Installing the YubiHSM 2 Tools and Software

To complete the procedures in this guide, first install the required YubiHSM 2 tools and software.

Tip

A generic prompt, $, is used in command line examples in this document. Depending on your command line application, your prompt may be different.

About the YubiHSM Software

The following YubiHSM pieces of software are used in this guide. They are included as part of the archive file you downloaded.

Installation

Step 1:

Unzip the downloaded archives of the SDK containing the YubiHSM libraries and tools and move the contents to an appropriate location.

Step 2:

On your Windows system, run both installers:

  • yubihsm-cngprovider-windows-amd64.msi (YubiHSM Key Storage Provider)
  • yubihsm-connector-windows-amd64.msi (YubiHSM Connector for Windows)

Step 3:

Make the ADCS service depend on the YubiHSM Connector service, using an elevated (administrator) Windows Command Prompt. This prevents an error that occurs if the ADCS service starts before the YubiHSM Connector is running.

  1. List the current dependencies with sc qc "certsvc"

    > sc qc "certsvc"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: certsvc
    TYPE               : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE         : 2   AUTO_START
    ERROR_CONTROL      : 1   NORMAL
    BINARY_PATH_NAME   : C:\Windows\system32\certsrv.exe
    LOAD_ORDER_GROUP   :
    TAG                : 0
    DISPLAY_NAME       : Active Directory Certificate Services
    DEPENDENCIES       :
    SERVICE_START_NAME : localSystem
    
  2. Add the YubiHSM connector dependency to ADCS with the command: sc config "certsvc" depend="yhconsrv"

    > sc config "certsvc" depend="yhconsrv"
    [SC] ChangeServiceConfig SUCCESS
    

    After the command is entered, verify the dependency with sc qc "certsvc"

    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: certsvc
    TYPE               : 110  WIN32_OWN_PROCESS (interactive)
    START_TYPE         : 2   AUTO_START
    ERROR_CONTROL      : 1   NORMAL
    BINARY_PATH_NAME   : C:\Windows\system32\certsrv.exe
    LOAD_ORDER_GROUP   :
    TAG                : 0
    DISPLAY_NAME       : Active Directory Certificate Services
    DEPENDENCIES       : yhconsrv
    SERVICE_START_NAME : localSystem
    

To remove dependencies for ADCS, use the same command with a blank depend field: sc config "certsvc" depend=""
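The dependency change from Step 3 can also be scripted. The following is an added example, not part of the original guide or Yubico's tooling. It is written for an elevated PowerShell session rather than Command Prompt, keeps any dependencies already configured on certsvc (sc config replaces the whole list), and assumes certsvc has no load-order group dependencies.

```powershell
#Requires -RunAsAdministrator
# Added example: make certsvc depend on the YubiHSM Connector service without
# discarding service dependencies that are already configured.
# Assumption: certsvc has no load-order group dependencies to preserve.

$caService = 'certsvc'    # ADCS service name, as shown in the sc qc output
$connector = 'yhconsrv'   # YubiHSM Connector service name, as used in Step 3

# Fail early if the YubiHSM Connector has not been installed yet.
if (-not (Get-Service -Name $connector -ErrorAction SilentlyContinue)) {
    throw "Service '$connector' not found; install the YubiHSM Connector first."
}

# ServicesDependedOn lists the services that certsvc currently requires.
$current = @((Get-Service -Name $caService).ServicesDependedOn |
    ForEach-Object { $_.Name })

if ($current -contains $connector) {
    Write-Output "$caService already depends on $connector; nothing to change."
} else {
    # sc config overwrites the dependency list, so pass the existing entries too.
    # Multiple dependencies are separated by a forward slash.
    $dependList = ($current + $connector) -join '/'

    # Call sc.exe explicitly: in Windows PowerShell, 'sc' is an alias for Set-Content.
    & sc.exe config $caService depend= $dependList
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE."
    }
}

# Verify: re-read the configuration and confirm the connector is listed.
$after = @((Get-Service -Name $caService).ServicesDependedOn |
    ForEach-Object { $_.Name })
if ($after -notcontains $connector) {
    throw "$connector is not listed as a dependency of $caService."
}
Write-Output "$caService dependencies: $($after -join ', ')"
```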