[openssl-users] Using a TPM to sign CSRs

Devang Kubavat digant.kubavat at gmail.com
Sat Jul 28 16:13:00 UTC 2018

Hi Kaarhik,

Please refer https://github.com/ThomasHabets/openssl-tpm-engine. It is
OpenSSL TPM Engine. It will help to offload all crypto operation to TPM.


On Tue, Jul 24, 2018 at 4:48 PM, Kaarthik Sivakumar <kaarthik.sk at gmail.com>

> Hello
> I need to create a key pair using a TPM (proprietary) and build a CSR and
> sign it using it the TPM as well. Currently I dont have an engine interface
> to talk to the TPM. I do the following:
> 1. generate key pair in the TPM. private key is kept private in the TPM
> and public key can be obtained out of the TPM
> 2. use the public key to generate a CSR (X509_REQ_init(), etc)
> 3. Get the hash of the CSR (X509_REQ_digest())
> 4. Pass the digest to the TPM and get back signature
> 5. Add signature to the CSR - I dont see any way to do this. Is there an
> openssl API to perform this step? I dont think I can use X509_REQ_sign()
> since that will use the private key provided or if I have an engine
> interface then it will call the engine to do the signing. Is there a way to
> call sign() and make it call my function that can do the step 4 above?
> Thanks!
> -kaarthik-
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180728/1a28d0a8/attachment.html>

More information about the openssl-users mailing list