HP-UX Trusted Computing Services A.02.00 Administrator's Guide

An OpenSSL certificate request created for a TCS RSA key pair is no different from any other
certificate request. The Certificate Authority (CA) that creates and signs the certificate does
not have to use TCS.
Runtime loading with minimal or no source code changes
The TPM OpenSSL engines are compiled binaries that an application can dynamically load
using the OpenSSL engine interface. An application can determine information about the
engine library, including its name and file location, at runtime instead of being compiled or
linked into the application.
Applications that are enabled to use OpenSSL engines, such as Stunnel, can use TCS RSA
key pairs without source code changes.
If an OpenSSL application is not enabled to use the engine infrastructure, programmers can
make minor source code changes to use it. The TPM OpenSSL engine contains routines that
transparently replace standard OpenSSL functions used to establish RSA-based OpenSSL
sessions. No changes are necessary to an application's session creation logic; only minor
changes to source code are needed to identify, load and initialize the engine.
The tpmcreate Utility
The tpmcreate utility creates a TCS RSA key pair. A TCS RSA key pair is an OpenSSL RSA key
pair with the private key component protected by the TPM. The tpmcreate utility encrypts the
private key using the TCS Roaming Key (RK) and stores the public key in Secure Shell version
2 (SSHv2), Privacy Enhanced Mail (PEM), or Distinguished Encoding Rules (DER) format. The
tpmcreate utility can also add TPM protection to an existing RSA private key.
You can use a TCS RSA key pair to create an OpenSSL security certificate. On systems with
HP-UX Secure Shell (SSH) version A.05.00.029, you can also use these keys for SSH server key
authentication.
The tpmcreate utility is similar to the OpenSSL genrsa utility. The tpmcreate utility generates
an RSA key pair and creates a key blob (opaque object) that contains the RSA private key, protected
by the TPM RK. The key blob also contains the RSA public key. The tpmcreate utility can also
protect, or wrap, an existing RSA private key with the RK.
OpenSSL Engine Infrastructure and TPM OpenSSL Engines
OpenSSL versions 0.9.7 and 0.9.8 include library routines for dynamically loading cryptographic
modules referred to as engines. An engine can be an external or independent library that is not
included with OpenSSL distributions; this enables applications to use cryptographic functions
provided by vendor hardware, such as the TPM. When the TPM OpenSSL engine is used, selected
functions for signing and decrypting data with private keys that are normally performed by
OpenSSL software are performed by the TPM through TSPI library routines.
OpenSSL versions 0.9.7 and 0.9.8 include a built-in engine named dynamic. A standard method
of loading and initializing an external engine is to first load the dynamic engine. The dynamic
engine then dynamically loads and initializes the external engine based on runtime configuration
data. The configuration data typically specifies the location of the dynamic engine library and
an ID for the library; the data can also specify explicit directives to load and initialize the dynamic
engine.
This guide describes two methods for providing configuration data about the TPM engine:
• Using configuration keywords in application-specific configuration files. This method is
  used by Stunnel, and is described in “Stunnel Examples” (page 45).
• Using an OpenSSL config(5) file and directives. This method is used by HP-UX Secure Shell
  version A.05.00.029 and later, and is described in Chapter 5 (page 39).
40 Using TCS RSA Keys with OpenSSL