ykman - housekeeping of old/expired certificates #633

Open
bauerstefan opened this issue Sep 9, 2024 · 3 comments
Comments

@bauerstefan

  • YubiKey Manager (ykman) version: latest
  • How was it installed?: Clicking yubikey-manager-qt-latest-win64.exe
  • Operating system and version: Windows 11 latest stable
  • YubiKey model and version: 5 NFC, tested with several sticks
  • Bug description summary:
    After renewing a certificate from an internal Windows CA, the stick holds several (old and new) certificates in different slots. Please allow deleting expired certificates without specifying a particular certificate.

Reason: We are using OpenVPN with PKCS#11, and the user gets prompted to select the certificate to use. If there were only a single (the valid) certificate, the user would not be bothered at all.

Steps to reproduce

Do a `certreq -enroll Yubikey` (or whatever the name of your Windows CA template is).
Load a key on the stick.
Repeat the step to load another cert onto the YubiKey.

Use an application that uses certificates. Check the offered certificates, or check the existing certificates with ykman on the console, to notice that there are even older / expired certs on the stick.

Expected result

Have a single command to delete all expired certificates on keys, or have a way to replace the existing certificate in a specific slot during the 'certreq enroll' process.

Actual results and logs

2024-09-09_16-10


@dainnilsson
Member

There's a lot of different software components at play here and I'm not sure what exactly would be in scope for ykman. When issuing a new certificate you should be able to re-use an existing private key slot and then just overwrite the expired certificate, rather than using a new slot. If you have third party software that is managing these slots for you then I'd say that it's that software that should be responsible for cleaning up old keys/certificates, not ykman.

While it would be technically possible to add a command to delete expired certificates to ykman, I don't really think it adds that much over the existing functionality to delete certificates one at a time to the CLI itself. It should be pretty easy to script such behavior though!
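The kind of script suggested above, added here as an example and not part of this thread or of the ykman project: it drives the ykman CLI (`ykman piv certificates export SLOT -` to read each certificate as PEM, `ykman piv certificates delete SLOT` to remove one), parses the exported certificate with the `cryptography` library (a dependency ykman already has) and lists every expired certificate across the four standard PIV slots and the retired slots 82..95. It assumes `ykman` is on PATH; the `--delete` flag is this example's own, and without it the script only reports. The `make_test_cert` helper builds constructed self-signed certificates so the selection logic can be checked without a YubiKey.

```python
"""List (and, on request, delete) expired certificates in YubiKey PIV slots via the ykman CLI.

Added example, not ykman project code. Assumes `ykman` is on PATH and that the
`cryptography` package (a ykman dependency) is importable.
"""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# The four standard PIV slots plus the retired key-management slots 82..95,
# which ykman exposes as well and which additional enrolments may occupy.
STANDARD_SLOTS = ["9a", "9c", "9d", "9e"]
RETIRED_SLOTS = [f"{n:02x}" for n in range(0x82, 0x96)]
ALL_SLOTS = STANDARD_SLOTS + RETIRED_SLOTS


def utc(year, month, day):
    """Tz-aware UTC datetime constructor (used for the constructed test data)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def not_after_utc(cert):
    """notAfter as a tz-aware UTC datetime, for both old and new cryptography versions."""
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return not_after


def is_expired(pem, now):
    """True when the PEM certificate's notAfter lies strictly before `now`."""
    cert = x509.load_pem_x509_certificate(pem)
    return not_after_utc(cert) < now


def find_expired(export, slots, now):
    """Return the slots whose certificate has expired.

    `export(slot)` returns PEM bytes, or None when the slot holds no certificate.
    Passing it in keeps the selection logic testable without hardware.
    """
    expired = []
    for slot in slots:
        pem = export(slot)
        if pem is not None and is_expired(pem, now):
            expired.append(slot)
    return expired


def ykman_export(slot):
    """Export the certificate in `slot` as PEM; ykman exits non-zero for an empty slot."""
    proc = subprocess.run(
        ["ykman", "piv", "certificates", "export", slot, "-"],
        capture_output=True,
    )
    return proc.stdout if proc.returncode == 0 else None


def ykman_delete(slot):
    """Delete only the certificate object in `slot` (ykman prompts for the management
    key unless it is given with -m). The private key in the slot is left in place."""
    subprocess.run(["ykman", "piv", "certificates", "delete", slot], check=True)


def make_test_cert(not_after):
    """Constructed self-signed certificate valid for the year ending at `not_after` (test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-test-cert")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_after - timedelta(days=365))
        .not_valid_after(not_after)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def main(argv):
    """Dry run by default; `--delete` (this example's own flag) removes what is reported."""
    delete = "--delete" in argv
    now = datetime.now(timezone.utc)
    expired = find_expired(ykman_export, ALL_SLOTS, now)
    if not expired:
        print("no expired certificates found")
    for slot in expired:
        if delete:
            ykman_delete(slot)
            print(f"deleted expired certificate in slot {slot}")
        else:
            print(f"slot {slot}: expired (dry run; pass --delete to remove)")
    return expired


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it once without arguments to see which slots would be touched, then with `--delete`. Deleting a certificate object does not free the slot's key material, so a later enrolment that is told to use that slot simply overwrites it; the script deliberately never touches slot f9 (attestation) or any slot that is not expired.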

@bauerstefan
Author

Hi Dain,

Thank you for your reply. I reported the issue here, as this is a sub-component of Yubico and, to my understanding, related. We are not using any third party software. We are following strictly Yubico's official documentation to set up Windows Server for YubiKey PIV Authentication [1]. Regarding your comment to "re-use an existing private key slot and then just overwriting the expired certificate", the official statement from Yubico here [2] is to not use the same private key ("Ensure the option to Renew with the same key is not selected.").

Further clarification is much appreciated to work around the reported problem.

Thank you.

[1] https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication
[2] https://support.yubico.com/hc/en-us/articles/360015668979-Setting-up-Smart-Card-Login-for-User-Self-Enrollment

@dainnilsson
Member

Hi,

"Third party" was a bad choice of words. I was including Windows components here, but really meant "components other than ykman". I think your question here should be directed to Yubico support instead as it sounds like you are looking for guidance or perhaps changes to other tools than ykman.
