
YubiHSM

Endi S. Dewata edited this page Sep 28, 2023 · 11 revisions

Installation

$ dnf install yubihsm-connector yubihsm-shell

YubiHSM Connector Configuration

The configuration is located at /etc/yubihsm-connector.yaml:

# Certificate (X.509)
#cert: ""
#
# Certificate key
#key: ""
#
# Listening address. Defaults to "127.0.0.1:12345".
#listen: "127.0.0.1:12345"
#
# Device serial in case of multiple devices
#serial: ""
#
# Log to syslog/eventlog. Defaults to "false".
#syslog: "false"

Starting YubiHSM Connector Service

$ systemctl start yubihsm-connector

Accessing YubiHSM

$ yubihsm-shell
yubihsm>

Installing YubiHSM Module in NSS Database

Prepare an NSS database. For example, the following command will create an NSS database in $HOME/.dogtag/nssdb:

$ pki nss-create --force

To install the YubiHSM module (the PKCS#11 library reads the connector address from the file named by YUBIHSM_PKCS11_CONF):

$ export YUBIHSM_PKCS11_CONF=$HOME/.dogtag/nssdb/yubihsm_pkcs11.conf
$ echo "connector = http://127.0.0.1:12345" > $YUBIHSM_PKCS11_CONF
$ modutil -dbdir $HOME/.dogtag/nssdb -nocertdb -add yubihsm2 -libfile /usr/lib64/pkcs11/yubihsm_pkcs11.so -force

To verify the module:

$ modutil -dbdir $HOME/.dogtag/nssdb -list
...
  2. yubihsm2
	library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
	   uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.40
	 slots: 1 slot attached
	status: loaded

	 slot: YubiHSM Connector localhost
	token:
	  uri: pkcs11:
...
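The steps above can be scripted so that the result is checked rather than read by eye. The following is an added example, not part of this wiki page: it writes the PKCS#11 config, registers the module with the same modutil command, and parses `modutil -list` output to confirm that the module is listed as loaded with at least one slot attached. The NSSDB, YUBIHSM_LIB and CONNECTOR_URL overrides, the function names, and the SAMPLE_LIST / SAMPLE_NO_SLOTS strings are assumptions constructed for illustration; only the `install` branch touches a real database.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki): wraps the NSS-module steps in
# functions and checks 'modutil -list' output for a loaded YubiHSM module.
# Defaults and sample output below are constructed for illustration.

NSSDB="${NSSDB:-$HOME/.dogtag/nssdb}"
YUBIHSM_LIB="${YUBIHSM_LIB:-/usr/lib64/pkcs11/yubihsm_pkcs11.so}"
CONNECTOR_URL="${CONNECTOR_URL:-http://127.0.0.1:12345}"
MODULE_NAME="yubihsm2"

# Write the file the PKCS#11 module reads through YUBIHSM_PKCS11_CONF.
# It only names the connector endpoint; keep it readable by the owner only.
write_pkcs11_conf() {
    conf="$1"
    printf 'connector = %s\n' "$CONNECTOR_URL" > "$conf"
    chmod 600 "$conf"
}

# Register the module in the NSS database (same modutil invocation as on
# the page); refuse early if the library is not installed.
install_module() {
    if [ ! -r "$YUBIHSM_LIB" ]; then
        echo "PKCS#11 library not found: $YUBIHSM_LIB" >&2
        return 1
    fi
    modutil -dbdir "$NSSDB" -nocertdb -add "$MODULE_NAME" \
        -libfile "$YUBIHSM_LIB" -force
}

# Read 'modutil -list' output from stdin; succeed only if the named module
# is listed with status "loaded" and at least one slot attached.
module_loaded() {
    awk -v name="$1" '
        /^ *[0-9]+\. / { inmod = ($2 == name) }  # "  2. yubihsm2" opens an entry
        inmod && /status: loaded/          { loaded = 1 }
        inmod && /slots: [1-9][0-9]* slot/ { slots = 1 }
        END { exit !(loaded && slots) }'
}

# Constructed sample of 'modutil -list' output (two modules, both loaded).
SAMPLE_LIST='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

  2. yubihsm2
    library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
     slots: 1 slot attached
    status: loaded
-----------------------------------------------------------'

# Constructed sample where the module loaded but exposes no slot, which is
# what you see when the library cannot reach a token.
SAMPLE_NO_SLOTS='  2. yubihsm2
    library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
     slots: There are no slots attached to this module
    status: loaded'

# Full setup against the real database when run as: sh setup.sh install
if [ "${1:-}" = install ]; then
    export YUBIHSM_PKCS11_CONF="$NSSDB/yubihsm_pkcs11.conf"
    write_pkcs11_conf "$YUBIHSM_PKCS11_CONF"
    install_module || exit 1
    if modutil -dbdir "$NSSDB" -list | module_loaded "$MODULE_NAME"; then
        echo "$MODULE_NAME loaded with slots"
    else
        echo "$MODULE_NAME not usable; check yubihsm-connector" >&2
        exit 1
    fi
fi

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | module_loaded "$MODULE_NAME" \
    && echo "sample output: $MODULE_NAME loaded"
```

Run without arguments the script only exercises the parser on the embedded sample; with `install` it performs the registration and fails non-zero if the module does not come up with a slot, which is the condition a deployment script should gate on before pointing PKI at the token.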

See Also
