I'm trying to enroll a certificate to a YubiKey that's plugged into a remote machine while I access it through RDP. I'm aware that EOBO means 'Enroll on behalf of', but every tool I've used, like MMC, certutil, and yubico-piv-tool, can't see the YubiKey even though it's connected to the remote machine. It seems like it's related to smart card redirection, and I'm not sure how to work around it. My setup is that I'm connecting from workstation [A] to remote machine [B] with the YubiKey. Has anyone found a way to successfully enroll a new private key onto the 9a smart card remotely?
2 Answers
Yes, you can do this! Just make sure that both your local machine and the remote one have the YubiKey drivers installed. The driver on the server should be set to LEGACY_MODE. Also, ensure that your RDP session has WebAuthn and Smartcard redirection enabled to make it work smoothly.
The issue you're facing is usually due to how RDP handles smart card redirection. While it redirects the card via its smart card channel, some tools like yubico-piv-tool expect direct access, which is why they're not detecting it. But, Windows built-in enrollment tools should work fine if smart card redirection is enabled. Try using the Certificates MMC or certreq instead. If you must use yubico-piv-tool, the workaround is to run it locally on the machine the YubiKey is attached to, or use PowerShell remoting to control that machine during the enrollment.
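One way to carry out the workaround from the answer above (driving the YubiKey host over PowerShell remoting instead of from inside the RDP session, so no smart card redirection is involved), as an added example that is not part of either answer. The computer name, CA config string, subject and template name are placeholder assumptions, and yubico-piv-tool.exe and certreq.exe are assumed to be on the PATH of machine [B].

```powershell
# Added example: enroll a new key and certificate into PIV slot 9a of a YubiKey
# attached to remote machine [B], run from workstation [A] via PowerShell remoting.
# Placeholders (assumptions, not from the original answers): RemoteHost, CaConfig,
# Subject and Template. `certutil -config - -ping` on the CA lists the real config string.
param(
    [string]$RemoteHost = 'MACHINE-B',
    [string]$CaConfig   = 'CA-HOST\Example-Issuing-CA',
    [string]$Subject    = '/CN=user@example.com/',
    [string]$Template   = 'SmartcardLogon'
)

# Prompt for the PIN and management key so neither is stored in shell history.
$pinSecure = Read-Host -Prompt 'PIV PIN' -AsSecureString
$keySecure = Read-Host -Prompt 'PIV management key (hex)' -AsSecureString
$pin    = [System.Net.NetworkCredential]::new('', $pinSecure).Password
$mgmKey = [System.Net.NetworkCredential]::new('', $keySecure).Password

$session = New-PSSession -ComputerName $RemoteHost
try {
    Invoke-Command -Session $session -ArgumentList $pin, $mgmKey, $Subject, $CaConfig, $Template -ScriptBlock {
        param($Pin, $MgmKey, $Subject, $CaConfig, $Template)
        $work = Join-Path $env:TEMP 'piv-enroll'
        New-Item -ItemType Directory -Force -Path $work | Out-Null
        Set-Location $work

        # 1. Generate an RSA-2048 key pair on the card in slot 9a; only the public key leaves the card.
        & yubico-piv-tool -a generate -s 9a -A RSA2048 -k $MgmKey -o pub.pem
        if ($LASTEXITCODE) { throw 'key generation in slot 9a failed' }

        # 2. Have the card sign a CSR for that key (verify-pin must precede request-certificate).
        & yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S $Subject -P $Pin -i pub.pem -o req.csr
        if ($LASTEXITCODE) { throw 'CSR creation failed' }

        # 3. Submit the CSR to the enterprise CA; the issued certificate is written DER-encoded.
        & certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" req.csr cert.cer
        if ($LASTEXITCODE) { throw 'CA submission failed (a pending request needs manager approval)' }

        # 4. Load the issued certificate into slot 9a beside its private key.
        & yubico-piv-tool -a import-certificate -s 9a -K DER -k $MgmKey -i cert.cer
        if ($LASTEXITCODE) { throw 'certificate import failed' }

        # 5. Show the card state so the operator can confirm slot 9a now carries the certificate.
        & yubico-piv-tool -a status
        Remove-Item -Recurse -Force $work
    }
} finally {
    Remove-PSSession $session
}
```

Because the remoting session talks to the Smart Card service on [B] directly, the tools see the physical reader rather than a redirected one; the account used must be allowed to remote into [B] and the card's management key must have been changed from the factory default.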