diff --git a/doc/Windows-Certificate.asciidoc b/doc/Windows-Certificate.asciidoc new file mode 100644 index 0000000..764f92e --- /dev/null +++ b/doc/Windows-Certificate.asciidoc @@ -0,0 +1,39 @@ +Request and load a certificate from Windows CA +---------------------------------------------- + +This is a short step-by-step on how to generate a key in the Neo, +create a certificate request, submit that request to a Windows CA +and then load the certificate in the Neo. + +Prerequisites +------------- + +* a YubiKey Neo with the PIV applet loaded +* the yubico-piv-tool software +* credentials to request certs from a Windows CA + +Steps +----- + +1. Generate the key: + + yubico-piv-tool -s 9a -a generate -o public.pem + +2. Request a certificate: + + yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate -S "/CN=example/O=test/" \ + -i public.pem -o request.csr + +3. Submit the request to the Windows CA: + (this step must be run on a windows machine that know about the CA) + + certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt + +4. Load the certificate in the Neo: + + yubico-piv-tool -s 9a -a import-certificate -i cert.crt + +5. For it to be useful in windows a chuid must be set as well: + (only if that wasn't done earlier) + + yubico-piv-tool -a set-chuid