YubiHSM 2
The YubiHSM 2 is a small Hardware Security Module (HSM) that fits into a USB port.
YubiHSM 2 preparation
1) Prepare a YubiHSM 2 configuration file
The configuration file yubihsm2_pkcs11.conf must be located in the working directory of the TeskaLabs SeaCat PKI microservice.
.../yubihsm2_pkcs11.conf:
connector = http://yubihsm:12345
yubihsm is the host that runs the YubiHSM 2 software.
YubiHSM 2 works in such a way that the host with the USB device runs the YubiHSM 2 server, which provides an HTTPS API on port 12345.
2) Configure SeaCat PKI to use the YubiHSM 2 token
seacatpki.conf:
[seacatpki:pkcs11:yubihsm2]
path=.../yubihsm_pkcs11.dylib
tokens=YubiHSM,0001password,mytenant
path is the location of the YubiHSM 2 PKCS#11 library (yubihsm_pkcs11.dylib or yubihsm_pkcs11.so).
tokens is the configuration of the YubiHSM 2 instance, given as three comma-separated values:
- YubiHSM is the token name
- 0001password is the PIN (change it to your own)
- mytenant is the tenant that has access to the YubiHSM 2 token
Warning: YubiHSM 2 offers a single token named "YubiHSM".
3) Restart the SeaCat PKI microservice
Random Number Generator
YubiHSM 2 can be used as the random number generator (RNG) in TeskaLabs SeaCat PKI.
seacatpki.conf:
[seacatpki:random]
provider=pkcs11:yubihsm2
token_label=YubiHSM
YubiKey
A YubiKey token can also be used as a "poor man's" hardware security module (HSM) in TeskaLabs SeaCat PKI.
seacatpki.conf:
[seacatpki:pkcs11:yubikey]
path=/usr/local/lib/libykcs11.dylib
tokens=YubiKey PIV #xxxxxx,<PIN>,mytenant
session_persistence=false
Danger: session_persistence must be set to false for the YubiKey token.
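As an added example (not code from the SeaCat PKI project or from this page), the following Python script lints the configuration fragments shown in the YubiHSM 2, Random Number Generator and YubiKey sections above: it checks that every [seacatpki:pkcs11:*] tokens value has the label,PIN,tenant shape, that a YubiHSM 2 section names the single token "YubiHSM" and does not keep the factory-default PIN, that a YubiKey (ykcs11) section sets session_persistence=false, and that the [seacatpki:random] provider refers to a configured PKCS#11 section. The sample configuration, library paths and PINs inside it are constructed for the example.

```python
import configparser

# Constructed sample seacatpki.conf (not a real deployment file). It contains
# the mistakes this page warns about: the factory-default YubiHSM 2 PIN and a
# YubiKey section that does not set session_persistence=false.
SAMPLE_CONF = """
[seacatpki:pkcs11:yubihsm2]
path=/usr/local/lib/yubihsm_pkcs11.so
tokens=YubiHSM,0001password,mytenant

[seacatpki:pkcs11:yubikey]
path=/usr/local/lib/libykcs11.so
tokens=YubiKey PIV #123456,123456,mytenant

[seacatpki:random]
provider=pkcs11:yubihsm2
token_label=YubiHSM
"""

# YubiHSM 2 factory default: authentication key 0001 plus password "password",
# concatenated the way yubihsm_pkcs11 expects its PIN.
DEFAULT_YUBIHSM_PIN = "0001password"


def lint_pkcs11_config(text):
    """Return a list of findings for the PKCS#11 and RNG sections of seacatpki.conf."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("seacatpki:pkcs11:"):
            continue
        path = cfg[section].get("path", "")
        parts = [p.strip() for p in cfg[section].get("tokens", "").split(",")]
        if len(parts) != 3 or not all(parts):
            findings.append(f"{section}: 'tokens' must be <label>,<PIN>,<tenant>")
            continue
        label, pin, _tenant = parts
        if "yubihsm_pkcs11" in path and label != "YubiHSM":
            findings.append(f"{section}: YubiHSM 2 exposes a single token named 'YubiHSM'")
        if pin == DEFAULT_YUBIHSM_PIN:
            findings.append(f"{section}: token {label!r} still uses the factory-default PIN")
        # A YubiKey (ykcs11) token must not keep a persistent session open.
        persist = cfg[section].get("session_persistence", "true").strip().lower()
        if "ykcs11" in path and persist != "false":
            findings.append(f"{section}: session_persistence must be false for a YubiKey token")
    # The RNG provider must point at a PKCS#11 section that actually exists.
    if cfg.has_section("seacatpki:random"):
        provider = cfg["seacatpki:random"].get("provider", "")
        ref = "seacatpki:pkcs11:" + provider.partition(":")[2]
        if not (provider.startswith("pkcs11:") and cfg.has_section(ref)):
            findings.append(f"seacatpki:random: provider {provider!r} has no matching PKCS#11 section")
    return findings
```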