On Tue, 2018-01-16 at 00:07 +0100, Emmanuel Deloget wrote:
> While the number of required changes was quite small (and have no
> impact on openvpn), this was quite a journey. I guess some of the
> merits should go to RSA, Microsoft and Intel, for their incredible
> effort in building comprehensive industry standards that are as
> convoluted as they are comprehensive :) (I'm kidding; I think I
> begin to enjoy PKCS#11 and I definitely had some fun while playing
> with my TPM2).
>
> Those who are interested can contact me. I will probably try to
> write something about this somewhere (I don't know where yet).
Just a note that there is an easier way of doing this. The engine key patch:

https://sourceforge.net/p/openvpn/mailman/message/36147533/

achieves the same thing somewhat more simply. You use the tpm2 engine:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

and convert an existing private key into engine format with create_tpm2_key and place it in /etc/openvpn/ where the private key file usually goes. Then all private key signature transactions go via the TPM.

James

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel