This guide is intended to help systems administrators successfully deploy YubiHSM 2 with the YubiHSM Key Storage Provider. The expected outcome is that the Active Directory Certificate Services Certificate Authority (ADCS CA) root key is created securely on the device and that a hardware-based backup copy of the key material has been produced.
This is a deployment guideline and as such it covers only basic topics; adapt the instructions as required for your specific environment. It is assumed that installation is performed on a single server destined to become a production or lab Certificate Authority root, and that you are familiar with the concepts and processes of working with Microsoft ADCS.
Plan a public key infrastructure (PKI) that is appropriate for your organization. For guidance on setting up a PKI, see Microsoft’s TechNet article on Public Key Infrastructure Design Guidance.
We recommend that you install and test the installation and setup of the YubiHSM 2 in a test or lab environment before deploying to production.
Scenario: In a Windows PKI environment, protect the CA root key in hardware.
Benefits: YubiHSM 2 guards the CA root key and protects all signing and verification services using the root key.
Note: Although the screenshots in this guide are specific to Windows Server 2016, Server 2019 is also supported.