Manualshelf

HP-UX Trusted Computing Services A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Trusted Computing Services (TCS) Software
31323334353637383940
5 Using TCS RSA Keys with OpenSSL
This chapter describes how to use TCS to protect RSA private keys used with OpenSSL
applications. This chapter addresses the following topics:
“Overview” (page 39)
“Configuring an OpenSSL Application to Use TCS Keys” (page 41)
“Step 1: Obtaining a Certificate that Uses a TPM-Protected Private Key ” (page 41)
“Step 2: Determining the TPM OpenSSL Engine File for an Application” (page 44)
“Step 3: Specifying Engine Information for the Application” (page 45)
“Step 4: Distributing the X.509 Certificate” (page 45)
“Stunnel Examples” (page 45)
“Backing Up Keys” (page 53)
Overview
TCS includes an TPM OpenSSL engine that enables an OpenSSL application to use TCS RSA key
pairs in the same way the application would use RSA keys generated by OpenSSL software. A
TCS RSA key pair is an RSA key pair protected by the TPM and created using the tpmcreate
utility. Using TCS to protect RSA keys provides the following benefits:
Hardware-based encrypted storage for RSA private keys
TCS encrypts the RSA private key with the TPM Roaming Key (RK). For added security,
TCS also supports passphrase protection for the private key, but the private key is stored
in encrypted format whether or not passphrase protection is used. This feature is useful
when you want to store RSA private keys for daemons and services without passphrases
so these programs can start without requiring an administrator to enter a passphrase.
The TPM OpenSSL engine also enables applications to use the TPM-protected RSA private
key without exposing it in cleartext. Data that needs to be signed, decrypted, or encrypted
by the private key is loaded into the TPM with the encrypted RSA private key. TCS uses the
procedure described in “Chain of Protection” (page 17) to access the RSA private key and
then signs, decrypts, or encrypts the data using the internal processor of the TPM. The RSA
private key is not exposed in cleartext during these operations.
Platform identity
Because TPM-protected RSA private keys can be decrypted and used only on the platform
with the TPM containing the parent key, the corresponding public key is bound to the specific
server and TPM containing the parent RK. A peer receiving a valid X.509 security certificate
derived from a TCS RSA key pair is assured that the entity using the certificate private key
to establish an OpenSSL session is on the platform with the same TPM used to protect the
private key.
Transparent compatibility for RSA session peers, remote or local, and for Certificate
Authorities (CAs)
The public key of a TCS RSA key pair and the certificate associated with the TCS RSA key
pair are no different than an RSA public key or certificate created without TCS. The public
key and certificate can be used by peer nodes with no changes. You do not need to install
TCS on the peer nodes.
Overview 39