policies.
2. Click Add Enrollment Policy.
3. In the Basic tab, for Name, enter a name.
4. For Description, enter a description.
   
5. Click Save. The page refreshes and displays the Conditions and Settings tab.
6. In the Conditions section, for Role, select the Policy Engine Workflow policy you created in the 6.2 Creating a Policy Engine Workflow section.
7. For Device Role, select the device role created in the 6.3 Creating a Device Role Policy section.
   
8. Click on the Settings tab.
9. From the Use Certificate Authority drop-down, select the Intermediate Certificate Authority for your organization or an Intermediate CA created for YubiKey.
10. From the Use Certificate Template drop-down, choose the certificate template created for YubiKey enrollment.
    
11. Click Update.

Re-Publishing a Network Profile

Post successful configuration of policies in JoinNow, the Network Profile should be re-published to create the WiFi configuration for each Operating System.

To republish the Network Profile:

1. Navigate to Device Onboarding > Network Profiles.
2. Scroll to the created Network Profile and click Re-publish.
   
3. In the Republish Network Profile pop-up, click Ok. It will take 60 – 90 seconds to republish the network profile.
   
4. Click on the Landing Page icon.
   
5. Click JoinNow to enrol for a certificate.
   

Conclusion

After successfully configuring the above steps, Windows and macOS devices onboarded via the Network Profile Landing Page will be issued client certificates to be deployed on the Yubikeys. Admins can verify certificate issuance status in the JoinNow Management Portal under Data and Monitoring > General Events: