[SmartcardServices-Users] Cannot use my Yubikey Neo

Thomas Westfeld westfeld at mac.com
Tue Feb 17 12:41:08 PST 2015


> 
> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <westfeld at mac.com> wrote:
> 
>> Hello everyone,
>> 
>> I am the proud owner of a new Yubikey NEO, firmware 3.3.0, with CCID mode enabled.
>> 
>> I am having problems getting it to work, e.g. showing the certificates of the yubikey in my keychain. I have installed the latest Smartcard services for Mac OS 10.9 on my MacBookAir with PIV tokend installed. I am currently running 10.9.5 on it.
>> 
>> First of all, when I attach the yubikey, my console shows the following:
>> 
>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34: com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]: 0xffffffffe00002ed
>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO OTP+CCID 00 00 inserted into system
>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)
>> 
>> That does not sound too good. I then restarted pcscd with the --debug and --apdu flags and reattached the yubikey. This is the lengthy output shown at the end of the post.
>> 
>> Now my noob question: what can I do next? It does not seem to work or am I missing something here?
> 
> Without spending some time with 800-73, I can’t interpret the detailed dump. 
> 
> Let me ask you this: Have you actually gone through the initialization/provisioning steps to create a PIV container on the Yubikey? I assume it still comes blank from the factory, so there would not be any “token” in the “reader” for the software to connect with until you create one. They have some free utilities for the purpose, and there should have been a cheat-sheet in the box telling you how to do it.
> 
> --
> Henry B. (Hank) Hotz, CISSP   http://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Training & Services
> 

On 09.02.2015 at 03:15, Henry B (Hank) Hotz, CISSP <hotz at 2ndquadrant.com> wrote:

First of all, thanks for your reply. It took me some time to have a look in more detail. First I used the yubikey NEO manager to activate the PIV applet on the NEO. I then took the following steps:

1. generate private key and self-signed certificate using openssl:
# openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

2. convert key and cert into p12 file
# openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem

3. use homebrew to install yubico-piv-tool and opensc

4. use the yubico-piv-tool to load the private key and the cert into the NEO
# yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a import-key -a import-cert
Successfully set new CHUID.
Successfully imported a new private key.
Successfully imported a new certificate.

This at first sounds promising; however, I get the very same error messages and the yubikey PIV module does not appear in Keychain.

Am I missing anything?
Thanks in advance. 

