Installing the YubiHSM 2 Tools and Software

To complete the procedures in this guide, install the required YubiHSM 2 tools and software.

Tip

A generic prompt, $, is used in command line examples in this document. Depending on your command line application, your prompt may be different.

About the YubiHSM Software

The following YubiHSM items of software are used in this guide. They are included as part of the archive file you downloaded.

Installation

  1. Unzip the downloaded archives of the SDK containing the YubiHSM libraries and tools and move the contents to an appropriate location.

  2. Complete the step for your operating system.

    • On your Windows system, run both installers:

      • yubihsm-cngprovider-windows-amd64.msi (YubiHSM Key Storage Provider)
      • yubihsm-connector-windows-amd64.msi (YubiHSM Connector for Windows)
    • On a Debian-based system, run the following command:

      $ dpkg -i ./libykhsmauth1_*.deb ./libyubihsm-usb1_*.deb ./libyubihsm-http1_*.deb ./libyubihsm1_*.deb  ./yubihsm-shell_*.deb

    • On a Red Hat-based system, run the following command:

      $ yum install ./yubihsm-shell-*.rpm

  3. (Windows system) Make the ADCS service depend on the YubiHSM Connector service, using an elevated (administrator) Windows Command Prompt. This prevents an error that occurs if the ADCS service starts before the YubiHSM Connector is running.

    1. List the current dependencies with sc qc "certsvc"

    > sc qc "certsvc"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: certsvc
    TYPE               : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE         : 2   AUTO_START
    ERROR_CONTROL      : 1   NORMAL
    BINARY_PATH_NAME   : C:\Windows\system32\certsrv.exe
    LOAD_ORDER_GROUP   :
    TAG                : 0
    DISPLAY_NAME       : Active Directory Certificate Services
    DEPENDENCIES       :
    SERVICE_START_NAME : localSystem
    
    2. Add the YubiHSM Connector dependency to ADCS with the command: sc config "certsvc" depend="yhconsrv"

      > sc config "certsvc" depend="yhconsrv"
      [SC] ChangeServiceConfig SUCCESS
      

      After the command is entered, the dependency can be verified with sc qc "certsvc"

      [SC] QueryServiceConfig SUCCESS
      
      SERVICE_NAME: certsvc
      TYPE               : 110  WIN32_OWN_PROCESS (interactive)
      START_TYPE         : 2   AUTO_START
      ERROR_CONTROL      : 1   NORMAL
      BINARY_PATH_NAME   : C:\Windows\system32\certsrv.exe
      LOAD_ORDER_GROUP   :
      TAG                : 0
      DISPLAY_NAME       : Active Directory Certificate Services
      DEPENDENCIES       : yhconsrv
      SERVICE_START_NAME : localSystem
      

      To remove dependencies for ADCS, use the same command with a blank depend field: sc config "certsvc" depend=""
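
The dependency step above as an idempotent PowerShell script. This is an added example, not part of the original guide. Because sc config depend= replaces the whole dependency list rather than appending to it, the script carries over any existing entries before adding yhconsrv. It assumes an elevated PowerShell session on the ADCS host and that certsvc has only service dependencies (no load-order groups), as in the sc qc output shown above.

```powershell
# Added example: make certsvc depend on the YubiHSM Connector without
# dropping any dependencies that are already configured.
$ErrorActionPreference = 'Stop'

$Target    = 'certsvc'    # ADCS service name, as shown in the guide
$Connector = 'yhconsrv'   # YubiHSM Connector service name, as shown in the guide

# Returns the names of the services that $Name currently depends on.
# Assumption: service dependencies only, no load-order groups.
function Get-DependencyNames([string]$Name) {
    @((Get-Service -Name $Name).ServicesDependedOn |
        ForEach-Object { $_.ServiceName })
}

# Fail early if the connector MSI has not been installed yet.
Get-Service -Name $Connector | Out-Null

$current = Get-DependencyNames $Target

if ($current -contains $Connector) {
    Write-Output "$Target already depends on $Connector; nothing to change."
}
else {
    # "depend=" overwrites the list, so pass existing entries plus the new one.
    # Multiple dependencies are separated by "/".
    $merged = @($current) + $Connector

    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias
    # for Set-Content, not the service control tool.
    & sc.exe config $Target depend= ($merged -join '/')
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE"
    }
}

# Verify the result, equivalent to checking DEPENDENCIES in sc qc output.
$after = Get-DependencyNames $Target
if ($after -notcontains $Connector) {
    throw "$Target does not list $Connector as a dependency after the change."
}
Write-Output "DEPENDENCIES: $($after -join ', ')"
```

Running the script a second time makes no change and only prints the current dependency list.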