Security Key Integration: Installing a Certificate on a YubiKey

IT organizations that want to leverage PIV and store their certificates on YubiKeys need key security components to make deployments easier. SecureW2 bundles together turnkey PKI services, onboarding software for end users to enroll for certificates, and authentication services.

1. Key Benefits

1.A. PKI Services

Our turnkey private PKI is easy to configure and integrates directly with your existing technology infrastructure. Organizations using SecureW2’s HSM (Hardware Security Module)-backed PKI find that the ongoing management commitment is minuscule compared to other PKI solutions.

1.B. YubiKey Onboarding

Certificate enrollment can be a tedious and difficult process that often stumps the average user. The JoinNow MultiOS onboarding software allows users to self-configure via a few simple steps designed for a user unfamiliar with certificates. The self-service software can enforce PIN and PUK requirements and then enroll certificates on Windows, macOS, and Linux by asking the user to prove their identity via AD/LDAP or SAML (Google Apps, Azure, ADFS, Okta, OneLogin, etc.). Finally, the services that will use the certificate, such as desktop login, VPN and Wi-Fi, can also be provisioned for the user during the enrollment process.

1.C. Authentication Services

Our certificate service integrates seamlessly with our RADIUS authentication service, so functions like VPN, Wi-Fi and web authentication can use PIV-enabled YubiKeys. The authentication service incorporates a robust policy engine with identity integration into AD, Google Apps, Okta, Azure and more.


2. Admin Setup

2.A. Setup PKI Services or Use an Existing PKI

SecureW2 offers the unique ability to easily issue and configure YubiKeys for certificates. Designed from the ground up to be vendor neutral, SecureW2 lets you use its turnkey PKI Services or an existing PKI to enroll YubiKeys for certificates. This page shows how SecureW2’s PKI is configured for Security Key certificate auto-enrollment.

2.B. Getting Started in SecureW2

In our Management Portal, everything that’s needed to enroll a YubiKey for a certificate can be done using our Getting Started Wizard. Configure the Wizard with the following settings:

  1. Choose your Identity Provider
    1. SecureW2 supports Google, Active Directory, Okta, LDAP and every other major Identity Provider to authenticate users for certificate enrollment. Specify your IDP here.
  2. PIN / PUK Requirements
    1. Ensuring YubiKeys aren’t using the default PIN and PUK is extremely important. Configure your organization’s security policies regarding PIN/PUK here.
  3. Certificate Template
    1. Our PKI Services empower organizations to generate custom certificates for Desktop Login, VPN, Wi-Fi, and more. Specify the application of your certificate here.
  4. Run the Wizard
    1. After configuring the settings above, run the Wizard; it will set up everything required to configure your YubiKeys for certificates.

2.C. Generate the Onboarding Page for YubiKey Self-Enrollment

After the Getting Started Wizard has finished, a landing page will be generated. This is where you will instruct your end users to navigate to, so they can self-service their YubiKeys for certificates. Every aspect of this page is completely customizable. If you’d like to learn more, please contact us for more information.

To get your landing page:

  1. Navigate to Network Profiles and click View
    1. You will be taken to the JoinNow Landing Page, which automatically detects the device’s Operating System and deploys the appropriate client to configure the user’s YubiKey
  2. Copy this URL and instruct end users to navigate to the page

There are many other features you can configure in SecureW2, but the steps above outline the minimum setup required to start configuring YubiKeys for certificates.


3. YubiKey Certificate Enrollment User Flow

The steps below outline how end users can self-enroll for unique certificates on their YubiKeys, using a macOS or Windows device.

macOS

  1. Download the YubiKey Manager: https://www.yubico.com/products/services-software/download/yubikey-manager/
  2. After you download and install the YubiKey Manager, reboot your computer.
  3. Open YubiKey Manager, and then insert your YubiKey.
  4. Go to the JoinNow MultiOS Landing Page.
  5. Click JoinNow and the JoinNow client will download.
  6. Click the SecureW2 JoinNow app and click Open in the window that appears and the JoinNow client will begin configuration.

Enter or Reset PIN/PUK

Ensuring YubiKeys aren’t using the default PIN and PUK is extremely important. The JoinNow client can enforce any PIN / PUK complexity rules, detect whether the user is using a default PIN/PUK, and prevent certificate enrollment until they have configured a secure and unique PIN/PUK.

If you have forgotten, or need to reset your PIN, follow the steps below:

  1. In the SecureW2 client, click Forgot PIN?
  2. You’re prompted to Use my (default) PUK or Reset your YubiKey.
    1. If you choose use my (default) PUK:
      1. Enter your PUK.
      2. Upon successful authentication, a new screen appears. This screen notifies you that resetting your YubiKey will erase all existing information stored on the YubiKey.
      3. Enter your new PIN and PUK, and then click Next.
      4. A screen appears confirming you’ve set a new PIN and PUK.
      5. Certificate enrollment resumes per the instructions in the next section.
    2. If you choose Reset your YubiKey:
      1. A new screen appears. This screen notifies you that resetting your YubiKey will erase all existing information stored on the YubiKey.
      2. Enter your new PIN and PUK, and then click Next.
      3. A screen appears confirming you’ve set a new PIN and PUK.
      4. Certificate enrollment resumes per the instructions in the next section.
    3. Note: If you enter your default PIN/PUK, you’ll be prompted to reset your YubiKey.

Certificate Enrollment and Installation

After the client has ensured the YubiKey has a secure PIN, users can begin the certificate enrollment and installation process.

  1. Click Next and the login page will open in a new tab.
    1. This login page can be configured for use with any LDAP (Active Directory) or SAML (Google Apps, Okta, OneLogin, and other major vendors) Identity Provider.
  2. Enter your organization’s credentials. Once the credentials are validated, you’re returned to the JoinNow client.
  3. Enter your device credentials to allow JoinNow to configure your device.
  4. The JoinNow client will now enroll and configure the YubiKey for a certificate.
    1. When it finishes, click Done.
  5. Open the YubiKey Manager and click Applications -> PIV -> Configure Certificates to verify that the SecureW2 certificate was successfully installed on your YubiKey.

Windows

  1. Download the YubiKey Smartcard Mini Driver for Windows: https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/
    1. See Yubico’s documentation on installing the Mini Driver.
    2. After you download and install the driver, reboot your computer.
  2. Navigate to your organization’s JoinNow landing page, and click JoinNow to download the client.
  3. Open the .exe file that is downloaded to begin the configuration process.

Enter or Reset PIN/PUK

Ensuring YubiKeys aren’t using the default PIN and PUK is extremely important. The JoinNow client can enforce any PIN / PUK complexity rules, detect whether the user is using a default PIN/PUK, and prevent certificate enrollment until they have configured a secure and unique PIN/PUK.
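The kind of pre-enrollment check described here (and in the macOS section above) can be expressed as a small policy routine. This is an added example, not SecureW2 or Yubico code: the factory PIN 123456 and PUK 12345678 are Yubico’s documented PIV defaults and the 6–8 character range is the PIV length limit the YubiKey enforces, while the digits-only and no-trivial-sequence rules are an assumed organizational policy.

```python
"""PIN/PUK policy gate an enrollment client can run before a YubiKey
receives a certificate.  Added example; not SecureW2 or Yubico code."""
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_PIN = "123456"     # Yubico's documented PIV factory PIN
DEFAULT_PUK = "12345678"   # Yubico's documented PIV factory PUK


@dataclass(frozen=True)
class Policy:
    min_len: int = 6               # PIV minimum length
    max_len: int = 8               # PIV maximum length on a YubiKey
    digits_only: bool = True       # assumed org rule (PIV itself allows ASCII)
    forbid_sequences: bool = True  # assumed org rule


def _is_trivial_sequence(value: str) -> bool:
    """True for runs such as 123456, 654321 or 111111 (digits only)."""
    if not value.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(value, value[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}


def check_secret(kind: str, value: str, policy: Policy) -> list[str]:
    """Return the policy violations for one secret; kind is 'PIN' or 'PUK'."""
    default = DEFAULT_PIN if kind == "PIN" else DEFAULT_PUK
    problems: list[str] = []
    if value == default:
        problems.append(f"{kind} is the factory default")
    if not policy.min_len <= len(value) <= policy.max_len:
        problems.append(f"{kind} must be {policy.min_len}-{policy.max_len} characters")
    if policy.digits_only and not value.isdigit():
        problems.append(f"{kind} must contain digits only")
    if policy.forbid_sequences and _is_trivial_sequence(value):
        problems.append(f"{kind} is a trivial sequence or repeated digit")
    return problems


def check_pin_puk(pin: str, puk: str, policy: Policy | None = None) -> list[str]:
    """Return every violation; an empty list means enrollment may proceed."""
    policy = policy or Policy()
    problems = check_secret("PIN", pin, policy) + check_secret("PUK", puk, policy)
    if pin == puk:
        problems.append("PIN and PUK must differ")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one compliant pair, one still at factory defaults.
    print(check_pin_puk("482917", "73915046"))   # []
    print(check_pin_puk(DEFAULT_PIN, DEFAULT_PUK))
```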

If you have forgotten, or need to reset your PIN, follow the steps below:

  1. In the SecureW2 client, click Setup YubiKey / Forgot PIN.
  2. You’re prompted to Use PUK or Reset YubiKey.
    1. If you choose Use PUK:
      1. Enter your PUK.
      2. Upon successful authentication, a new screen appears prompting you to enter your new PIN and PUK.
      3. Enter your new PIN and PUK, and then click Next.
      4. A screen appears confirming you’ve set a new PIN and PUK.
      5. Certificate enrollment resumes per the instructions in the next section.
    2. If you choose Reset YubiKey:
      1. A new screen appears. This screen notifies you that resetting your YubiKey will erase all existing information stored on the YubiKey.
      2. Enter your new PIN and PUK, and then click Next.
      3. A screen appears confirming you’ve set a new PIN and PUK.
      4. Certificate enrollment resumes per the instructions in the next section.
    3. Note: If you enter your default PIN/PUK, you’ll be prompted to reset your YubiKey.

Certificate Enrollment and Installation

After the client has ensured the YubiKey has a secure PIN, users can begin the certificate enrollment and installation process.

  1. Click Next and a login page will open in a new tab. This login page can be configured for use with any LDAP (Active Directory) or SAML (Google Apps, Okta, OneLogin, and other major vendors) Identity Provider.
  2. Enter your organization’s credentials. Once the credentials are validated, you’re returned to the JoinNow client.
  3. The JoinNow client will now enroll and configure the YubiKey for a certificate. When it indicates you’ve joined the network, click Done.
  4. Open the YubiKey Manager and click Applications -> PIV -> Configure Certificates to verify that the SecureW2 certificate was successfully installed on your YubiKey.

YubiKey is a registered trademark of Yubico in the United States and/or other countries. Other trademarks, logos and service marks used on this site are the property of SecureW2 or other third parties.