Using new and custom certificate templates for Appterix YubiKey Enrollment

The challenge

Enrolling certificates on YubiKeys for the PIV function can be time-consuming and error-prone. Often, either no certificate templates for smartcard logon to Windows exist, or users cannot execute them themselves for certificate enrollment on their YubiKey.

The solution

Appterix offers the ability to automatically generate PKI certificates. Administrators determine whether Appterix should create the certificate templates or use existing smartcard logon and enrollment agent templates. Users receive a pop-up notification or can create and renew the certificates based on these templates using YubiKey enrollment within the Appterix agent.

Video Tutorial

This video shows you how to set up the certificate templates and connect to Active Directory Certificate Services (ADCS) for the YubiKey PIV function in Appterix YubiKey LifeCycle Management.

Watch the video: https://youtu.be/pvvvRTO01Ic

Note regarding the crypto service provider

Appterix supports certificate templates using Key Storage Providers (KSPs). Legacy Crypto Service Providers (CSPs) are not supported.

Switching from a legacy Crypto Service Provider (CSP) to a Key Storage Provider (KSP) is a crucial step if you want to take advantage of modern security features such as TPM protection or elliptic curves.

When duplicating the "Enrollment Agent" template, this option is somewhat hidden, because the compatibility settings determine which options are enabled in the "Cryptography" tab.

Change of provider category

Here you will find step-by-step instructions for changing the provider category:

Adjust compatibility settings:
This is the most important step. If compatibility is set to "Windows Server 2003", the console will only allow the older CSPs.
1. Right-click the Enrollment Agent template and select Duplicate Template.
2. Switch to the Compatibility tab.
3. Set Certification Authority to Windows Server 2012 or later.
4. Also set Certificate recipient to Windows 8 / Windows Server 2012 or later.
5. Confirm the warning message about the resulting changes with "OK".

Switch provider category to KSP:
1. Switch to the Cryptography tab.
2. Open the dropdown menu under Provider Category.
3. Select Key Storage Provider there.
4. In the field below, select the desired algorithm (usually RSA or ECDH_P256, depending on the requirements).
5. In the list of providers, you can now select specific KSPs, such as the Microsoft Software Key Storage Provider.

Important note: Ensure that the clients intended to use this template (i.e., the administrators' workstations requesting certificates on their behalf) actually support the selected Windows version. Older systems (such as Windows 7) cannot handle KSP-based templates.
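To verify the result of the steps above before publishing the duplicated template to the CA, the following added example (not Appterix's or Microsoft's own code) reads the template object from the Active Directory configuration partition and classifies it as KSP or legacy CSP. It assumes the ActiveDirectory RSAT module is installed, the account can read the configuration naming context, and the template name 'YubiKeyEnrollmentAgent' is a placeholder for your duplicated template; the classification is a heuristic based on the schema version and the provider-related attributes.

```powershell
# Added example: report whether a certificate template is KSP-capable.
# Assumes RSAT ActiveDirectory module and read access to the configuration NC.
Import-Module ActiveDirectory

function Get-TemplateProviderCategory {
    param(
        # Template name as stored in AD (the "cn", no spaces), e.g. "EnrollmentAgent",
        # not the display name shown in the Certificate Templates console.
        [Parameter(Mandatory)][string]$TemplateName
    )

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $tpl = Get-ADObject -SearchBase $searchBase `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
        -Properties displayName, 'msPKI-Template-Schema-Version', pKIDefaultCSPs,
                    'msPKI-Asymmetric-Algorithm', 'msPKI-Minimal-Key-Size'
    if (-not $tpl) { throw "Template '$TemplateName' not found under $searchBase" }

    $schema    = [int]$tpl.'msPKI-Template-Schema-Version'
    $providers = @($tpl.pKIDefaultCSPs)   # entries look like "1,Microsoft Software Key Storage Provider"
    $algorithm = $tpl.'msPKI-Asymmetric-Algorithm'

    # Schema version 1/2 = Windows 2000/2003 compatibility: only legacy CSPs are offered.
    # Version 3 (Windows Server 2008) or higher is required before KSP can be selected.
    $category = if ($schema -lt 3) {
        'CSP (legacy; raise Compatibility settings to enable KSP)'
    } elseif ($algorithm -or ($providers -match 'Key Storage Provider')) {
        'KSP'
    } else {
        'CSP (legacy)'
    }

    [pscustomobject]@{
        Template      = $tpl.displayName
        SchemaVersion = $schema
        Category      = $category
        Algorithm     = $algorithm
        MinKeySize    = $tpl.'msPKI-Minimal-Key-Size'
        Providers     = ($providers -replace '^\d+,', '') -join '; '
    }
}

# Placeholder template name; replace with the cn of your duplicated template.
Get-TemplateProviderCategory -TemplateName 'YubiKeyEnrollmentAgent' | Format-List
```

A result of Category = KSP with a SchemaVersion of 3 or higher is what Appterix expects; anything else means the Compatibility or Cryptography tab still needs adjusting.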