Request and load a certificate from Windows CA ---------------------------------------------- This is a short step-by-step on how to generate a key in the, create a certificate request, submit that request to a Windows CA and then load the certificate in the. Prerequisites ------------- * a YubiKey with the PIV application loaded * the yubico-piv-tool software * credentials to request certs from a Windows CA Steps ----- 1. Generate the key: (--key[=STRING] is needed if the management key value is no longer the default value) yubico-piv-tool -s 9a -a generate -o public.pem --key[=STRING] 2. Request a certificate: yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \ -S "/CN=example/O=test/" -i public.pem -o request.csr 3. Submit the request to the Windows CA: (this step must be run on a windows machine that know about the CA) certreq -submit -attrib "CertificateTemplate:User" request.csr cert.crt 4. Load the certificate in the: (--key[=STRING] is needed if the management key value is not the default value) yubico-piv-tool -s 9a -a import-certificate -i cert.crt --key[=STRING] 5. For it to be useful in windows a chuid must be set as well: (only if that wasn't done earlier) (--key[=STRING] is needed if the management key value is no longer the default value) yubico-piv-tool -a set-chuid --key[=STRING]