Before using the YubiHSM 2 on Windows, there are two YubiHSM 2 software components to be configured:
The YubiHSM 2 KSP.
The YubiHSM 2 Connector service.
The configuration steps are described in the sections below.
Make a backup of your Windows Registry before you make any changes.
To enable Microsoft Cryptographic API Next Generation (CNG) to access the YubiHSM 2 KSP, the following registry entries must be changed from their default values. The YubiHSM 64-bit KSP subkey and the YubiHSM 32-bit KSP subkey were created during the YubiHSM SDK installation:
The edits to be made produce a result like the one illustrated below:
Figure 3 – Registry settings for the YubiHSM 2 KSP
Step 1: Click Start > Run, type
regedit in the Run dialog box, and click OK.
Step 2: Select the registry subkey for the YubiHSM 64-bit KSP,
Step3: Change the URI to the IP address and port on which the YubiHSM 2 Connector is listening by editing the following registry entry appropriately, for example:
If the Connector is listening on IP address and port 192.168.100.252:12345, for example, the
ConnectorURL value should be changed to ``“ConnectorURL”=http://192.168.100.252:12345`.
Step 4: Enter the ID of the application authentication key (object ID
3 was used as an example in this guide; if you used another object ID be sure to enter that). For our example, because the hexadecimal value of 0x00000003 resolves to “3” in the Windows Registry, change the entry to:
Step 5: The application authentication key password is stored in the registry for the KSP to use when authenticating to the device. Enter the new password that you created:
Step 6: Select the registry subkey for the YubiHSM 32-bit KSP,
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Yubico\YubiHSM. Then repeat steps 3-5 above.
Step 7: To save your changes, exit the Windows Registry.
The YubiHSM Connector service reads the configuration file
yubihsm-connector-config.yaml. Depending on your local setup, for instance if you are running multiple instances of the software on the same host, you may need to edit this configuration file to ensure it is consistent with the Windows Registry, i.e., that the parameters and their values are the same in the configuration file and in the Windows Registry.
On Windows, the
yubihsmconnector.config.yaml file is located at
C:\programdata\yubiHSM\yubihsmconnector.yaml - you will need administrator rights to modify the file.