On 03/14/2013 12:22 PM, Florian Klickermann wrote:
> Hi all, and first excuse me for being a total beginner with gnutls. I'm trying
> to create certificates with the TPM and connect to a server.
> I use a BeagleboardxM, TPM 1.2 with a Debian, 3.7 Kernel and gnutls-3.1.1.
> I've created the following keys and certificates (pubkey, ca-cert, ca-key,
> cert):
>
> $ tpmtool --generate-rsa --bits 2048 --register --user
> tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user
>
> $ tpmtool --pubkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"
> --outfile=pubkey.pem
Up to this point you have a public and private key pair, and the private
key is stored in the TPM.

> $ certtool --generate-privkey --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile
> ca-key.pem

What are you actually trying to do here? That command doesn't make sense.
If you want to generate a private key, why do you load the TPM private key?

> $ certtool --generate-certificate --outfile cert.pem --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"
> --load-pubkey pubkey.pem --load-ca-certificate ca-cert.pem
> --load-ca-privkey ca-key.pem

That last command would generate a certificate in cert.pem that corresponds
to the TPM key.

> For a first test I create a server on the BeagleBoard and connect with the
> client to localhost and get the following client error:
> Server:
> $ gnutls-serv --x509cafile /etc/ssl/certs/ca-cert.pem --x509keyfile
> /etc/ssl/certs/ca-key.pem -p 443

That looks like a bug on the server. It wouldn't have started with the
options that you issued. A server requires --x509certfile and --x509keyfile,
and on those you should set the server's certificate and private key, not
the CA's.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
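The corrected sequence the reply describes, written out as an added example (not code from the thread, from Florian, or from the gnutls project): a separate CA key and self-signed CA certificate, a server certificate issued for the TPM-held key from its exported public key, a chain check with certtool --verify before the server is started, and gnutls-serv invoked with --x509certfile/--x509keyfile pointing at the server's own certificate and key rather than the CA's. Everything beyond the commands quoted above is my assumption: the certtool templates, the working directory, the TPMKEY variable carrying the tpmkey: URL printed by tpmtool, and the software-key stand-in used when no TPM is present so the certtool steps can still be run on an ordinary machine. It needs gnutls-bin (certtool, gnutls-serv) installed and, for the TPM path, tpmtool with a registered key.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (mine): gnutls-bin
# provides certtool and gnutls-serv; TPMKEY holds the tpmkey: URL returned by
# "tpmtool --generate-rsa --bits 2048 --register --user". When TPMKEY is empty
# a software key is generated instead so the flow can be exercised without a TPM.
set -eu

WORK=${WORK:-$(mktemp -d)}
TPMKEY=${TPMKEY:-}   # e.g. "tpmkey:uuid=...;storage=user" (assumed variable)

# certtool templates keep the run non-interactive and pin the key usage:
# the CA certificate may only sign certificates, the server certificate is
# marked as a TLS server and carries the name clients will check.
write_templates() {
    cat > "$WORK/ca.tmpl" <<'EOF'
cn = "Test CA"
ca
cert_signing_key
crl_signing_key
expiration_days = 365
EOF
    cat > "$WORK/server.tmpl" <<'EOF'
cn = "localhost"
dns_name = "localhost"
tls_www_server
signing_key
encryption_key
expiration_days = 90
EOF
}

# The CA: its own software key plus a self-signed certificate. These sign
# other certificates; they are never the server's identity.
make_ca() {
    certtool --generate-privkey --bits 2048 --outfile "$WORK/ca-key.pem" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$WORK/ca-key.pem" \
        --template "$WORK/ca.tmpl" --outfile "$WORK/ca-cert.pem" 2>/dev/null
}

# The server certificate. With a TPM key the private half never leaves the
# chip: certtool gets the public key exported by tpmtool, the tpmkey: URL for
# the proof-of-possession signature, and the CA key/cert to issue with.
make_server_cert() {
    if [ -n "$TPMKEY" ]; then
        tpmtool --pubkey "$TPMKEY" --outfile "$WORK/pubkey.pem"
        SERVERKEY=$TPMKEY
        PUBKEY_OPT="--load-pubkey $WORK/pubkey.pem"
    else
        # No TPM available: software key stand-in (assumption for testability).
        certtool --generate-privkey --bits 2048 --outfile "$WORK/server-key.pem" 2>/dev/null
        SERVERKEY=$WORK/server-key.pem
        PUBKEY_OPT=""
    fi
    # PUBKEY_OPT is intentionally left unquoted so it word-splits into two args.
    certtool --generate-certificate --load-privkey "$SERVERKEY" $PUBKEY_OPT \
        --load-ca-certificate "$WORK/ca-cert.pem" --load-ca-privkey "$WORK/ca-key.pem" \
        --template "$WORK/server.tmpl" --outfile "$WORK/cert.pem" 2>/dev/null
}

# The check to run before starting anything: does cert.pem chain to the CA?
# Returns certtool's exit status (0 = verified).
verify_chain() {
    certtool --verify --load-ca-certificate "$WORK/ca-cert.pem" \
        --infile "$WORK/cert.pem" >/dev/null 2>&1
}

# The server line the thread was missing: server cert and server key,
# the CA material stays out of it. Printed rather than executed here.
server_command() {
    echo "gnutls-serv --x509certfile $WORK/cert.pem --x509keyfile $SERVERKEY -p 5556"
}

# Whole flow. Returns 0 on success; prints SKIP and returns 0 when certtool is
# absent so the script is harmless on a box without gnutls-bin.
run_demo() {
    if ! command -v certtool >/dev/null 2>&1; then
        echo "SKIP: certtool (gnutls-bin) not installed" >&2
        return 0
    fi
    write_templates
    make_ca
    make_server_cert
    verify_chain
    server_command
}

run_demo
```

On the BeagleBoard the only change is exporting TPMKEY with the URL tpmtool printed, after which cert.pem is issued for the TPM key and the printed gnutls-serv line uses the tpmkey: URL as --x509keyfile; the --verify step catches a mismatch between the CA that signed cert.pem and the CA file you hand to clients before any TLS handshake has to fail to tell you.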
