[openssl-users] Using a TPM to sign CSRs
William Roberts
bill.c.roberts at gmail.com
Wed Jul 25 15:28:22 UTC 2018
On Tue, Jul 24, 2018 at 4:18 AM, Kaarthik Sivakumar
<kaarthik.sk at gmail.com> wrote:
> Hello
>
> I need to create a key pair using a TPM (proprietary) and build a CSR and
What TPM Version?
If it's TPM 2.0, a new Engine project has emerged here:
https://github.com/tpm2-software/tpm2-tss-engine
This might be able to handle just calling the create CSR routine. I
know back in the day the OpenSC engine with a PIV card could do it.
You can try to get ahold of the maintainer of that project (Andreas) through
a direct email or the project mailing list:
- https://lists.01.org/mailman/listinfo/tpm2
> sign it using the TPM as well. Currently I don't have an engine interface
> to talk to the TPM. I do the following:
>
> 1. generate key pair in the TPM. private key is kept private in the TPM and
> public key can be obtained out of the TPM
>
> 2. use the public key to generate a CSR (X509_REQ_init(), etc)
>
> 3. Get the hash of the CSR (X509_REQ_digest())
>
> 4. Pass the digest to the TPM and get back signature
>
> 5. Add signature to the CSR - I don't see any way to do this. Is there an
> openssl API to perform this step? I don't think I can use X509_REQ_sign()
> since that will use the private key provided or if I have an engine
> interface then it will call the engine to do the signing. Is there a way to
> call sign() and make it call my function that can do the step 4 above?
>
> Thanks!
>
>
> -kaarthik-
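The five steps from the quoted question, written out as an added example that is not part of the original thread and is not OpenSSL or tpm2-tss-engine code: a PKCS#10 request is assembled by hand so that the signing step is a callback that only ever receives a digest. It assumes an RSA key and a device that returns a PKCS#1 v1.5 signature over a SHA-256 digest; `device_sign` and the toy key behind it are constructed stand-ins for the TPM.

```python
import hashlib

RSA_ENC = bytes.fromhex("06092a864886f70d0101010500")      # rsaEncryption OID + NULL
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b0500")   # sha256WithRSAEncryption + NULL
CN_OID = bytes.fromhex("0603550403")                       # commonName OID
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 prefix

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(v):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def request_info(n, e, common_name):
    """CertificationRequestInfo: the only bytes the CSR signature covers."""
    name = der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, common_name.encode()))))
    spki = der(0x30, der(0x30, RSA_ENC) + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    return der(0x30, der_int(0) + name + spki + der(0xA0, b""))  # version 0, no attributes

def build_csr(n, e, common_name, sign_digest):
    """Assemble the CSR around a signature produced outside this process."""
    info = request_info(n, e, common_name)
    sig = sign_digest(hashlib.sha256(info).digest())   # only the digest leaves the host
    return der(0x30, info + der(0x30, SHA256_RSA) + der(0x03, b"\x00" + sig))

# Constructed stand-in for the device: a toy RSA key built from two Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # signature length in bytes

def emsa_pkcs1_v15(digest):
    """PKCS#1 v1.5 signature padding around a SHA-256 DigestInfo."""
    t = DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def device_sign(digest):
    """Hypothetical callback: in practice this call goes to the TPM."""
    return pow(int.from_bytes(emsa_pkcs1_v15(digest), "big"), D, N).to_bytes(K, "big")

def signature_valid(csr, info):
    """Check the trailing signature against the request info using the public key."""
    expected = int.from_bytes(emsa_pkcs1_v15(hashlib.sha256(info).digest()), "big")
    return pow(int.from_bytes(csr[-K:], "big"), E, N) == expected
```

Calling `build_csr(N, E, "device-01.example", device_sign)` returns the DER bytes of the request; the private exponent is used only inside `device_sign`, which is the part a real TPM would replace.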