Tom Sawyer wrote:
> I am trying to generate my own cert on the client side using the keys
> generated by the TPM.
> And I want to use the resulting Client.Cert to be sent during the
> client hello (SSL exchange). The server would verify it and do
> whatever.
>
> But the key blocker for me @ this point is how to use openssl to
> generate a CSR using keys hosted on the TPM.
I successfully avoid openssl_tpm_engine by using gnutls built with TPM (libtspi) support.

cert.cfg:

#v+
country = ...
locality = "..."
organization = "..."
cn = "..."
signing_key
#v-

Then:

certtool --generate-request --load-privkey "$k" --load-pubkey "$k" \
    --outfile req.csr --template cert.cfg

Where k can be either something like:

k="tpmkey:uuid=00000000-0000-0000-0000-000000000667;storage=system"

if using Persistent Storage. Not the best option in my opinion.

or:

k="tpmkey:file=sign.blob.der"

if using blobs produced by Tspi_EncodeDER_TssBlob.

Further reading:
http://nmav.gnutls.org/2012/08/using-trusted-platform-module-to.html
http://www.gnutls.org/manual/html_node/Trusted-Platform-Module.html

My use case is different than yours though, so YMMV.

--
kjk

_______________________________________________
TrouSerS-users mailing list
https://lists.sourceforge.net/lists/listinfo/trousers-users
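A shell wrapper around the certtool procedure kjk describes above, added here as an example and not code from the original post or from the gnutls project; it assumes the helper names, the template field values and the `make_csr` file paths, and only accepts the two tpmkey: URL forms shown in the reply.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the gnutls certtool
# CSR procedure above. Function names and file paths are assumptions.

# Build the tpmkey: URL for either a persistent-storage key (uuid) or a
# TSS key blob file (file), the two forms shown in the reply.
tpmkey_url() {
  case "$1" in
    uuid) printf 'tpmkey:uuid=%s;storage=%s\n' "$2" "${3:-system}" ;;
    file) printf 'tpmkey:file=%s\n' "$2" ;;
    *)    return 1 ;;
  esac
}

# Accept only the two URL shapes certtool is given above; reject anything
# else before it reaches the command line.
validate_tpmkey_url() {
  case "$1" in
    tpmkey:uuid=????????-????-????-????-????????????";storage=system") return 0 ;;
    tpmkey:uuid=????????-????-????-????-????????????";storage=user")   return 0 ;;
    tpmkey:file=?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the certtool template: write_template FILE COUNTRY LOCALITY ORG CN
write_template() {
  cat > "$1" <<EOF
country = "$2"
locality = "$3"
organization = "$4"
cn = "$5"
signing_key
EOF
}

# Generate the CSR with the TPM key as both private and public key, then
# print the request so its subject can be checked before it is submitted.
make_csr() {
  k="$1" cfg="$2" out="$3"
  command -v certtool >/dev/null 2>&1 || { echo "certtool not found" >&2; return 3; }
  validate_tpmkey_url "$k" || { echo "unsupported key URL: $k" >&2; return 2; }
  certtool --generate-request --load-privkey "$k" --load-pubkey "$k" \
    --outfile "$out" --template "$cfg" || return 1
  certtool --crq-info --infile "$out"
}
```

Typical use is `write_template cert.cfg US Boston "Example Corp" client.example` followed by `make_csr "$(tpmkey_url file sign.blob.der)" cert.cfg req.csr`.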
