I had a requirement to test a YubiKey 5 with PIV for Windows smart card authentication. PIV has four standard certificate slots, 9a, 9c, 9d and 9e, and by default 9a, 9d and 9e work for user authentication, while 9c requires the YubiKey minidriver to work. I wanted to deploy four certificates with iterated names to confirm that the slots work and that 9c in fact does not work without the minidriver. I used PowerShell to generate the certificates:
$baseName = "wojciechjakubowski"
$certPath = "Cert:\CurrentUser\My"
# Export-PfxCertificate does not create the target directory
New-Item -ItemType Directory -Force -Path "C:\temp" | Out-Null
# Test-only PFX password; not $pwd, which would shadow the automatic $PWD variable
$pfxPassword = ConvertTo-SecureString -String "123" -Force -AsPlainText
for ($i = 1; $i -le 4; $i++) {
    $subject = "CN=$baseName$i"
    # -Type Custom suppresses the default EKUs, so only the Smart Card Logon EKU
    # given in -TextExtension ends up in the certificate
    $cert = New-SelfSignedCertificate -Subject $subject `
        -KeyUsage DigitalSignature `
        -Type Custom `
        -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.20.2.2") `
        -CertStoreLocation $certPath
    $file = "$baseName$i.pfx"
    Export-PfxCertificate -Cert $cert -FilePath "C:\temp\$file" -Password $pfxPassword
}
1.3.6.1.4.1.311.20.2.2 is the OID for Smart Card Logon, which is what I wanted to test, but you can replace it or add further EKUs using the common OIDs below to test against other purposes:
1.3.6.1.5.5.7.3.2 – Client Authentication
1.3.6.1.5.5.7.3.1 – Server Authentication
1.3.6.1.5.5.7.3.3 – Code Signing
1.3.6.1.4.1.311.20.2.2 – Smart Card Logon
1.3.6.1.4.1.311.10.3.12 – Document Signing
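As an added example (not part of the original post), here is the step that comes after the generation script: loading the four PFX files into slots 9a, 9c, 9d and 9e with the YubiKey Manager CLI (ykman) and then listing what the card and Windows each report. It assumes ykman is on PATH, the PFX files are in C:\temp as above, and the YubiKey still has its factory-default PIN (123456) and management key; the slot-to-file mapping and the assumption that ykman 5.x accepts PFX input for both import subcommands are mine.

```powershell
# Added example, not the original post's code. Assumes ykman 5.x on PATH and the
# PFX files produced by the generation script in C:\temp.
$baseName    = "wojciechjakubowski"
$pfxPassword = "123"                                              # same as the export above
$pin         = "123456"                                           # factory-default PIN (assumption)
$mgmtKey     = "010203040506070801020304050607080102030405060708" # factory-default management key (assumption)
# The well-known default management key lets anyone with the key in hand overwrite the
# slots; change it (ykman piv access change-management-key) once the test is done.

# Slot -> certificate number, so a missing slot is easy to spot by subject name.
$slotMap = [ordered]@{ "9a" = 1; "9c" = 2; "9d" = 3; "9e" = 4 }

# New-SelfSignedCertificate left copies in Cert:\CurrentUser\My. Those would be listed
# whether or not the card is present, so remove them first; afterwards only certificates
# propagated from the card should reappear there.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$baseName*" } |
    Remove-Item

foreach ($slot in $slotMap.Keys) {
    $pfx = "C:\temp\$baseName$($slotMap[$slot]).pfx"
    Write-Host "Importing $pfx into slot $slot"
    # ykman pulls the private key and the certificate out of the PKCS#12 file
    # (assumption: ykman 5.x accepts PFX for both subcommands).
    ykman piv keys import -m $mgmtKey -P $pin -p $pfxPassword $slot $pfx
    if ($LASTEXITCODE -ne 0) { throw "Key import into slot $slot failed" }
    ykman piv certificates import -m $mgmtKey -P $pin -p $pfxPassword $slot $pfx
    if ($LASTEXITCODE -ne 0) { throw "Certificate import into slot $slot failed" }
}

# What the YubiKey itself says is in each slot:
ykman piv info

# What Windows exposes through whichever smart card driver is installed
# (the inbox driver or the YubiKey minidriver):
certutil -scinfo

# Certificates the Certificate Propagation service copied into the user store after
# the card was inserted; the one for 9c (CN=<baseName>2) is the one to look for.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$baseName*" } |
    Select-Object Subject, Thumbprint
```

Unplug and reinsert the YubiKey between the import loop and the checks, since Windows caches what it read from the card at insertion time, and repeat the two checks after installing the minidriver to compare the two driver stacks on the same card contents.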
For what it's worth, I confirmed that 9c does not show up without the minidriver and that it does show up with the minidriver installed.