Installing the YubiHSM 2 Tools and Software

To complete the procedures in this guide, install the YubiHSM 2 tools and software that will be needed for this.

Tip

A generic prompt, $, is used in command line examples in this document. Depending on your command line application, your prompt may be different.

About the YubiHSM Software

The following YubiHSM items of software are used in this guide. They are included as part of the archive file you downloaded.

Installation

Step 1:

Unzip the downloaded archives of the SDK containing the YubiHSM libraries and tools and move the contents to an appropriate location.

Step 2:
  • On your Windows system, run both installers:

    • yubihsm-cngprovider-windows-amd64.msi (YubiHSM Key Storage Provider)
    • yubihsm-connector-windows-amd64.msi (YubiHSM Connector for Windows)
  • On a Debian-based system, run the following command:

    $ dpkg -i ./libykhsmauth1_*.deb ./libyubihsm-usb1_*.deb ./libyubihsm-http1_*.deb ./libyubihsm1_*.deb  ./yubihsm-shell_*.deb

  • On a Redhat-based system, run the following command:

    $ yum install ./yubihsm-shell-*.rpm

Step 3:

(Windows system) Set the ADCS service dependency for the YubiHSM Connector service via an elevated/admin Windows Command Prompt. This prevents an error which occurs if the ADCS services start before the YubiHSM onnector is running.

  1. List the current dependencies with sc qc “certsvc”
> sc qc “certsvc”
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: certsvc
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Windows\system32\certsrv.exe
LOAD_ORDER_GROUP   :
TAG                : 0
DISPLAY_NAME       : Active Directory Certificate Services
DEPENDENCIES       :
SERVICE_START_NAME : localSystem
  1. Add the YubiHSM Connector dependency to ADCS with the command: sc config "certsvc" depend="yhconsrv"

    > sc config "certsvc" depend="yhconsrv"
    [SC] ChangeServiceConfig SUCCESS
    

    After the command is entered, the dependency can be verified with sc qc “certsvc”

    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: certsvc
    TYPE               : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE         : 2   AUTO_START
    ERROR_CONTROL      : 1   NORMAL
    BINARY_PATH_NAME   : C:\Windows\system32\certsrv.exe
    LOAD_ORDER_GROUP   :
    TAG                : 0
    DISPLAY_NAME       : Active Directory Certificate Services
    DEPENDENCIES       : yhconsrv
    SERVICE_START_NAME : localSystem
    

To remove dependencies for ACDS, use the same command for adding dependencies with a blank depend field: sc config "certsvc" depend=""