Key Storage Provider Reference
The Key Storage Provider (KSP) for Windows Cryptography API: Next Generation (CNG) has been thoroughly tested with Active Directory Certificate Services (AD CS) plus 2048-bit, 3072-bit, and 4096-bit keys. It also works with other types of keys, but those have not been tested to the same extent.
The following installs the KSP and the Connector Service, using them for ADCS with the default Authentication Key (1) and password (password). When you run the Install-AdcsCertificationAuthority command, you should see the YubiHSM 2 light flash rapidly, because AD CS uses the KSP to generate a 2048-bit key in hardware. For AD CS to work properly, Restart-Computer may be needed.
PS1> msiexec /i "yubihsm-connector-windows-amd64.msi" /passive ACCEPT=yes
PS1> msiexec /i "yubihsm-cngprovider-windows-amd64.msi" /passive ACCEPT=yes
PS1> Install-WindowsFeature AD-Certificate -Verbose
PS1> Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
         -CryptoProviderName "RSA#YubiHSM Key Storage Provider" `
         -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years `
         -ValidityPeriodUnits 5
PS1> Install-AdcsOnlineResponder
If you are using a different Authentication Key, password, or Connector for the KSP, you can specify them as follows (defaults are shown):
PS1> Set-ItemProperty -Path HKLM:\SOFTWARE\Yubico\YubiHSM `
         -Name ConnectorURL -Type String -Value http://127.0.0.1:12345
PS1> Set-ItemProperty -Path HKLM:\SOFTWARE\Yubico\YubiHSM `
         -Name AuthKeysetPassword -Type String -Value password
PS1> Set-ItemProperty -Path HKLM:\SOFTWARE\Yubico\YubiHSM `
         -Name AuthKeysetID -Type DWord -Value 1
Design considerations for Key Storage Providers in Windows prevent the direct USB functionality of libyubihsm (Connector URL yhusb://), therefore it is not supported in this version of the YubiHSM KSP.
The default configuration for the connector is:
ProgramData\YubiHSM\yubihsm-connector.yaml - Administrator rights are required to access the file.
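As an added post-installation check (example script, not from the Yubico page or the KSP's own tooling), the following PowerShell reads the three registry values above, falls back to the documented defaults when a value is absent, rejects a yhusb:// URL, confirms the connector answers on its /connector/status endpoint (assumed here), verifies the KSP is registered with certutil, and reports which CNG provider holds a given certificate's private key. The function names and the $Thumbprint parameter are hypothetical.

```powershell
# Added example: verify the YubiHSM KSP configuration on a CA host.
$RegPath  = 'HKLM:\SOFTWARE\Yubico\YubiHSM'
$Defaults = @{ ConnectorURL = 'http://127.0.0.1:12345'; AuthKeysetID = 1; AuthKeysetPassword = 'password' }

function Get-YubiHsmKspConfig {
    # Missing registry values mean the KSP uses its built-in defaults.
    $cfg = @{}
    foreach ($name in $Defaults.Keys) {
        $val = (Get-ItemProperty -Path $RegPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $val) { $val = $Defaults[$name] }
        $cfg[$name] = $val
    }
    return $cfg
}

function Test-YubiHsmConnector([string]$Url) {
    # Direct USB (yhusb://) is not supported by the KSP, so treat it as misconfigured.
    if ($Url -like 'yhusb://*') { return $false }
    try {
        $resp = Invoke-WebRequest -Uri "$Url/connector/status" -UseBasicParsing -TimeoutSec 5
        return [bool]($resp.Content -match 'status=OK')
    } catch { return $false }
}

function Test-KspRegistered {
    # certutil -csplist enumerates every CSP/KSP known to the machine.
    return [bool]((certutil -csplist 2>$null) -match 'YubiHSM Key Storage Provider')
}

function Get-KeyProviderName([string]$Thumbprint) {
    # Returns the CNG provider that holds the certificate's private key (hypothetical helper).
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
    return 'not a CNG key'
}

$cfg = Get-YubiHsmKspConfig
"ConnectorURL : $($cfg.ConnectorURL)"
"AuthKeysetID : $($cfg.AuthKeysetID)"
"Password set : $(if ($cfg.AuthKeysetPassword -eq 'password') { 'DEFAULT (change it)' } else { 'custom' })"
"Connector OK : $(Test-YubiHsmConnector $cfg.ConnectorURL)"
"KSP present  : $(Test-KspRegistered)"
```

Run Get-KeyProviderName with the CA certificate's thumbprint after Install-AdcsCertificationAuthority; a CA key generated in hardware reports "YubiHSM Key Storage Provider".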
Additional Documentation for YubiHSM Key Storage Provider
- For instructions on how to move a software-based key into the YubiHSM 2 for use with the KSP, see Move Software Keys to Key Storage Provider.
- For an example of how to create an HSM-backed code signing certificate for Windows through the KSP, see Creating a Code-Signing Certificate using the Key Storage Provider.
- For more information about status codes, see YubiHSM 2 status codes in Windows.
- For details on how to configure the 32-bit and 64-bit KSP DLLs, see YubiHSM 2 Windows Deployment Guide.