Key Storage Provider

The Key Storage Provider (KSP) for Windows CNG works for general RSA2048, RSA3072, and RSA4096 keys, but has been tested to work well with ADCS as follows:

The following installs the KSP, the Connector Service, and uses it for ADCS with the default Authentication Key (1) and password (password).

During the Install-AdcsCertificationAuthority command, you should see the YubiHSM 2 light flash rapidly as ADCS uses the KSP to generate an RSA 2048 bit key in hardware. Restart-Computer may be needed for ADCS to work properly.

PS1> msiexec /i "yubihsm-connector-windows-amd64.msi" /passive ACCEPT=yes
PS1> msiexec /i "yubihsm-cngprovider-windows-amd64.msi" /passive  ACCEPT=yes
PS1> Install-WindowsFeature AD-Certificate -Verbose
PS1> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa    \
    -CryptoProviderName "RSA#YubiHSM Key Storage Provider"          \
    -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years \
    -ValidityPeriodUnits 5
PS1> Install-AdcsOnlineResponder

If you are using a different Authentication Key, password, or Connector for the KSP, you can specify them as follows (defaults are shown):

PS1> Set-ItemProperty -path HKLM:\SOFTWARE\Yubico\YubiHSM \
    -name ConnectorURL -Type String -Value
PS1> Set-ItemProperty -path HKLM:\SOFTWARE\Yubico\YubiHSM \
    -name AuthKeysetPassword -Type String -Value password
PS1> Set-ItemProperty -path HKLM:\SOFTWARE\Yubico\YubiHSM \
    -name AuthKeysetID -Type DWord -Value 1
Due to design considerations for Key Storage Providers in Windows, the direct USB functionality of libyubihsm (Connector URL yhusb://) is not supported in this version of the YubiHSM KSP.

The default configuration for the connector is: ProgramData\YubiHSM\yubihsm-connector.yaml - Administrator rights are required to access the file.

Additional Documentation for YubiHSM Key Storage Provider