Yubico · bkanui · May 3, 2021 · May 11, 2021 · Sep 24, 2023 · Oct 1, 2023
diff --git a/content/Developer_Program/Guides/Securing_Web_Services_with_OTP.adoc b/content/Developer_Program/Guides/Securing_Web_Services_with_OTP.adoc
@@ -10,9 +10,9 @@ All YubiKeys, with the exception of the Security Key by Yubico (SKY) series supp
 Developers looking to add OTP support will need to implement an OTP validation server and client. Yubico offers a free Yubico OTP validation service, the YubiCloud, as well as the server code as open source for those who wish to stand up their own server. In addition, Yubico also offers a number of pre-built Yubico OTP clients. The YubiKey is compliant with any server or software which follows the link:https://openauthentication.org/members/[OATH standard for OATH-HOTP or OATH-TOTP], and can be used out of the box with most solutions.
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
+
 
 
 == Selecting the OTP Type

diff --git a/content/Developer_Program/Guides/Touch_triggered_OTP.adoc b/content/Developer_Program/Guides/Touch_triggered_OTP.adoc
@@ -69,9 +69,8 @@ The Yubico One Time Password scheme was developed by Yubico to take full advanta
 The Yubico OTP, like other OTPs, was designed to be used as a second factor authenticator in addition to username and password, as well as simple to implement for client services and systems. When implementing the Yubico OTP, developers have the option to either utilize the YubiCloud Yubico OTP Online Validation service, or stand up their own servers.
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
 
 
 === Yubico OTP Characteristics

diff --git a/content/OTP/Guides/Migrating_to_python-pyhsm.adoc b/content/OTP/Guides/Migrating_to_python-pyhsm.adoc
@@ -1,9 +1,9 @@
 == Migrating from yubikey-ksm to python-pyshm
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
+
 
 This guide will take you through the steps needed to migrate from using the
 PHP-based yubikey-ksm to using python-pyhsm. Benefits of using python-pyhsm

diff --git a/content/OTP/Guides/Self-hosted_OTP_validation.adoc b/content/OTP/Guides/Self-hosted_OTP_validation.adoc
@@ -1,9 +1,9 @@
 == Setup of a self-hosted Yubico OTP validation server
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
+
 
 This document will guide you through setting up a validation server for
 validating OTPs from YubiKeys. If you're not interested in running your own

diff --git a/content/OTP/OTPs_Explained.adoc b/content/OTP/OTPs_Explained.adoc
@@ -75,9 +75,9 @@ The YubiKey OTP generation is made up of the following fields, encrypted with a
 The private id field comprises 6 bytes copied from the private id field configuration value. This field can be used to store a private identity which can be accessed when the OTP is decrypted in a Yubico OTP validation server holding the AES key used to encrypt the OTP.
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
+
 
 
 The verifying instance should verify this field against the expected value. If an OTP is encrypted with a non-matching AES key, this field will be invalid and the OTP shall in this case be rejected.

diff --git a/content/OTP/Plugins.adoc b/content/OTP/Plugins.adoc
@@ -4,4 +4,3 @@ include::{root}/Software_Projects/Yubico_OTP/Yubico_OTP_Integration_Plug-ins/ind
 If you did not find what you are looking for in the list of available plugins (and in your favorite search engine),
 one option is to develop your own integration plugin. This does not have to be all that hard if you
 leverage an existing link:Libraries/Using_a_library.html[OTP validation library].
-
diff --git a/content/Software_Projects/Yubico_OTP/YubiCloud_Connector_Libraries/index.adoc b/content/Software_Projects/Yubico_OTP/YubiCloud_Connector_Libraries/index.adoc
@@ -1,9 +1,8 @@
 == YubiCloud Connector Libraries
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
 
 These libraries help with connecting to the YubiCloud for Yubico OTP validation from a number of different programming languages. Learn how to use a connector library link:/OTP/Libraries/Using_a_library.html[here].
 

diff --git a/content/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/index.adoc b/content/Software_Projects/Yubico_OTP/YubiCloud_Validation_Servers/index.adoc
@@ -1,9 +1,9 @@
 == YubiCloud Validation Servers
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:https://support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
+
 
 If you don't want to use YubiCloud, you can host one of these validation server(s) yourself.
 

diff --git a/content/Software_Projects/Yubico_OTP/Yubico_OTP_Integration_Plug-ins/index.adoc b/content/Software_Projects/Yubico_OTP/Yubico_OTP_Integration_Plug-ins/index.adoc
@@ -11,6 +11,5 @@ JAAS:: link:/yubico-java-client[yubico-java-client]
 Third party plugins can be discovered on link:https://github.com/search?q=yubico+otp[GitHub] for example.
 
 [Note]
-======
-Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
-======
+
+Yubico has declared end-of-life of YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to link://github.com/YubicoLabs/yubikey-ksm[YubicoLabs] as a reference architecture. See article, link:/support.yubico.com/hc/en-us/articles/360021227000[YK-VAL, YK-KSM and YubiHSM 1 End-of-Life].
diff --git a/content/YubiHSM2/Backup_and_Restore/index.adoc b/content/YubiHSM2/Backup_and_Restore/index.adoc
@@ -1,129 +1,9 @@
 == Backup and Restore
 
-=== Introduction
+**This content is deprecated. **
 
-The YubiHSM 2 supports encrypted export and import of objects using a symmetric AES-CCM based scheme.
+For current content see:
 
-The examples below assume the default authentication key (0x0001). If you use some other authentication key make sure that it has the capability `put-wrap-key` and has the correct delegated capabilities,
-otherwise you will get a "wrong permissions for operation" error.
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/index.html[YubiHSM 2 User Guide]
 
-=== Backup Using YubiHSM Shell
-
-Make sure you have a Wrap Key with the Capabilities `export-wrapped`, `import-wrapped` and applicable Delegated Capabilities set:
-
-[source, bash]
-----
-$ yubihsm-shell -a get-pseudo-random --count=32 --out=wrap.key
-...
-$ yubihsm-shell -a put-wrap-key --capabilities export-wrapped,import-wrapped --delegated=sign-pkcs,decrypt-pkcs,exportable-under-wrap --in=wrap.key
-...
-Stored Wrap key 0xd581
-----
-
-When this Wrap Key is present, any Object in the same Domain and with the Capability `exportable-under-wrap` and Capabilities matching the Wrap Key's Delegated Capabilities can be exported:
-
-[source, bash]
-----
-$ yubihsm-shell -a generate-asymmetric-key -A rsa2048 --capabilities exportable-under-wrap,sign-pkcs,decrypt-pkcs
-...
-Generated Asymmetric key 0x6e77
-$ yubihsm-shell -a get-wrapped --wrap-id=0xd581 --object-id=0x6e77 -t asymmetric-key --out=key_6e77.yhw
-...
-----
-
-You now have an encrypted backup of the Asymmetric Key `0x6e77` in the file key_6e77.yhw. *The file wrap.key here contains the cleartext version of the Wrap Key loaded into your YubiHSM and should be considered sensitive*.
-
-=== Backup Using YubiHSM Setup
-
-The tool `yubihsm-setup` can be used to backup all exportable objects at once:
-
-[source, bash]
-----
-$ yubihsm-setup dump
-Enter the wrapping key ID to use for exporting objects: 0xd581
-...
-Successfully exported object Asymmetric with ID 0x6e77 to ./0x6e77.yhw
-All done
-----
-
-=== Restore Using YubiHSM Shell
-
-Considering a fresh device where you want to restore the previously backed up key `0x6e77`
-
-[source, bash]
-----
-$ yubihsm-shell -a put-wrap-key -A aes256-ccm-wrap -c export-wrapped,import-wrapped --delegated=sign-pkcs,decrypt-pkcs,exportable-under-wrap --in=wrap.key -i 0xd581
-...
-Stored Wrap key 0xd581
-$ yubihsm-shell -a put-wrapped --wrap-id=0xd581 --in=key_6e77.yhw
-...
-Object imported as 0x6e77 of type asymmetric-key
-----
-
-== Backup and Restore of Keys Managed via YubiHSM Key Storage Provider
-
-ADCS does not set the `NCRYPT_ALLOW_EXPORT_FLAG` when generating a key neither through the setup UI, nor the `Install-ADCSCertificationAuthority` PowerShell module.  When creating an ADCS root CA key via the YubiHSM 2, we add the `exportable-under-wrap` Capability by default, so that backup and restore functionality is available through the following manual process:
-
-=== Identify Your Private Key Container Name
-
-Open an elevated command prompt/shell.
-
-Use the certutil command:
-
-[source, powershell]
-----
-PS1> certutil -store My
-----
-
-to view the currently installed certificates in the Local Machine "My" store.
-
-Find the target certificate in the list.
-
-Find the `Key Container` property of the target certificate. The Provider property should be equal to `YubiHSM Key Storage Provider`.
-
-Record the `Cert Hash` property to identify the certificate.
-
-=== Backup the Target Certificate
-
-Using any available means (certmgr.msc, PowerShell, certutil), export the target certificate, but without the private key in DER format. The YubiHSM does not provide a mechanism for returning the raw private key to Windows, so generating a PKCS#12 container is not currently possible. For example:
-
-[source, powershell]
-----
-PS1> certutil -split -store My <Cert Hash>
-----
-
-will export the certificate in .crt format to a file named `<Cert Hash>.crt`.
-
-=== Backup the Target Private Key
-
-Using the instructions for exporting a private key under wrap via `yubihsm-shell` (see above), export the target private key with the `label` property equal to the `Key Container` property.
-The Authentication Key that performs this operation must have the `export-wrapped` capability set.
-
-=== Restore the Target Private Key
-
-Using the instructions for importing a private key under wrap via `yubihsm-shell` (see above), import the target private key file to your backup YubiHSM. The Authentication Key that performs this operation must have the `import-wrapped` capability set.
-
-The imported key object should have the same Label property as the original object.
-
-=== Restore the Target Certificate
-
-Move the target certificate file generated above to the target machine.
-
-Import the certificate to the LocalMachine "My" store via your favorite method. At this point, the certificate will not have an associated private key.  Use the `-repairstore` functionality of `certutil` to re-associate the certificate to the private key.
-Make sure that the target private key is visible via the YubiHSM KSP, using
-
-[source, powershell]
-----
-PS1> certutil -key -csp "YubiHSM Key Storage Provider"
-----
-
-This command will list all private keys (and their corresponding container names -- which are equal to the Label property in the YubiHSM visible to the current Authentication Key).
-
-Open an elevated prompt and execute the command:
-
-[source, powershell]
-----
-PS1> certutil -repairstore MY <Cert Hash>
-----
-
-Repeat the steps under Identify Your Private Key Container Name to verify that the certificate has been associated with the YubiHSM Key Storage Provider and has the correct `Key Container` property value.
+- link:<https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/hsm2-backup-restore.html[YubiHSM 2: Backup and Restore]
diff --git a/content/YubiHSM2/Commands/Authenticate_Session.adoc b/content/YubiHSM2/Commands/Authenticate_Session.adoc
@@ -1,46 +1,9 @@
 == AUTHENTICATE SESSION
 
-Complete the mutual authentication process started with
-link:Create_Session.adoc[Create Session].
+**This content is deprecated. **
 
-== Description
+For current content see:
 
-Finish the Session negotiation and authenticate the Session to the device.
-After this command completes successfully the Session is authenticated and
-can be used.
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/index.html[YubiHSM 2 User Guide]
 
-== Shell Example
-
-Create a new Session with Authentication Key `1` using the password `password`, this performs
-both the creation and authentication steps:
-
-  yubihsm> session open 1 password
-  Created session 0
-
-== Protocol Details
-
-=== Command
-
-|==================
-|T~c~ = 0x04
-|L~c~ = 17
-|V~c~ = S \|\| B \|\| M
-|==================
-
-S := Session ID (1 byte)
-
-B := Host Cryptogram (8 bytes)
-
-M := CMAC(S-MAC, 0^16^ || T || L~c~ + 8 || S || B) (8 bytes)
-
-This is the first authenticated message in the chain.
-
-The device verifies `M` and `B`, both using `S-MAC`.
-
-=== Response
-
-|===========
-|T~r~ = 0x84
-|L~r~ = 0
-|V~r~ = Ø
-|===========
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html#authenticate-session-command[AUTHENTICATE SESSION Command]
diff --git a/content/YubiHSM2/Commands/Blink_Device.adoc b/content/YubiHSM2/Commands/Blink_Device.adoc
@@ -1,33 +1,9 @@
 == BLINK DEVICE
 
-Blink the device.
+**This content is deprecated. **
 
-== Description
+For current content see:
 
-Blink the LED of the device to identify it.
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/index.html[YubiHSM 2 User Guide]
 
-== Shell Example
-
-Blink the device for 15 seconds:
-
-  yubihsm> blink 0 15
-
-== Protocol Details
-
-=== Command
-
-|===========
-|T~c~ = 0x6b
-|L~c~ = 1
-|V~c~ = S
-|===========
-
-S := Seconds to blink for (1 byte)
-
-=== Response
-
-|===========
-|T~r~ = 0xeb
-|L~r~ = 0
-|V~r~ = Ø
-|===========
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html#blink-device-command[BLINK DEVICE Command]
diff --git a/content/YubiHSM2/Commands/Change_Authentication_Key.adoc b/content/YubiHSM2/Commands/Change_Authentication_Key.adoc
@@ -1,46 +1,9 @@
 == CHANGE AUTHENTICATION KEY
 
-Change an Authentication Key.
+**This content is deprecated. **
 
-== Description
+For current content see:
 
-Replace the Authentication Key used to establish the current Session. It is not possible to modify any of the metadata connected to the Object such as Domains or Capabilities. Only the payload data of the Object (i.e., the long-lived symmetric keys) will be modified.
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/index.html[YubiHSM 2 User Guide]
 
-The same `PBKDF2` derivation scheme described in link:../Concepts/Session.adoc[Session] is available.
-
-== Shell Example
-
-Change the current Authentication Key deriving it from the password `newpassword`:
-
-  yubihsm> change authkey 0 1 newpassword
-  Changed Authentication key 0x0001
-
-== Protocol Details
-
-=== Command
-
-|=======================
-|T~c~ = 0x6c
-|L~c~ = 2 + 1 + 16 + 16
-|V~c~ = I \|\| A \|\| K~e~ \|\| K~m~
-|=======================
-
-Replace the currently used Authentication Key with a new set of keys.
-
-I := link:../Concepts/Object_ID.adoc[Object ID] of the Authentication Key (2 bytes)
-
-A := link:../Concepts/Algorithms.adoc[Algorithm] (1 byte)
-
-K~e~ := Encryption Key (16 bytes)
-
-K~m~ := Mac Key (16 bytes)
-
-=== Response
-
-|===========
-|T~r~ = 0xec
-|L~r~ = 2
-|V~r~ = I
-|===========
-
-I := link:../Concepts/Object_ID.adoc[Object ID] of the changed Object (2 bytes)
+- link:https://docs.yubico.com/software/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html#change-authentication-key-command[CHANGE AUTHENTICATION KEY Command]