Enroll certificates to Yubikeys
Pointsharp ID Server provides certificate enrollment for Yubikeys. This allows a user with access to User Portal to enroll and revoke a certificate on a Yubikey in combination with the Net iD Client.
A Yubikey is a physical device that stores cryptographic keys and requires user presence (for example, a touch or a PIN) to authorize actions. It is primarily used for user-to-application authentication (for example, a person logging into a website or a corporate network).
Requirements:
- A Pointsharp ID Server with User Portal must be in place before starting this configuration.
- Net iD Client installed on the computer doing the enrollment.
PSID Admin GUI Configuration
Open the PSID Admin GUI on the Pointsharp ID Server and follow these steps:
- Open the tab Tokens.
- Click Certificate listed under General Settings.
- CA Name: Add the Certificate CA Name.
- Certificate Template: Add the name of the certificate template(s) to be used for enrollment on the above-mentioned CA Server.
- Click Apply to save changes.
- Go to tab General and click Restart to inject the changes into the configuration.
Add Certificate option in User Portal
There are two options to make this feature visible for end users in User Portal.
Option 1
- Open the IIS Manager on the Pointsharp ID Server.
- Expand the Default Web Site and click UserPortal.
- Click Application Settings in the top row of the middle section of the IIS Manager GUI.
- Locate the value SECURITY_TOKEN_SELECTABLE_TYPES.
- Add ,Certificate at the end of the value that lists all token variations.
- Reload the User Portal website and it should now be visible under Security Token and Add New.
Option 2
- Open the File Explorer and go to C:\Program Files\PointSharp\UserPortal.
- Locate the web.config file and open it in Notepad (must be run as an admin).
- Locate the value SECURITY_TOKEN_SELECTABLE_TYPES.
- Add ,Certificate at the end of the string.
- Reload the User Portal website, and it should now be visible under Security Token and Add New.
With Certificate appended, the complete value looks like this:
PointSharpLoginToken,HardwareToken,PointsharpTOTPToken,FidoToken,FidoTpmToken,EntraID,GoogleMobileToken,Certificate
If any of the other token types should not be available or visible, just remove them from this value and refresh the website.
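As an added example (not Pointsharp's own tooling), the following PowerShell script performs the Option 2 edit from an elevated prompt: it backs up web.config, appends Certificate to SECURITY_TOKEN_SELECTABLE_TYPES only if it is not already present, and saves the file. It assumes the setting is stored as an <add key="..." value="..."/> element under <appSettings>, which is what the IIS Manager Application Settings view edits.

```powershell
# Added example, not part of the Pointsharp product or documentation.
# Appends "Certificate" to SECURITY_TOKEN_SELECTABLE_TYPES in the User Portal
# web.config without duplicating it, keeping a backup of the original file.
# Assumption: the setting is <add key="..." value="..."/> under <appSettings>.
$WebConfig = 'C:\Program Files\PointSharp\UserPortal\web.config'
$Key       = 'SECURITY_TOKEN_SELECTABLE_TYPES'
$NewType   = 'Certificate'

# Keep a timestamped copy so the change can be rolled back.
$Backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $WebConfig, (Get-Date)
Copy-Item -Path $WebConfig -Destination $Backup

# Load the file as XML rather than editing it as text, so the surrounding
# configuration stays well-formed.
[xml]$xml = Get-Content -Path $WebConfig -Raw
$node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
if (-not $node) { throw "Setting $Key not found in $WebConfig" }

# Split the comma-separated list, trim whitespace, drop empty entries,
# and only add the new token type if it is not already listed.
$current = $node.GetAttribute('value')
$types   = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($types -contains $NewType) {
    Write-Host "$NewType is already enabled: $current"
} else {
    $node.SetAttribute('value', (($types + $NewType) -join ','))
    $xml.Save($WebConfig)
    Write-Host "Updated $Key to: $($node.GetAttribute('value'))"
}
```

Saving web.config makes IIS recycle the User Portal application, which has the same effect as the manual reload step.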
Delegation of ID Server
The PsAPI Website on the Pointsharp ID Server contains the application CertApi which uses Local System as default Application Pool Identity. This Identity will be the one used for delegation towards the CA Server to enroll certificates.
- Open the Active Directory Users & Computers snap-in on the Domain Controller.
- Locate the Computer Account for the Pointsharp ID Server.
- Right click and choose Properties.
- Open the tab Delegation.
- Enable Trust this computer for delegation to specified services only, and enable Use any authentication protocol listed beneath.
- Click Add and locate the CA Server that will enroll certificates.
- Add HOST and RPCSS to use as delegation.
Net iD Client
These registry settings enable the Net iD Client to reset the PIN on the Yubikey and to add the certificate for the specified domain.
The client computer accessing the User Portal to enroll certificates must have the Net iD Client installed.
After installation of the Net iD Client, follow these steps:
- Edit the NiC-UserPortal.reg file.
- Edit the URL value to match your own user portal address:
  "PointsharpUserPortal"="https://idserver.contoso.com/userportal"
- Edit the hostname to match your own hostname:
  "70"="https://idserver.contoso.com,full"
- Double-click the file to import it into the Registry.
Preparation and configuration for Certificate Enrollment in User Portal is now completed.