Configure the YubiHSM 2 Software on Windows
Before using the YubiHSM 2 on Windows, there are two YubiHSM 2 software components to be configured:
- The YubiHSM 2 KSP.
- The YubiHSM 2 Connector service.
The configuration steps are described in the sections below.
Make a backup of your Windows Registry before you make any changes.
Configure the KSP Settings in the Windows Registry
To enable Microsoft Cryptographic API Next Generation (CNG) to access the YubiHSM 2 KSP, the following registry entries must be changed from their default values. The YubiHSM 64-bit KSP subkey and the YubiHSM 32-bit KSP subkey were created during the YubiHSM SDK installation:
The edits to be made produce a result like the one illustrated below:
Figure - Registry settings for the YubiHSM 2 KSP
1. Click Start > Run, type
2. Select the registry subkey for the YubiHSM 64-bit KSP.
3. Change the URI to the IP address and port on which the YubiHSM 2 Connector is listening by editing the following registry entry appropriately, for example:
   If the Connector is listening on IP address and port
4. Enter the ID of the application authentication key (object ID
5. The application authentication key password is stored in the registry for the KSP to use when authenticating to the device. Enter the new password that you created:
6. Select the registry subkey for the
7. Repeat steps 3-5 above.
8. To save your changes, exit the Windows Registry.
Configure the YubiHSM 2 Connector Service
The YubiHSM Connector service reads the configuration file yubihsm-connector-config.yaml. Depending on your local setup, for instance if you are running multiple instances of the software on the same host, you may need to edit this configuration file to ensure it is consistent with the Windows Registry, i.e., that the parameters and their values are the same in the configuration file and in the Windows Registry.
On Windows, the yubihsmconnector.config.yaml file is located at C:\programdata\yubiHSM\yubihsmconnector.yaml. You will need administrator rights to modify the file.
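One way to check that the registry and the Connector configuration agree, as an added example that is not Yubico's own code: the function compares the URI stored for the KSP with the Connector's listening address and lists who can access the key that holds the password. The registry subkey path and URI entry name are not shown on this page, so they are required parameters with placeholder examples, and the YAML key name `listen` is an assumption.

```powershell
# Added example: compares the Connector URI stored for the KSP in the registry
# with the address the Connector is configured to listen on.
function Test-YubiHsmConnectorConsistency {
    param(
        # Placeholders: supply the KSP subkey path and URI entry name from your installation.
        [Parameter(Mandatory)] [string] $RegistryPath,   # e.g. 'HKLM:\SOFTWARE\<KSP-subkey>'
        [Parameter(Mandatory)] [string] $UriValueName,   # e.g. '<URI-entry-name>'
        [string] $ConfigPath = 'C:\programdata\yubiHSM\yubihsmconnector.yaml',
        [string] $ListenKey  = 'listen'                   # assumed YAML key name
    )

    # Registry side: the URI the KSP will connect to.
    $raw = Get-ItemPropertyValue -Path $RegistryPath -Name $UriValueName -ErrorAction Stop
    $uri = $null
    $ok  = [uri]::TryCreate([string]$raw, [System.UriKind]::Absolute, [ref]$uri)
    if (-not $ok -or -not $uri.Host) {
        throw "Registry value '$raw' is not an absolute URI with a host."
    }
    $kspEndpoint = '{0}:{1}' -f $uri.Host, $uri.Port

    # Connector side: first uncommented "<key>: host:port" line in the YAML file.
    $pattern = '^\s*' + [regex]::Escape($ListenKey) + '\s*:\s*["'']?([^"''#\s]+)'
    $hit = Select-String -Path $ConfigPath -Pattern $pattern | Select-Object -First 1
    if (-not $hit) { throw "No '$ListenKey' entry found in $ConfigPath." }
    $listen = $hit.Matches[0].Groups[1].Value

    # The authentication key password is stored under this key,
    # so report every identity that is allowed to access it.
    $access = (Get-Acl -Path $RegistryPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { '{0} ({1})' -f $_.IdentityReference, $_.RegistryRights }

    [pscustomobject]@{
        KspEndpoint       = $kspEndpoint
        ConnectorListen   = $listen
        Consistent        = ($kspEndpoint -eq $listen)
        RegistryKeyAccess = $access
    }
}
```

Run it once for the 64-bit KSP subkey and once for the 32-bit KSP subkey. The comparison is literal, so `localhost` and `127.0.0.1` are reported as different even though they may resolve to the same listener.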