PKI Proxy - Sharing Certificates from a YubiKey HSM


Requirements: PKI Proxy

Introduction

PKI Proxy is a secure key server which enables remote code and document signing using centrally stored keys. This allows you to use keys from an HSM, such as a YubiKey, on another system. The private key never leaves your server, and PKI Proxy employs SSL/TLS to secure all communications.

PKI Proxy works by configuring a private key in the PKI Proxy application and defining which users may access it. From the client machine where the signing will take place, requests are made to PKI Proxy using the included PKCS#11 driver, by configuring the Windows Key Storage Provider (KSP), by using the included command line tools, or by calling the Web API directly.

Sharing a Certificate

The first step in using a certificate remotely is to install PKI Proxy on the system where the HSM is located and configure the certificate for sharing. You can read more about the basic process in the Server Configuration section of the Getting Started with PKI Proxy article.

To share a certificate from a YubiKey HSM, use the "Security Key (PKCS#11)" option when selecting a key. For a YubiKey, the PKCS#11 library is libykcs11.dll, which is included with the Yubico PIV Tool. Select the correct Security Key device, enter the PIN, and click "Open" to load the list of keys, then select the one you want to use and click OK. From there, follow the standard directions for configuring a user and sharing access.

Accessing the Certificate

PKI Proxy provides multiple options for accessing the certificate from the client side. One option is the PKI Proxy KSP, which adds the key to the Windows Certificate Store so that it appears as if the certificate were installed on the local system. We also offer a PKI Proxy PKCS#11 DLL, which functions as a standard PKCS#11 library. In both cases, follow the standard client setup instructions; the steps are the same regardless of where the key originally came from.
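Once the KSP client setup is complete, it is worth confirming two things before relying on the shared key for production signing: that the certificate in the Windows store is actually backed by the PKI Proxy KSP (and not by a local software key of the same name), and that a signature produced through it verifies against the certificate's public key. The following PowerShell script is an added example written for this article; it is not code from nSoftware or from the PKI Proxy product. It assumes the shared certificate has already been added to the CurrentUser\My store via the PKI Proxy KSP, that the key is an RSA key (YubiKey PIV keys can also be ECC, which would need the ECDsa equivalents), and that the subject name and the KSP provider name pattern are placeholders you replace with your own values.

```powershell
# Added example, not part of the nSoftware article or product documentation.
# Assumes the PKI Proxy KSP is installed and the shared certificate has
# already been added to CurrentUser\My per the client setup instructions.
# "CN=Code Signing Example" is a placeholder subject; replace it with yours.
$subject = 'CN=Code Signing Example'

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate '$subject' with a private key was not found" }

# GetRSAPrivateKey returns an RSACng handle for CNG/KSP-backed keys. The key
# material itself never leaves the PKI Proxy server (and the YubiKey behind it);
# the handle only forwards operations to the provider.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "Private key is not a CNG key, so the certificate is not using a KSP"
}

# Confirm which provider serves the key. The provider name pattern below is an
# assumption: read the actual name from your KSP installation and adjust it.
$provider = $rsa.Key.Provider.Provider
Write-Host "Key provider: $provider"
if ($provider -notmatch 'PKI Proxy') {
    Write-Warning "Key is served by '$provider', not by the PKI Proxy KSP"
}

# Round trip: SignData is forwarded to PKI Proxy over TLS, while VerifyData
# uses only the public key from the certificate and therefore runs locally.
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed test message for signing')
$hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$sig  = $rsa.SignData($data, $hash, $pad)

$pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $pub.VerifyData($data, $sig, $hash, $pad)) {
    throw "Signature from the remote key did not verify against the certificate's public key"
}
Write-Host "Signature ($($sig.Length) bytes) verified against the certificate's public key"
```

Running this from the client machine exercises the whole path described above: the Windows Certificate Store hands the request to the PKI Proxy KSP, PKI Proxy performs the signature with the key held on the YubiKey, and the result comes back over the TLS channel. If the provider check warns that a different provider is serving the key, a locally installed copy of the certificate is shadowing the shared one and should be removed before signing.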

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.