Preparing YubiKey Neo Device

Follow the steps below to prepare the YubiKey Neo device in the Windows PKI environment to use it for two-factor authentication.

1. Download and install the following utilities:
   1. Yubikey Manager
   2. YubiKey PIV Manager
2. Start the YubiKey Manager utility.
3. Click Configure.
   
   The Configure USB Interfaces dialog appears.
4. Set the CCID check box, and click Save.
   
5. Unplug and re-attach YubiKey Neo device, and close the Yubikey Manager utility.
6. Open the YubiKey PIV Manager utility, and click the Certificates button.
   
7. In the Authentication tab, click Generate new key.
   
8. Select the RSA (2048 bits) encryption algorithm. In the Output panel, set the Certificate Signing Request (CSR) radio button.
   

   Supported certificates

   Only certificates signed by a domain with a Certificate Authority are supported.

    
9. Specify the path for the subject of the user in the Active Directory.
   For example, for the user who is in the Organizational unit of the cit.local domain, the path looks like this: /CN=user/OU=OrganizationUnit/DC=cit/DC=local
   
10. Click OK.
    The Save Certificate Signing Request as dialog appears.
11. Enter a file name to save a certificate request, and select the folder where to store the file.
12. Enter PIN for device access.
    
    The private key is generated and saved to the device.
13. Deploy the PKI. For details, see the Microsoft article that describes how to configure the internal certificate authority.
14. In Internet Explorer, open an enterprise Certification Authority page (generally, it looks like https://IP-adress_of_CA/certsrv or https://domain_name_of_certificate_authority/certsrv). When authorization is required, enter the credentials of the user, whom the certificate must be given to.
15. Click the Request a certificate link.
    
16. Click the advanced certificate request link.
    
17. Click the link Submit a certificate request by using a base 64-encoded CMC…
    
18. Open the certificate request file in any text editor (for example, Notepad), and copy its content to the clipboard.
19. Paste information from clipboard to the Saved Request field.
20. In the Certificate Template section, select Smartcard User from the drop-down list, and press the Submit button.
    
21. Select the Base 64 encoded radio button, and then click the Download certificate link to save the certificate in the Base 64 format.
    
22. Open the YubiKey PIV Manager utility application, and then click the Certificates button.
    
23. In the Authentication tab, press the Import from file… button to load the certificate created from file.
    
24. Unplug and re-attach the device to use the YubiKey Neo device with a new certificate.