This guide covers only basic setup and use of the YubiHSM 2 with ADCS. Some alternative scenarios include migrating an existing CA root key to YubiHSM 2, or leveraging the YubiHSM 2 and YubiHSM Key Storage Provider in larger PKI installations using multiple hosts to serve the CA including Subordinate CAs. Since conditions can vary a great deal between organizations on these topics, the following contains some references that might be useful when deploying YubiHSM 2 under such circumstances.
Migrating an Existing CA Root Key to YubiHSM 2
One potential circumstance when deploying YubiHSM 2 to secure ADCS is the fact that a CA root key already exists, either in software or secured by hardware such as another Hardware Security Module. It is normally possible to migrate the CA root key over to the YubiHSM 2, however depending on the pre-existing setup, the steps to take may vary. For more information, see the information on the Yubico developers’ website at Move Software Keys to Key Storage Provider.
In order to improve security and scalability of your Certification Authority, consider installing the Root CA on a standalone (offline) server, and use a Subordinate CA for all certificate signing. For additional information about implementing advanced configurations, see the relevant Microsoft documentation on the subject (such as AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment).
Alternative Backup and Restore Procedures
In more advanced installations, such as when the YubiHSM Setup program was not used to set up YubiHSM 2 for ADCS, or when moving the YubiHSM 2 device containing the root CA key from one instance of ADCS to another, see the information on the Yubico developers’ website at Backup and Restore.