The Key Storage Provider (KSP) for Windows CNG works with general RSA2048, RSA3072, and RSA4096 keys, and has been tested to work well with ADCS as follows.

The following installs the KSP and the Connector Service, then uses them for ADCS with the default Authentication Key (ID 1) and password (password). During the Install-AdcsCertificationAuthority command, you should see the YubiHSM 2 light flash rapidly as ADCS uses the KSP to generate an RSA 2048-bit key in hardware. Restart-Computer may be needed afterwards for ADCS to work properly.
PS1> msiexec /i "yubihsm-connector-windows-amd64.msi" /passive ACCEPT=yes
PS1> msiexec /i "yubihsm-cngprovider-windows-amd64.msi" /passive ACCEPT=yes
PS1> Install-WindowsFeature AD-Certificate -Verbose
PS1> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
       -CryptoProviderName "RSA#YubiHSM Key Storage Provider" `
       -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years `
       -ValidityPeriodUnits 5
PS1> Install-AdcsOnlineResponder
If you are using a different Authentication Key, password, or Connector for the KSP, you can specify them in the registry as follows (defaults are shown):
PS1> Set-ItemProperty -path HKLM:\SOFTWARE\Yubico\YubiHSM `
       -name ConnectorURL -Type String -Value http://127.0.0.1:12345
PS1> Set-ItemProperty -path HKLM:\SOFTWARE\Yubico\YubiHSM `
       -name AuthKeysetPassword -Type String -Value password
PS1> Set-ItemProperty -path HKLM:\SOFTWARE\Yubico\YubiHSM `
       -name AuthKeysetID -Type DWord -Value 1
Note that AuthKeysetPassword is stored in the registry as a plain string: restrict access to the HKLM:\SOFTWARE\Yubico\YubiHSM key to administrators, and do not leave the factory default password in place on a production CA.
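The following script wraps the procedure above (install, registry configuration, CA creation) in pre-flight and post-install checks. It is an added example written for this page, not Yubico's code. It assumes the Connector Service listens on the default URL and answers GET /connector/status with key=value lines, that the KSP reads the three registry values documented above, and that the CA common name and the function names are invented for the example; run it from an elevated PowerShell session.

```powershell
# Added example (not Yubico's code): pre-flight and post-install checks around the ADCS
# installation described on this page. Assumptions: the connector listens on the default
# URL, its GET /connector/status endpoint returns "key=value" lines, the KSP reads the three
# registry values documented above, and $CaCommonName and the function names are hypothetical.
# Run from an elevated PowerShell session.

$ConnectorUrl = 'http://127.0.0.1:12345'
$KspName      = 'YubiHSM Key Storage Provider'
$RegPath      = 'HKLM:\SOFTWARE\Yubico\YubiHSM'
$CaCommonName = 'Example-YubiHSM-Root-CA'   # hypothetical CA name for this example

function Test-YubiHsmConnector {
    # Fail early if the Connector Service is down or cannot reach the device; otherwise the
    # KSP fails inside Install-AdcsCertificationAuthority with a far less helpful error.
    $body = (Invoke-WebRequest -Uri "$ConnectorUrl/connector/status" -UseBasicParsing).Content
    $status = @{}
    foreach ($line in ($body -split "`n")) {
        if ($line -match '^(\w+)=(.*)$') { $status[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($status['status'] -ne 'OK') { throw "yubihsm-connector reports: $body" }
    return $status
}

function Set-YubiHsmKspConfig {
    # The same three values the page sets with Set-ItemProperty. AuthKeysetPassword is a
    # plain REG_SZ, so this is where a production CA replaces the factory default.
    param([string]$Url = $ConnectorUrl, [string]$Password = 'password', [int]$AuthKeyId = 1)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name ConnectorURL       -Type String -Value $Url
    Set-ItemProperty -Path $RegPath -Name AuthKeysetPassword -Type String -Value $Password
    Set-ItemProperty -Path $RegPath -Name AuthKeysetID       -Type DWord  -Value $AuthKeyId
}

function Install-HsmBackedRootCa {
    # The page's Install-AdcsCertificationAuthority call, plus -CACommonName so the check
    # below can find the certificate and -Force to suppress the confirmation prompt.
    Install-WindowsFeature AD-Certificate -Verbose
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
        -CACommonName $CaCommonName `
        -CryptoProviderName "RSA#$KspName" `
        -KeyLength 2048 -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
}

function Test-CaKeyInHsm {
    # Prove the CA private key is held by the YubiHSM KSP, not by a software provider.
    $ca = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$CaCommonName*" } |
          Select-Object -First 1
    if (-not $ca) { throw "no certificate for CN=$CaCommonName in LocalMachine\My" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($ca)
    # A CNG-backed key comes back as RSACng; its CngKey.Provider names the KSP holding it.
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.Provider.Provider
    } else { 'non-CNG provider' }
    if ($provider -ne $KspName) { throw "CA key is held by '$provider', not by $KspName" }
    return $ca.Thumbprint
}

Test-YubiHsmConnector | Out-Null
Set-YubiHsmKspConfig            # defaults: Authentication Key 1, 'password', local connector
Install-HsmBackedRootCa
$thumb = Test-CaKeyInHsm
"CA $thumb is backed by $KspName"
certutil -csp $KspName -key     # second opinion: ask the KSP itself to list its key containers
```

If Test-CaKeyInHsm reports a different provider, the CA was created with a software key (for example because the registry values were wrong and ADCS fell back to its default provider); in that case remove the CA and reinstall rather than trying to migrate the key. As the page notes, a Restart-Computer may still be needed before ADCS operates normally.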
Warning: Due to design considerations for Key Storage Providers in Windows, the direct USB functionality of libyubihsm (Connector URL yhusb://) is not supported in this version of the YubiHSM KSP.
The default configuration file for the connector is ProgramData\YubiHSM\yubihsm-connector.yaml; administrator rights are required to access the file.
For instructions on how to move a software-based key into the YubiHSM 2 for use with the Key Storage Provider, please see Move Software Keys to Key Storage Provider.
For an example of how to create an HSM backed code signing certificate for Windows through the KSP, please see Creating a Code-Signing Certificate using the Key Storage Provider.
For more information, see YubiHSM 2 status codes in Windows.
For details on how to configure the 32-bit and 64-bit KSP DLLs, please see the YubiHSM 2 Windows Deployment Guide.