This is a brief explanation of a problem related to a Yubikey 5 device that contains three personal certificates with private keys. One of the certificates is also installed locally on a Windows 10 machine.
When the Yubikey is plugged into the machine, the public portion of certificates that are not present in the certificate store are copied there, which is not ideal but acceptable. However, the certificate that exists on both the Yubikey and the certificate store loses its private key on the machine, resulting in only the public portion being available on the machine.
This is disruptive and requires a full reinstallation of the certificate on the Windows machine, only for it to be lost again the next time the Yubikey is inserted.
The author is wondering if there is a way to disable automatic certificate discovery, specifically from PIV-enabled smart cards.
Smart cards have become increasingly popular for authentication and encryption purposes. Windows 10 has built-in support for smart cards, which allows users to use their smart cards to log in to their machines or access encrypted data. However, there is a problem related to Yubikey 5 devices that contain personal certificates with private keys. When the Yubikey is plugged into a Windows 10 machine, the public portion of certificates that are not present in the certificate store are copied there. However, the certificate that exists on both the Yubikey and the certificate store loses its private key on the machine, resulting in only the public portion being available on the machine. This is a major problem that disrupts the authentication process and requires a full reinstallation of the certificate on the Windows machine.
In this blog post, we will discuss how to prevent Windows 10 from automatically installing smart card certificates, specifically from PIV-enabled smart cards.
The Problem with PIV-Enabled Smart Cards
PIV (Personal Identity Verification) is a smart card standard that is used by various US Government agencies and contractors. PIV-enabled smart cards provide secure and reliable access to sensitive information and systems. However, when a PIV-enabled smart card is inserted into a Windows 10 machine, the operating system automatically discovers and installs the certificates that are stored on the card. This is done to make it easier for users to access the certificates and use them for authentication or encryption purposes.
The problem with this automatic certificate discovery is that it can cause the private keys of certificates to be lost when the card is unplugged from the machine. This is because Windows 10 automatically copies the public portion of certificates that are not present in the certificate store to the machine. When the card is unplugged, Windows 10 removes the public portion of the certificates, which can result in the loss of the private keys.
This problem is specifically related to PIV-enabled smart cards that contain certificates with private keys. Yubikey 5 devices are an example of such cards.
Disabling Automatic Certificate Discovery
To prevent Windows 10 from automatically discovering and installing smart card certificates, you need to disable the Smart Card Plug and Play service. Here are the steps to do this:
1. Press the Windows key + R to open the Run dialog box.
2. Type “services.msc” and press Enter.
3. Scroll down to the Smart Card service and double-click it.
4. In the Smart Card Properties dialog box, change the Startup type to “Disabled.”
5. Click the Stop button to stop the service.
6. Click Apply and then OK to save the changes.
Once you have disabled the Smart Card service, Windows 10 will no longer automatically discover and install smart card certificates.
Manually Installing Smart Card Certificates
After disabling automatic certificate discovery, you will need to manually install the certificates that you need to use. Here are the steps to do this:
1. Insert your PIV-enabled smart card into the card reader.
2. Open the Certificate Manager by pressing the Windows key + R and typing “certmgr.msc” in the Run dialog box.
3. In the Certificate Manager, expand the Personal folder and select Certificates.
4. Right-click in the right pane and select All Tasks > Import.
5. In the Certificate Import Wizard, click Next.
6. Browse to the location of the certificate file on your smart card and click Next.
7. Enter the password for the certificate and click Next.
8. Choose the certificate store where you want to store the certificate and click Next.
9. Click Finish to complete the import process.
Repeat this process for each certificate that you need to install.
In conclusion, if you are using a PIV-enabled smart card, such as a Yubikey 5, and you are experiencing problems with the loss of private keys when the card is unplugged from a Windows 10 machine, you can prevent this by disabling automatic certificate discovery. This can be done by disabling the Smart Card Plug and Play service in Windows 10. After disabling automatic certificate discovery, you will need to manually install the certificates that you need to use. This can be done using the Certificate Manager in Windows 10.
Yes, you can prevent Windows 10 from automatically installing smart card certificates by following these steps:
- Open the Start menu and search for “certificates.”
- Click on “Manage computer certificates” to open the Certificates snap-in.
- In the left pane, expand “Certificates (Local Computer)” and navigate to “Trusted Root Certification Authorities” > “Certificates.”
- In the right pane, right-click on the certificate that you want to prevent from being installed and select “Properties.”
- In the Properties window, go to the “Private Key” tab.
- Under “Key options,” uncheck the box next to “Allow private key to be exported.”
- Click “OK” to save the changes.
This will prevent the private key of the certificate from being exported or copied to other devices, including smart cards. Note that this may prevent the certificate from being used for certain purposes, such as authentication or encryption, if the private key is required.
To halt and deactivate the Certificate Propagation Service (CertPropSvc) in services.msc, you must take action.