YubiHSM - dogtagpki/pki GitHub Wiki

Installing YubiHSM Tools

To install YubiHSM tools and library:

$ dnf install yubihsm-connector yubihsm-shell

Configuring YubiHSM Connector

The configuration is located at /etc/yubihsm-connector.yaml:

# Certificate (X.509)
#cert: ""
#
# Certificate key
#key: ""
#
# Listening address. Defaults to "127.0.0.1:12345".
#listen: "127.0.0.1:12345"
#
# Device serial in case of multiple devices
#serial: ""
#
# Log to syslog/eventlog. Defaults to "false".
#syslog: "false"

Starting YubiHSM Connector Service

To start the connector:

$ systemctl start yubihsm-connector

To verify (the status page is plain key=value text and should report status=OK; curl works equally well):

$ elinks -dump http://127.0.0.1:12345/connector/status

Connecting with YubiHSM Shell

$ yubihsm-shell
yubihsm>

Connecting with OpenSC

To display general token information (the PKCS#11 PIN is the authentication key ID as four hex digits followed by its password; 0001password is the factory-default authentication key 1 with password "password" and must be replaced before real use):

$ pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password --show-info
Cryptoki version 2.40
Manufacturer     Yubico (www.yubico.com)
Library          YubiHSM PKCS#11 Library (ver 2.40)
Using slot 0 with a present token (0x0)

To list slots with tokens:

$ pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password --list-token-slots
Available slots:
Slot 0 (0x0): YubiHSM Connector localhost
  token label        : YubiHSM
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiHSM
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 2.20
  firmware version   : 2.20
  serial num         : XXXXXXXX
  pin min/max        : 12/68

Creating NSS Database with YubiHSM

Create an NSS database. For example, the following command will create an NSS database without a password in $HOME/.dogtag/nssdb:

$ pki nss-create --force

Prepare a password file (e.g. password.conf). The key is hardware- followed by the token label shown by pkcs11-tool above, and the value is the PKCS#11 PIN; the file holds an HSM credential, so keep it mode 0600:

hardware-YubiHSM=0001password

To install the YubiHSM PKCS#11 module into the NSS database (YUBIHSM_PKCS11_CONF must be set in the environment of every process that loads the module, including the pki commands below):

$ export YUBIHSM_PKCS11_CONF=$HOME/.dogtag/nssdb/yubihsm_pkcs11.conf
$ echo "connector = http://127.0.0.1:12345" > $YUBIHSM_PKCS11_CONF
$ modutil -dbdir $HOME/.dogtag/nssdb -nocertdb -add yubihsm2 -libfile /usr/lib64/pkcs11/yubihsm_pkcs11.so -force

To verify the module:

$ modutil -dbdir $HOME/.dogtag/nssdb -list
...
  2. yubihsm2
	library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
	   uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.40
	 slots: 1 slot attached
	status: loaded

	 slot: YubiHSM Connector localhost
	token: YubiHSM
	  uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=XXXXXXXX;model=YubiHSM
...

Generating Key in YubiHSM

To generate a key pair in the YubiHSM (the private key is created on the device and never leaves it; NSS refers to it by the Key ID shown below):

$ pki --token YubiHSM -f password.conf nss-key-create

To verify:

$ pki --token YubiHSM -f password.conf nss-key-find
  Key ID: 0xc12dff6adeaf89e62e6d1cbb45d3af0d406a7fd1
  Type: RSA
  Algorithm: RSA

Creating Certificate Request with Key in YubiHSM

To create a certificate request:

$ pki --token YubiHSM -f password.conf nss-cert-request \
    --key-id 0xc12dff6adeaf89e62e6d1cbb45d3af0d406a7fd1 \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

To verify:

$ openssl req -text -noout -in ca_signing.csr

Issuing Certificate with Key in YubiHSM

To issue the certificate (self-signed here, since no issuer is given; the signature is computed inside the YubiHSM):

$ pki --token YubiHSM -f password.conf nss-cert-issue \
    --csr ca_signing.csr \
    --cert ca_signing.crt

To verify:

$ openssl x509 -text -noout -in ca_signing.crt
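The steps above, from checking the connector through issuing the self-signed CA certificate, as one checked shell script. This is an added example, not code from the dogtagpki/pki project or this wiki page. It assumes the paths and default auth key (ID 1, password "password") used on this page, that the connector status body is key=value text with a status=OK line, and that curl, pki, modutil and openssl are installed; the helper functions (PIN construction, status check, password file) run offline, while the provisioning step only runs when the script is invoked with the argument provision.

```shell
#!/bin/sh
# Added example (not from the dogtagpki wiki): wraps the YubiHSM + NSS
# procedure in checked shell functions. The auth key (ID 1, "password")
# and paths are the page's factory-default assumptions; change them.
set -eu

CONNECTOR_URL="${CONNECTOR_URL:-http://127.0.0.1:12345}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/pkcs11/yubihsm_pkcs11.so}"
NSSDB="$HOME/.dogtag/nssdb"
TOKEN="YubiHSM"   # must equal the "token label" from pkcs11-tool --list-token-slots

# Build the PIN the YubiHSM PKCS#11 module expects: the authentication
# key ID (decimal argument) as exactly four lower-case hex digits,
# followed by that key's password.  yubihsm_pin 1 password -> 0001password
yubihsm_pin() {
    pin_id=$1
    pin_password=$2
    case "$pin_id" in
        ''|*[!0-9]*) echo "auth key ID must be a decimal number" >&2; return 1 ;;
    esac
    if [ "$pin_id" -lt 1 ] || [ "$pin_id" -gt 65535 ]; then
        echo "auth key ID $pin_id out of range 1..65535" >&2
        return 1
    fi
    printf '%04x%s' "$pin_id" "$pin_password"
}

# Read the /connector/status body on stdin (assumed key=value lines, as
# in the constructed sample used in the test) and succeed only on status=OK.
connector_ok() {
    grep -q '^status=OK$'
}

# Write the file pki reads with -f: "hardware-<token label>=<PIN>".
# Created with umask 077 in a subshell so the credential is mode 0600.
write_password_conf() {
    (
        umask 077
        printf 'hardware-%s=%s\n' "$TOKEN" "$2" > "$1"
    )
}

# End-to-end run of the page's procedure; needs a live connector and HSM.
provision() {
    pin=$(yubihsm_pin 1 password)   # factory default; rotate it first

    curl -fsS "$CONNECTOR_URL/connector/status" | connector_ok \
        || { echo "yubihsm-connector not healthy at $CONNECTOR_URL" >&2; return 1; }
    [ -r "$PKCS11_MODULE" ] || { echo "missing $PKCS11_MODULE" >&2; return 1; }

    write_password_conf password.conf "$pin"
    pki nss-create --force

    # The module reads its config from this variable in every process.
    export YUBIHSM_PKCS11_CONF="$NSSDB/yubihsm_pkcs11.conf"
    echo "connector = $CONNECTOR_URL" > "$YUBIHSM_PKCS11_CONF"
    modutil -dbdir "$NSSDB" -nocertdb -add yubihsm2 -libfile "$PKCS11_MODULE" -force
    modutil -dbdir "$NSSDB" -list | grep -q "token: $TOKEN" \
        || { echo "token $TOKEN not visible through NSS" >&2; return 1; }

    pki --token "$TOKEN" -f password.conf nss-key-create
    key_id=$(pki --token "$TOKEN" -f password.conf nss-key-find \
        | sed -n 's/^[[:space:]]*Key ID: //p' | head -n 1)
    [ -n "$key_id" ] || { echo "no key found on $TOKEN" >&2; return 1; }

    pki --token "$TOKEN" -f password.conf nss-cert-request \
        --key-id "$key_id" \
        --subject "CN=Certificate Authority" \
        --ext /usr/share/pki/server/certs/ca_signing.conf \
        --csr ca_signing.csr
    pki --token "$TOKEN" -f password.conf nss-cert-issue \
        --csr ca_signing.csr --cert ca_signing.crt
    openssl x509 -noout -subject -in ca_signing.crt
}

if [ "${1:-}" = provision ]; then
    provision
fi
```

Run it as `sh yubihsm-ca.sh provision` once the connector is up; without the argument it only defines the helpers, so it can be sourced and checked on a machine with no HSM attached. The PIN helper exists because the four-digit hex ID is the usual stumbling block: auth key 255 becomes 00ff, not 255.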

Importing Certificate into YubiHSM (Not Working Yet)

$ pki --token YubiHSM -f password.conf nss-cert-import --cert ca_signing.crt YubiHSM:ca_signing

To verify:

$ pki --token YubiHSM -f password.conf nss-cert-find
