YubiHSM 2

The HSM type described on this page is not officially supported by EJBCA even though it may be successfully integrated with EJBCA. For a list of HSMs supported by the different EJBCA deployment types, see Supported Hardware Security Modules (HSMs).

The YubiHSM, an HSM version of the Yubikey from Yubico, integrates with EJBCA for a range of public key infrastructure (PKI) use cases. For more information, refer to the Yubico guide YubiHSM 2 for EJBCA Deployment Guide [External Link].

You can use multiple YubiHSMs through a single PKCS#11 library (yubihsm_pkcs11.so), addressing each device by its own Slot ID.

  • Create one yubihsm-connector config file per HSM, with each config listening on a different TCP port.

  • Start the yubihsm-connector service once for each config file, so that one connector service runs per HSM.

  • Create a yubihsm_pkcs11.conf with one connector statement per HSM; the order of the statements determines the Slot ID, e.g.
    connector=http://127.0.0.1:12345 # this will become slot 0
    connector=http://127.0.0.1:12346 # this will become slot 1

  • Set the environment variable YUBIHSM_PKCS11_CONF=/etc/yubihsm_pkcs11.conf in the environment of the WildFly process, so the PKCS#11 library can locate the file.

  • Restart WildFly and configure the Crypto Tokens in EJBCA using yubihsm_pkcs11.so with Slot IDs 0 and 1.
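The steps above, carried through as an added shell example (not part of the EJBCA or Yubico documentation): it generates one yubihsm-connector config per HSM, builds the combined yubihsm_pkcs11.conf, and records which connector URL each Slot ID resolves to so the mapping can be checked before the Crypto Tokens are created. The connector config keys `listen` and `serial`, the output directory, the device serial numbers and the module path `/usr/lib/pkcs11/yubihsm_pkcs11.so` are assumptions for illustration; adjust them to your installation.

```shell
#!/bin/sh
# Added example for a two-HSM setup; not from the EJBCA or Yubico docs.
# Assumed: yubihsm-connector reads a YAML config with the keys 'listen'
# and 'serial'; $OUT_DIR and the serial numbers are illustrative values.

OUT_DIR="${OUT_DIR:-/tmp/yubihsm-multi}"

# write_connector_conf PORT SERIAL -> prints the path of the written config.
# Pinning 'serial' ties each connector service to one physical HSM, so two
# services started on the same host do not both claim the same USB device.
write_connector_conf() {
  port="$1"; serial="$2"
  mkdir -p "$OUT_DIR"
  f="$OUT_DIR/yubihsm-connector-$port.yaml"
  printf 'listen: 127.0.0.1:%s\nserial: %s\n' "$port" "$serial" > "$f"
  printf '%s\n' "$f"
}

# write_pkcs11_conf PORT... -> writes yubihsm_pkcs11.conf and prints its path.
# The N-th port given becomes Slot ID N-1 (first connector line = slot 0).
write_pkcs11_conf() {
  mkdir -p "$OUT_DIR"
  f="$OUT_DIR/yubihsm_pkcs11.conf"
  : > "$f"
  for port in "$@"; do
    printf 'connector=http://127.0.0.1:%s\n' "$port" >> "$f"
  done
  printf '%s\n' "$f"
}

# slot_count CONF -> number of connector= lines, i.e. number of PKCS#11 slots.
slot_count() {
  grep -c '^connector=' "$1"
}

# slot_connector CONF SLOT -> connector URL that the 0-based SLOT maps to.
slot_connector() {
  awk -F= -v s="$2" '/^connector=/ { if (n == s) { print $2; exit } n++ }' "$1"
}

# check_slots: with the config exported the way WildFly will see it, list the
# slots through OpenSC's pkcs11-tool. Needs the running connectors and the
# real HSMs, so it is a manual verification step rather than part of the tests.
check_slots() {
  YUBIHSM_PKCS11_CONF="$OUT_DIR/yubihsm_pkcs11.conf" \
    pkcs11-tool --module /usr/lib/pkcs11/yubihsm_pkcs11.so -L
}
```

Typical use is `write_connector_conf 12345 0012345678`, `write_connector_conf 12346 0012345679`, then `write_pkcs11_conf 12345 12346`, start one yubihsm-connector per generated YAML file, and run `check_slots` to confirm that the slot list shows two devices in the expected order before pointing the EJBCA Crypto Tokens at Slot IDs 0 and 1.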