Security Key Integration: Installing a Certificate on a YubiKey

SecureW2’s PKI services offer a variety of certificate authentication solutions. One of them is the ability to enroll and install certificates on Yubico’s YubiKey. An organization that wants to store certificates on its YubiKeys faces a few technological barriers before it can do so. SecureW2 provides what an organization needs to overcome them.

PKI Services

Configuring and managing a robust PKI is often a barrier for those who want to integrate certificate solutions, because the average PKI is rather complex to manage on your own. SecureW2's turnkey private PKI is easily configured and integrates directly into existing technology infrastructure. Since the customer is utilizing SecureW2's PKI, the management commitment is minuscule compared to a PKI owned by the organization.

Device Onboarding

On their own, certificates are difficult to configure and often stump the average network user if they are forced to self-configure. The JoinNow MultiOS client allows users to self-configure by completing a few simple steps designed for K12 aged students and up. The configuration client can distribute certificates for Windows, macOS, and Linux.

Identity Provider Integration

A major flaw of credential-based security is that any user's credentials can be used by an outside attacker to gain network access and potentially harm the organization. Certificates cannot be removed or transferred once they are distributed to a device and this ties each user and device to a specific network connection. The certificate enrollment process integrates with any identity provider, and our RADIUS authentication services ensure that users connect and re-connect in a secure environment.

SecureW2’s goal is to make it really easy to deploy certificates to PIV-compatible YubiKeys on a wide variety of operating systems. We offer a cloud-based private PKI solution and enrollment technology to simplify the deployment of certificates to PIV-compatible YubiKeys. We do this through an easy-to-use landing page that detects the user’s operating system and downloads a dissolvable client that validates the user’s credentials and enrolls for a certificate. Below we highlight what those steps look like for macOS and Windows.

Prerequisites

  • Access to the Yubico Drivers “YubiKey Manager” and “YubiKey Smart Card Mini Driver”
  • YubiKey 5 NFC tokens (this integration guide uses the YubiKey 5s, but legacy YubiKeys are supported as well)
  • Active subscriptions to SecureW2 JoinNow MultiOS with PKI Services

Installing a Certificate on a YubiKey on macOS

  1. Begin by downloading the YubiKey Manager from here: https://www.yubico.com/products/services-software/download/yubikey-manager/
  2. Install and open YubiKey Manager, and then insert your YubiKey
  3. Navigate to the JoinNow MultiOS Landing Page
    The JoinNow landing page automatically detects the end user’s device and deploys the appropriate client. While this guide shows how it can be used to install a certificate on a YubiKey, end users can use it to easily install certificates that can be used for E-Mail, SSL Inspection, Wi-Fi, VPN and Web App Authentication on any device or browser.
  4. Click JoinNow
    • The enrollment process will begin as the configuration client is downloaded
  5. Once downloading is complete, open the JoinNow client and a new window will open
  6. Click the SecureW2 JoinNow app and click Open in the window that appears
    • The app will open and begin configuration
  7. Click Next and the login page will open in a new tab
    • This login page can be configured for use with any LDAP (Active Directory) or SAML (Google Apps, Okta, OneLogin, and all other major vendors) Identity Provider
  8. Enter your organization’s credentials
    • After credentials are validated, you will be redirected back to the JoinNow client
  9. Enter your device credentials to allow JoinNow to configure your device
  10. Next, enter your YubiKey PIN
    • The YubiKey PIN is required to allow JoinNow access to the YubiKey
  11. The JoinNow client will now enroll and configure the YubiKey for a certificate, prompting you to click Done when it’s finished
  12. Open YubiKey Manager and click Applications -> PIV -> Configure Certificates to view the SecureW2 certificate
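
The check in the last step can also be scripted once the certificate has been exported from the key. The following is an added example, not SecureW2 or Yubico code: it assumes the ykman CLI and openssl are installed and that the certificate sits in PIV slot 9a (the guide does not name the slot); the function names and the issuer string are hypothetical.

```sh
#!/bin/sh
# Added example (not SecureW2 or Yubico code): audit a certificate exported
# from a YubiKey PIV slot. Export it first with the YubiKey Manager CLI:
#   ykman piv certificates export 9a yubikey-cert.pem
# Slot 9a (PIV Authentication) is an assumption; the guide does not name the slot.

# check_piv_cert PEM_FILE ISSUER_SUBSTRING [MIN_DAYS_LEFT]
# Exit status: 0 ok, 1 unexpected issuer, 2 expired or expiring soon, 3 unreadable.
check_piv_cert() (
  pem=$1; want_issuer=$2; min_days=${3:-30}
  issuer=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null) || exit 3
  case $issuer in
    *"$want_issuer"*) ;;
    *) echo "unexpected issuer: $issuer" >&2; exit 1 ;;
  esac
  # -checkend N fails if the certificate expires within the next N seconds.
  openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null \
    || { echo "certificate expires within $min_days days" >&2; exit 2; }
  # Print the details an administrator would compare against the PKI record.
  openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
)

# make_constructed_cert OUT_PEM DAYS
# Constructed stand-in for a YubiKey export so the check can be tried offline.
make_constructed_cert() (
  key=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
    -days "$2" -subj "/O=Constructed Example Org/CN=Constructed Issuing CA" \
    >/dev/null 2>&1
  rc=$?; rm -f "$key"; exit "$rc"
)

# Command-line use: sh check_piv_cert.sh yubikey-cert.pem "Your Issuing CA" 30
if [ "$#" -ge 2 ]; then check_piv_cert "$@"; exit $?; fi
```

A non-zero exit status makes the check usable in a fleet audit script: 1 flags a certificate from an unexpected issuer, 2 flags one that needs re-enrollment.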


Installing a Certificate on a YubiKey on Windows

First, download the YubiKey Smartcard Mini Driver for Windows from here: https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/

Next, open the SecureW2 JoinNow MultiOS configuration client:

  1. Initiate the configuration process by clicking Next and a login page will open in a new tab
      • This login page can be configured for use with any LDAP (Active Directory) or SAML (Google Apps, Okta, OneLogin, and all other major vendors) Identity Provider

  2. Enter your organization’s credentials
    • After credentials are validated, you will be redirected back to the JoinNow client
    • In some Identity Providers, you can configure 2-Step Verification with your Security Key; the screenshot below shows this with Google Apps
  3. After the user’s credentials have been successfully verified, the JoinNow client prompts you to enter your YubiKey PIN; enter it, then click OK
    • The JoinNow MultiOS client has now finished confirming your identity and will initiate the certificate enrollment process
  4. Once the client indicates that the user has “Joined” the network, click Done
  5. Open YubiKey Manager and click Applications -> PIV -> Configure Certificates to confirm that the SecureW2 certificate has been successfully installed on your YubiKey

Using SecureW2, end users will be able to easily enroll themselves for certificates and have them installed on their YubiKey. If you’d like more information on how we integrate with Yubico to install certificates on the YubiKey smart keys, please contact us using the form below and someone from our team will get you the information you need.

YubiKey is a registered trademark of Yubico in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
