[openssl-users] Using a TPM to sign CSRs

William Roberts bill.c.roberts at gmail.com
Wed Jul 25 15:28:22 UTC 2018

On Tue, Jul 24, 2018 at 4:18 AM, Kaarthik Sivakumar
<kaarthik.sk at gmail.com> wrote:
> Hello
> I need to create a key pair using a TPM (proprietary) and build a CSR and

What TPM Version?

If it's TPM 2.0, a new Engine project has emerged here:

This might be able to handle to just calling the create CSR routine. I
know back-in-
the-day the OpenSC engine with a PIV card could do it.

You can try to get  ahold of the maintainer of that project (Andraes) through
a direct email or the project mailing list:
  - https://lists.01.org/mailman/listinfo/tpm2

> sign it using it the TPM as well. Currently I dont have an engine interface
> to talk to the TPM. I do the following:
> 1. generate key pair in the TPM. private key is kept private in the TPM and
> public key can be obtained out of the TPM
> 2. use the public key to generate a CSR (X509_REQ_init(), etc)
> 3. Get the hash of the CSR (X509_REQ_digest())
> 4. Pass the digest to the TPM and get back signature
> 5. Add signature to the CSR - I dont see any way to do this. Is there an
> openssl API to perform this step? I dont think I can use X509_REQ_sign()
> since that will use the private key provided or if I have an engine
> interface then it will call the engine to do the signing. Is there a way to
> call sign() and make it call my function that can do the step 4 above?
> Thanks!
> -kaarthik-
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list