HP-UX Trusted Computing Services A.02.00 Administrator's Guide

The specific TPM OpenSSL engine file required for an application is determined by the
OpenSSL version and the compiler data model used, as described in “Step 2: Determining the
TPM OpenSSL Engine File for an Application” (page 44).
For more information about OpenSSL engines, see engine(3).
Requirements
To use TCS RSA key pairs with OpenSSL applications, an environment must meet the following
requirements:
• An application using a certificate with a TCS RSA key pair to identify itself must use
  OpenSSL version 0.9.7 or 0.9.8 or later. There are no OpenSSL version requirements for the
  peer receiving a certificate that uses a TPM-protected key.
• You must use OpenSSL version 0.9.8 or later of the openssl req command to create a
  certificate request with a TCS RSA key pair. If you use TCS to protect the private key of an
  existing certificate, there are no OpenSSL version requirements.
• Applications must use RSA keys. TCS does not support Digital Signature Algorithm (DSA)
  key pairs.
• OpenSSL private keys protected by TCS must be 512, 1024, or 2048 bytes.
There are no requirements for the CA. An OpenSSL certificate request created for a TCS OpenSSL
private key is no different from any other certificate request. The CA that creates and signs the
certificate does not use TCS.
Configuring an OpenSSL Application to Use TCS Keys
The general procedure to configure OpenSSL applications to use TCS keys is as follows:
1. Obtain a security certificate that uses a TPM-protected RSA private key. There are two
   methods to do this:
   • Create a TCS RSA key pair, then create a new certificate using the key pair.
   • Add TPM protection to an RSA private key used with an existing X.509 certificate.
   These methods are described in “Step 1: Obtaining a Certificate that Uses a TPM-Protected
   Private Key” (page 41).
2. Determine the appropriate TPM OpenSSL engine library for your application. This step is
   described in “Step 2: Determining the TPM OpenSSL Engine File for an Application”
   (page 44).
3. Specify TPM engine information for the application. This step is described in “Step 2:
   Determining the TPM OpenSSL Engine File for an Application” (page 44).
4. Distribute and install the local node's X.509 certificate on peer nodes as required by the
   application. This step is described in “Step 4: Distributing the X.509 Certificate” (page 45).
Step 1: Obtaining a Certificate that Uses a TPM-Protected Private Key
There are two methods to obtain a certificate that uses a TPM-protected private key:
• Use the tpmcreate utility to create a TCS RSA key pair, then use the openssl utility with
  the TPM OpenSSL engine to create a certificate request. Have the CA sign the certificate as
  you would without TCS.
  This method requires you to use the OpenSSL version 0.9.8 or later of the openssl req
  command. There is no version requirement for the CA.
  The advantage of this method is that the RSA private key is generated by the TPM processor
  and encrypted by the TPM RK before leaving the TPM. The RSA private key never exists
  outside the TPM in unencrypted form.
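The following script is an added example, not part of this guide or of the TCS product: it checks the two requirements above that an administrator can verify from a shell (the openssl req version requirement and the listed key sizes) before running the certificate-request step of the first method. The engine id "tpm", the key reference passed with -key, and the tpmcreate invocation are assumptions; substitute the engine file chosen in Step 2.

```sh
#!/bin/sh
# Pre-flight checks and certificate request for a TCS (TPM-protected) RSA key.
# ASSUMPTIONS (not from the guide): engine id "tpm"; the key is referenced
# by an engine-format key file produced by tpmcreate.

# Return 0 if an "openssl version" string (e.g. "OpenSSL 0.9.8e 23 Feb 2007")
# is 0.9.8 or later; trailing letters such as "8e" or "2k-fips" are ignored.
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')      # "0.9.8e"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')  # "8e" -> "8"
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -gt 9 ] && return 0
    [ "$minor" -eq 9 ] && [ "$patch" -ge 8 ] && return 0
    return 1
}

# Return 0 only for the key sizes the guide lists for TCS-protected keys.
key_size_ok() {
    case "$1" in
        512|1024|2048) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a request with the TPM engine: the private key never leaves the
# TPM, so only an engine key reference is given, never a PEM private key.
# Usage: make_request <engine-key-ref> <subject> <out.csr>
make_request() {
    key_ref=$1; subj=$2; out=$3
    openssl_version_ok "$(openssl version)" || {
        echo "openssl req with a TCS key needs OpenSSL 0.9.8 or later" >&2
        return 1
    }
    openssl req -new -engine tpm -keyform engine -key "$key_ref" \
        -subj "$subj" -out "$out"
}

# Example invocation (only when run as a script with arguments):
#   sh tcs_req.sh tpmkey.blob "/CN=host.example.com" host.csr
if [ $# -ge 3 ]; then
    make_request "$1" "$2" "$3"
fi
```

The CSR produced this way is an ordinary PKCS#10 request, which is why the CA needs no TCS support.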
Configuring an OpenSSL Application to Use TCS Keys 41