SSH access via PIV smart card using CAPI

CAPI, provided by Microsoft, allows for various application encryption methods. All functions are included in the operating system, so there is no need to install separate modules such as PKCS#11. The functions it performs include providing cryptographic algorithms, providing hardware components such as smart cards, and providing direct communication with the user in the case of electronic signatures using the user's private key. Among these, you can use a smart card's certificate to connect to a remote SSH server.

The following is a guide on how to connect to a remote SSH server with a Yubikey smart card certificate.

Generate and export a certificate from Yubikey

Generate a certificate

  1. Run Yubikey Manager

  2. Select Applications -> PIV -> Certificates.

  3. Click Generate under Authentication.


    Select Self-signed certificate.

     

    Select ‘RSA2048’ or ‘RSA1024’ as the algorithm. As of November 20, 2023, ECCP256 is not supported by Xshell.


    Enter a name for the certificate.


    Set an expiration date for the certificate.


    After confirming that the specified information is correct, generate the certificate.


    Enter the required key values based on the settings information of the smart card.


    Select Export to create a file to register the certificate generated above in the user certificates.

     

Certificate Registration

  1. Execute the certificate created in the above certificate generation process by double-clicking, and then click ‘Install Certificate…’.

     

  2. In the Certificate Import Wizard, select 'Current User'.

     

  3. Select ‘Place all certificates in the following store’ and ensure that the certificate store is ‘Personal’.

     

     

  4. Run Manager User Certificates(certmgr) to confirm that the certificate is properly installed.

Create and run CAPI sessions in Xshell

  1. After opening the properties of the session file, select ‘Authentication → CAPI → Setup’ to open the Setup CAPI dialog.

     

  2. Click the More (…) button to open the ‘Windows Security’ dialog and select the certificate. If the certificate is not selected, click ‘More choices’ to select the certificate.

     

  3. When you select the certificate, the CAPI key string and the certificate’s public key string will be displayed as shown below. The token pin number is the smart card’s pin number and can be saved here or entered manually during connection. Copy the string in the red box below. Then, register it on the server you want to connect to.
    Please refer to Public Key User Authentication. for public key registration.

     

  4. Save the session file and run it.

  5. Enter the PIN number for your smart card. If you saved the pin number in the corresponding session file of Xshell, this window will not appear.

     

  6. You can then confirm that you have successfully connected to the server through the PIV card and CAPI certificate.