Yubikey - Silently Enroll PIV Using Certreq
Published: Windows
This will allow a Yubikey to be silently enrolled for a certificate from an Active Directory CA without user intervention. In practice you would prompt the user for their PIN first and then pass that PIN to the enrollment, rather than hard-coding it as the script below does.
Additionally, the default PUK and management key should be changed. Note that the reset in the script below restores the factory PIN, PUK and management key, and the script only changes the PIN afterwards.
REM This method requires the Yubico Minidriver to be installed on the enrollment station.
REM To do this silently, ensure that the Certificate Template is set to "Enroll subject without requiring any user input" on the "Request Handling" tab of the Certificate Template's Properties.
REM The default PIN code is 123456.
REM The default PUK code is 12345678.
REM The default 3DES management key (9B) is 010203040506070801020304050607080102030405060708.
REM Clear the Yubikey. The PIV applet only accepts a reset once both the PIN and the PUK are blocked,
REM so the wrong PIN and wrong PUK below are entered on purpose to burn the retry counters (3 attempts by default).
yubico-piv-tool -a verify-pin -P 999999
yubico-piv-tool -a verify-pin -P 999999
yubico-piv-tool -a verify-pin -P 999999
yubico-piv-tool -a verify-pin -P 999999
yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a change-puk -P 471112 -N 6756789
REM Reset the PIV applet. This wipes all keys and certificates and restores the default PIN, PUK and management key.
yubico-piv-tool -a reset
REM Set the CHUID
yubico-piv-tool -a set-chuid
REM Assign a new PIN (654321) to the Yubikey
yubico-piv-tool -a change-pin -P 123456 -N 654321
REM Silently enroll a new cert on the key
REM Run the following for an explanation of the switches used
REM certreq -Enroll -?
certreq -Enroll -pin 654321 -config "MyCAServer\MyCAInstance" -f -q -v MyYubikeyCertificateTemplate
REM The certificate is automatically put into slot 9a on the inserted Yubikey
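The same procedure wrapped in PowerShell, added here as an example and not part of the original post: it prompts the operator for the PIN instead of hard-coding it and replaces the factory PUK with a random one before enrolling. It assumes yubico-piv-tool.exe and certreq.exe are on the PATH, the Yubico minidriver is installed, and the CA config and template names are the post's placeholders.

```powershell
# Added example (not the original post's script). Assumes yubico-piv-tool.exe and certreq.exe
# are on PATH and the Yubico minidriver is installed on the enrollment station.
param(
    [string]$CaConfig = "MyCAServer\MyCAInstance",      # placeholder, as in the post
    [string]$Template = "MyYubikeyCertificateTemplate"   # placeholder, as in the post
)

function Invoke-Piv {
    # Run yubico-piv-tool and stop on failure so a half-provisioned key is not enrolled.
    param([string[]]$ToolArgs, [switch]$IgnoreFailure)
    & yubico-piv-tool.exe @ToolArgs | Out-Null
    if ($LASTEXITCODE -ne 0 -and -not $IgnoreFailure) {
        throw "yubico-piv-tool $($ToolArgs -join ' ') failed (exit $LASTEXITCODE)"
    }
}

function New-NumericSecret {
    # Cryptographically random digit string for the new PUK; rejection sampling keeps digits unbiased.
    param([int]$Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $digits = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($digits.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 250) { [void]$digits.Append($buf[0] % 10) }
    }
    $digits.ToString()
}

# 1. Ask the operator for the PIN the key will receive rather than hard-coding it.
$securePin = Read-Host -Prompt "New PIN for the YubiKey (6-8 digits)" -AsSecureString
$pin = [System.Net.NetworkCredential]::new("", $securePin).Password
if ($pin -notmatch '^\d{6,8}$') { throw "PIN must be 6-8 digits" }

# 2. Wipe the PIV applet. A reset is only accepted once PIN and PUK are both blocked, so burn the
#    retry counters (3 by default) with values known not to be the current PIN/PUK, as the post does.
1..4 | ForEach-Object { Invoke-Piv @('-a','verify-pin','-P','999999') -IgnoreFailure }
1..4 | ForEach-Object { Invoke-Piv @('-a','change-puk','-P','471112','-N','6756789') -IgnoreFailure }
Invoke-Piv @('-a','reset')

# 3. New CHUID, then replace the factory PIN (123456) and PUK (12345678) the reset restored.
#    The management key is still the factory default at this point; rotate it as a separate step.
$puk = New-NumericSecret -Length 8
Invoke-Piv @('-a','set-chuid')
Invoke-Piv @('-a','change-pin','-P','123456','-N',$pin)
Invoke-Piv @('-a','change-puk','-P','12345678','-N',$puk)

# 4. Silent enrollment through the minidriver; the certificate lands in slot 9a.
& certreq.exe -Enroll -pin $pin -config $CaConfig -f -q -v $Template
if ($LASTEXITCODE -ne 0) { throw "certreq failed (exit $LASTEXITCODE)" }
Write-Host "New PUK (record it in your escrow system): $puk"
Remove-Variable pin, puk, securePin
```

The PUK is printed once so it can be escrowed; drop that line if the escrow step is handled elsewhere.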