
YubiHSM 2

The YubiHSM 2 is a small Hardware Security Module (HSM) that fits into a USB port.

YubiHSM 2 preparation

1) Prepare a YubiHSM2 configuration file

The configuration file yubihsm2_pkcs11.conf must be located in the working directory of the TeskaLabs SeaCat PKI microservice.

.../yubihsm2_pkcs11.conf:

connector = http://yubihsm:12345

yubihsm is the host that runs the YubiHSM2 software. YubiHSM 2 works in a way that the host with the device in its USB port runs the YubiHSM2 server (the connector), which provides an HTTPS API on port 12345.

2) Configure SeaCat PKI to use YubiHSM 2 token

seacatpki.conf:

[seacatpki:pkcs11:yubihsm2]
path=.../yubihsm_pkcs11.dylib
tokens=YubiHSM,0001password,mytenant
  • path is the location of the YubiHSM2 PKCS11 library (yubihsm_pkcs11.dylib or yubihsm_pkcs11.so).
  • tokens is the configuration of the YubiHSM2 instance:
    • YubiHSM is the token name
    • 0001password is the PIN (change it to your own)
    • mytenant is the tenant that has access to the YubiHSM 2 token

Warning

YubiHSM2 offers a single token named "YubiHSM".

3) Restart SeaCat PKI microservice

Random Number Generator

YubiHSM 2 can be used as a random number generator (RNG) in TeskaLabs SeaCat PKI.

seacatpki.conf:

[seacatpki:random]
provider=pkcs11:yubihsm2
token_label=YubiHSM

YubiKey

A YubiKey token can also be used as a "poor man's" hardware security module (HSM) in TeskaLabs SeaCat PKI.

seacatpki.conf:

[seacatpki:pkcs11:yubikey]
path=/usr/local/lib/libykcs11.dylib
tokens=
    YubiKey PIV #xxxxxx,<PIN>,mytenant
session_persistence=false

Danger

session_persistence must be set to false for YubiKey token.
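The three seacatpki.conf fragments above (the YubiHSM 2 token section, the RNG section and the YubiKey section) share one `label,pin,tenant` token format and a handful of constraints stated on this page: a YubiHSM 2 exposes exactly one token named "YubiHSM", the example PIN must be replaced, session_persistence must be false for a YubiKey, and the RNG section must point at a configured provider and token label. The following is an added example, not code from SeaCat PKI, of a small pre-start check that parses such a file with Python's configparser and reports violations of those rules. The sample configuration embedded in it is constructed for the example (the library paths and the YubiKey serial are placeholders); findings deliberately never echo the PIN value.

```python
import configparser

# Constructed sample: the sections from this page, with placeholder paths.
# The yubihsm2 PIN is still the documentation example and should be flagged.
SAMPLE_CONF = """\
[seacatpki:pkcs11:yubihsm2]
path=/usr/local/lib/yubihsm_pkcs11.so
tokens=YubiHSM,0001password,mytenant

[seacatpki:random]
provider=pkcs11:yubihsm2
token_label=YubiHSM

[seacatpki:pkcs11:yubikey]
path=/usr/local/lib/libykcs11.so
tokens=
    YubiKey PIV #000000,123456,mytenant
session_persistence=false
"""

# PIN values that appear verbatim in the documentation and must not reach production.
DOC_EXAMPLE_PINS = {"0001password", "<PIN>"}


def parse_tokens(raw):
    """Split a `tokens=` value into (label, pin, tenant) triples, one per non-empty line.

    Labels such as 'YubiKey PIV #000000' contain spaces and '#', so the split is on
    commas only; configparser has already handled the indented continuation lines.
    """
    specs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"token spec must be 'label,pin,tenant': {line!r}")
        specs.append(tuple(parts))
    return specs


def check_config(text):
    """Return a list of human-readable findings for the PKCS#11 and RNG sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    labels = {}  # provider name -> list of configured token labels

    for section in cp.sections():
        if not section.startswith("seacatpki:pkcs11:"):
            continue
        provider = section.split(":", 2)[2]
        tokens = parse_tokens(cp.get(section, "tokens", fallback=""))
        if not tokens:
            findings.append(f"{section}: no tokens configured")
        labels[provider] = [label for label, _pin, _tenant in tokens]

        for label, pin, tenant in tokens:
            # The page states that a YubiHSM 2 offers a single token named "YubiHSM".
            if provider == "yubihsm2" and label != "YubiHSM":
                findings.append(
                    f"{section}: YubiHSM 2 exposes a single token named 'YubiHSM', got {label!r}"
                )
            # Never print the PIN itself; only say that it is a placeholder.
            if not pin or pin in DOC_EXAMPLE_PINS:
                findings.append(f"{section}: PIN for {label!r} is a documentation placeholder")
            if not tenant:
                findings.append(f"{section}: token {label!r} has no tenant")

        # session_persistence must be explicitly false for a YubiKey.
        if provider == "yubikey":
            persist = cp.get(section, "session_persistence", fallback="").strip().lower()
            if persist != "false":
                findings.append(f"{section}: session_persistence must be false for YubiKey tokens")

    # The RNG section must reference a configured provider and one of its token labels.
    if cp.has_section("seacatpki:random"):
        prov = cp.get("seacatpki:random", "provider", fallback="")
        wanted = cp.get("seacatpki:random", "token_label", fallback="")
        name = prov.partition("pkcs11:")[2]
        if name not in labels:
            findings.append(
                f"seacatpki:random: provider {prov!r} has no matching [seacatpki:pkcs11:{name}] section"
            )
        elif wanted not in labels[name]:
            findings.append(
                f"seacatpki:random: token_label {wanted!r} is not configured in [seacatpki:pkcs11:{name}]"
            )
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF):
        print(finding)
```

Run it against the real seacatpki.conf (for example by replacing SAMPLE_CONF with the file's contents) before restarting the microservice; an empty result means the sections are consistent with the rules on this page, which does not replace testing that the PKCS11 library path and the connector host are actually reachable.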