This guide is intended to help guide systems administrators successfully deploy YubiHSM 2 with YubiHSM Key Storage Provider. The expected outcome is that the Active Directory Certificate Services Certificate Authority (ADCS CA) root key is created securely on the device and that a hardware-based backup copy of key materials has been produced.

This is a guideline for deployment and as such it covers basic topics. Instructions should be modified as required for your specific environment. It is assumed that installation is performed on a single server destined to become a production or lab Certificate Authority root. It is also assumed that you are familiar with the concepts and processes of working with Microsoft ADCS.

Plan a public key infrastructure (PKI) that is appropriate for your organization. For guidance on setting up a PKI, see Microsoft’s TechNet article on Public Key Infrastructure Design Guidance.

We recommend that you install and test the installation and setup of the YubiHSM 2 in a test or lab environment before deploying to production.

Scenario: In a Windows PKI environment, protect the CA root key in hardware.

Benefits: YubiHSM 2 guards the CA root key and protects all signing and verification services using the root key.


Although the screenshots in this guide are specific to Windows Server 2016, Server 2019 is also supported.