.. md_root-certificates.rst

.. _md-root-certificates-label:

==========================================
Working with Enterprise Root Certificates
==========================================

For a standard forest, Windows can manage the trust chain for YubiKey smart card authentication automatically. However, where there is no direct connection between the Windows computer and the server hosting the Certification Authority, loading the Root Certificate onto the YubiKey can bridge the gap for the initial registration. Common situations include systems in a multi-forest domain, users logging on to domain accounts from non-domain systems, and deployments that add new systems to a domain using a smart card for authentication.

Adding an Enterprise Root Certificate to the YubiKey
=====================================================

1. Right-click the Windows **Start** button and select **Windows PowerShell (admin)** or **Command Prompt (Administrator)**, depending on your Windows build.

2. Type in the following command and press **Enter**:

   .. code-block:: powershell

      certutil -scroots update

3. When prompted for your Windows Security PIN, enter the PIN for your smart card and then press **Enter**.

4. To verify both the smart card certificate and the root certificate are loaded to the smart card, type in the following command and then press **Enter**:

   .. code-block:: powershell

      certutil -scinfo

5. You are prompted to enter your smart card PIN several times. Enter it each time it is requested.
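The five steps above, wrapped in a short PowerShell script so that each ``certutil`` call is checked for a non-zero exit code and the verification step is read back mechanically. This is an added example, not part of the Yubico documentation. It assumes ``certutil.exe`` is on the PATH (it ships with Windows) and the YubiKey is inserted; ``certutil`` still prompts for the smart card PIN exactly as in steps 3 and 5, the script does not and cannot supply it. The parsing of the ``-scinfo`` output (picking out ``Issuer:`` and ``Subject:`` lines) is a heuristic based on the text layout of current ``certutil`` builds, not a documented interface, and the root CA name used in the usage line is a placeholder.

```powershell
# Added example, not from the Yubico documentation. Assumes certutil.exe is on PATH and the
# YubiKey is inserted. Run from an elevated PowerShell session (step 1).

function Invoke-CertUtil {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Run certutil, keep its text output, and fail loudly on a non-zero exit code
    # instead of silently carrying on to the next step.
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

function Update-SmartCardRoots {
    # Step 2: push the enterprise root certificate(s) onto the card.
    # certutil prompts for the smart card PIN (step 3); PowerShell does not supply it.
    Invoke-CertUtil -Arguments @('-scroots', 'update') | Out-Null
}

function Get-SmartCardCertificateSummary {
    # Step 4: dump what is on the card and return the Issuer/Subject lines found.
    # HEURISTIC: relies on certutil -scinfo printing "Issuer:" and "Subject:" lines per certificate.
    $lines = Invoke-CertUtil -Arguments @('-scinfo')
    $summary = foreach ($line in $lines) {
        if ("$line" -match '^\s*(Issuer|Subject):\s*(.+)$') {
            [pscustomobject]@{ Field = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
    return @($summary)
}

function Test-SmartCardHasRoot {
    param([Parameter(Mandatory)][string]$RootSubjectPattern)
    # A root certificate is self-signed, so its Subject equals its Issuer. Checking that a
    # Subject line matching the expected root name is present avoids depending on the exact
    # ordering of lines in the dump.
    $summary = Get-SmartCardCertificateSummary
    $hit = $summary | Where-Object { $_.Field -eq 'Subject' -and $_.Value -match $RootSubjectPattern }
    return [bool]$hit
}

# Usage, from an elevated PowerShell (PIN prompts appear as described in steps 3 and 5):
#   Update-SmartCardRoots
#   Test-SmartCardHasRoot -RootSubjectPattern 'CN=Example Root CA'   # placeholder root CA name
```

``Test-SmartCardHasRoot`` returns ``$true`` or ``$false`` rather than printing, so it can be used directly in a deployment script's branch or logged as a check result; the pattern argument is a regular expression, so escape any ``.`` or ``(`` in the real CA name.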

Manually Delete Certificates
==============================

To delete certificates from a certificate chain manually, including a Base CSP container and its associated key and certificate on the YubiKey 4 or YubiKey NEO through the YubiKey Minidriver, use the ``certutil`` command-line program. To list the current containers on the card, use the command:

.. code-block:: powershell

   certutil -key -csp "Microsoft Base Smart Card Crypto Provider"

This returns a list of container names and key types. To remove a container cleanly, use the following command while running with elevated permissions as administrator:

.. code-block:: powershell

   certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "<container name>"
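A guarded PowerShell wrapper for the two commands above, added here as an example; it is not part of the Yubico documentation. It refuses to run without an elevated session, lists the Base CSP containers on the inserted YubiKey, and deletes a container only if that exact name appears in the list and the caller confirms, which protects against a mistyped name wiping the wrong key. Assumptions: ``certutil.exe`` is on the PATH, and the container-name extraction is a heuristic based on the ``-key`` output layout (container names indented under the provider name, each followed by key-type lines such as ``RSA`` or ``AT_KEYEXCHANGE``); adjust the filter if your ``certutil`` build prints the list differently.

```powershell
# Added example, not from the Yubico documentation. Assumes certutil.exe is on PATH.

$Csp = 'Microsoft Base Smart Card Crypto Provider'

function Test-IsElevated {
    # certutil -delkey needs an elevated session; check up front rather than failing half-way.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BaseCspContainer {
    # Equivalent of: certutil -key -csp "Microsoft Base Smart Card Crypto Provider"
    $output = & certutil.exe -key -csp $Csp 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -key failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    # HEURISTIC: keep indented lines that are neither the provider header, the CertUtil
    # status banner, nor a key-type line; what remains are the container names.
    $names = foreach ($line in $output) {
        $text = "$line".Trim()
        if ($text -eq '' -or $text -like 'CertUtil:*' -or $text -like '*:') { continue }
        if ($text -match '^(RSA|ECC|ECDSA|ECDH|AT_KEYEXCHANGE|AT_SIGNATURE)\b') { continue }
        $text
    }
    return @($names)
}

function Remove-BaseCspContainer {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ContainerName)

    if (-not (Test-IsElevated)) {
        throw 'certutil -delkey must run from an elevated (Administrator) session.'
    }
    # Only delete a name that is actually on the card; a typo must not reach certutil.
    $existing = Get-BaseCspContainer
    if ($existing -notcontains $ContainerName) {
        throw "No container named '$ContainerName' on the card. Found: $($existing -join ', ')"
    }
    # ConfirmImpact = High means this prompts by default; -WhatIf shows the action without running it.
    if ($PSCmdlet.ShouldProcess($ContainerName, 'certutil -delkey (removes key and certificate from the YubiKey)')) {
        $result = & certutil.exe -delkey -csp $Csp $ContainerName 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -delkey failed (exit $LASTEXITCODE):`n$($result -join "`n")"
        }
        Write-Verbose ($result -join "`n")
    }
}

# Usage, from an elevated PowerShell:
#   Get-BaseCspContainer                                        # see what is on the card
#   Remove-BaseCspContainer -ContainerName '<container name>'   # prompts before deleting
#   Remove-BaseCspContainer -ContainerName '<container name>' -WhatIf
```

Because deletion of a container is irreversible (the private key is gone from the YubiKey), the wrapper deliberately uses ``ShouldProcess`` with ``ConfirmImpact = 'High'`` so that an interactive run asks first and an automated run has to pass ``-Confirm:$false`` explicitly to proceed.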