Tom Sawyer
2016-02-10 22:51:37 UTC
Hi all,
I am trying to generate my own cert on the client side using the keys
generated by the TPM.
And I want to use the resulting Client.Cert to be sent during the client
hello (SSL exchange). The server would verify it and do whatever.
But the key blocker for me @ this point is how to use openssl to
generate CSR using TPM hosted on tpm.
I bumped into the trousers-openssl package which seems to be the right
thing to use but it's not packaged with standard distros (ubuntu/debian),
makes me think it is outdated!!
git clone git://git.code.sf.net/p/trousers/openssl_tpm_engine trousers-openssl_tpm_engine
Also, the trousers-openssl seems to be generating only PKCSV15 type files,
whereas SSL exchange needs an X509 type certificate.
- why did the tpm-engine for openssl choose to do PKCS#15?
The current openssl on my host PC is 1.0.2d whereas openssl_tpm_engine was
written for open 0.9.8. Any suggestions on how to plow through this?
Thanks
Tom