Working with Enterprise Root Certificates

For a standard forest, Windows can manage the trust chain for YubiKey smart card authentication automatically. However, where there is no direct connection between the Windows computer and the server hosting the Certification Authority, loading the Root Certificate onto the YubiKey bridges the gap for the initial registration. Common situations include: systems on a multi-forest domain, users logging onto domain accounts from non-domain systems, and deployments that add new systems to a domain using a smart card for authentication.

Adding an Enterprise Root Certificate to the YubiKey

  1. Right-click the Windows Start button and select Windows PowerShell (admin) or Command Prompt (Administrator), depending on your Windows build.

  2. Type in the following command and press Enter:

    certutil -scroots update
    
  3. When prompted for your Windows Security PIN, enter the PIN for your smart card and then press Enter.

  4. To verify both the smart card certificate and the root certificate are loaded to the smart card, type in the following command and then press Enter:

    certutil -scinfo
    
  5. You are prompted to enter your smart card PIN several times. Enter it each time it is requested.
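The five steps above, wrapped in a PowerShell function so the two certutil calls are checked rather than run by hand. This is an added example, not Yubico's code; it assumes certutil.exe is on the PATH, that the session is elevated (step 1), and it takes a hypothetical -RootSubject parameter naming the enterprise root CA you expect to find on the card. The PIN prompts in steps 3 and 5 are Windows Security dialogs and are still answered interactively.

```powershell
# Added example (not part of the original page). Runs the root-update and
# verification steps and reports whether the expected root CA name appears
# in the card dump. -RootSubject is a hypothetical parameter; 'Contoso Root CA'
# below is a placeholder value.
function Update-SmartCardRootChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RootSubject
    )

    # Step 2: push the enterprise root certificates to the smart card.
    # certutil prompts for the card PIN in a Windows Security dialog (step 3).
    & certutil.exe -scroots update
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -scroots update failed with exit code $LASTEXITCODE"
    }

    # Step 4: dump the certificates on the card. certutil asks for the PIN
    # again, possibly several times (step 5).
    $info = & certutil.exe -scinfo 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -scinfo failed with exit code $LASTEXITCODE"
    }

    # Verify the expected root CA name is present in the card contents.
    # Escape the subject so characters such as '.' or '(' are matched literally.
    $rootOnCard = $info -match [regex]::Escape($RootSubject)

    [pscustomobject]@{
        RootSubject = $RootSubject
        RootOnCard  = $rootOnCard
        ScInfo      = $info
    }
}

# Usage (placeholder CA name):
$result = Update-SmartCardRootChain -RootSubject 'Contoso Root CA'
if (-not $result.RootOnCard) {
    Write-Warning "Root '$($result.RootSubject)' not found in certutil -scinfo output; review the dump below."
    $result.ScInfo
}
```

The function fails fast on a non-zero certutil exit code so a failed PIN entry or a card that is not present is not mistaken for success; the subject-name check is a plain text match on the -scinfo dump, so pass the CN exactly as it appears in your enterprise root certificate.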

Manually Delete Certificates

To delete certificates from a certificate chain manually, including a Base CSP container and its associated key and certificate on the YubiKey 4 or YubiKey NEO through the YubiKey Minidriver, use the certutil command line program. To list the current containers on the card, use the command:

certutil -key -csp "Microsoft Base Smart Card Crypto Provider"

This returns a list of container names and key types. To remove a container cleanly, use the following command while running with elevated permissions as administrator:

certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "<container name>"
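The list-then-delete sequence above as a PowerShell function with a guard: the container is only deleted if its name actually appears in the current listing, and the delete honours -WhatIf/-Confirm so an administrator can dry-run it first. This is an added example, not Yubico's code; it assumes certutil.exe is on the PATH, an elevated session, and that certutil -key prints the container name verbatim in its output (the check is a literal text match on that output).

```powershell
# Added example (not part of the original page). Wraps the two certutil
# commands above; the CSP name is the one the page uses.
$script:SmartCardCsp = 'Microsoft Base Smart Card Crypto Provider'

# Returns the raw certutil -key listing (container names and key types).
function Get-SmartCardContainerListing {
    $listing = & certutil.exe -key -csp $script:SmartCardCsp 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -key failed with exit code $LASTEXITCODE"
    }
    $listing
}

# Deletes one container (key and certificate) from the card, but only after
# confirming the name is present in the listing. ConfirmImpact=High means
# the operation prompts unless -Confirm:$false or -Force is given.
function Remove-SmartCardContainer {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ContainerName
    )

    $listing = Get-SmartCardContainerListing
    # Literal match; escape regex metacharacters that may appear in a name.
    if ($listing -notmatch [regex]::Escape($ContainerName)) {
        throw "Container '$ContainerName' not found on the card; nothing deleted."
    }

    if ($PSCmdlet.ShouldProcess($ContainerName, "certutil -delkey (remove key and certificate from smart card)")) {
        & certutil.exe -delkey -csp $script:SmartCardCsp $ContainerName
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -delkey failed with exit code $LASTEXITCODE"
        }
        Write-Verbose "Removed container '$ContainerName'."
    }
}

# Usage: review the listing, then dry-run before the real delete.
Get-SmartCardContainerListing
Remove-SmartCardContainer -ContainerName '<container name>' -WhatIf   # placeholder name
# Remove-SmartCardContainer -ContainerName '<container name>' -Verbose
```

Because -delkey is destructive and the card has no undo, the function refuses to run against a name it cannot see in the listing and surfaces the ShouldProcess prompt by default; re-run Get-SmartCardContainerListing afterwards to confirm the container is gone.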