HP-UX Trusted Computing Services A.02.00 Administrator's Guide

“Obtaining a Certificate Using Keys Created with tpmcreate” (page 42) describes this
procedure.
Use an existing RSA key pair and security certificate or create an RSA key pair and security
certificate as you would without TCS, then use tpmcreate to protect the existing RSA
private key with TPM.
This method does not require a specific version of the openssl command and enables you
to use existing key pairs and certificates.
If the existing RSA private key is passphrase protected, you must remove the passphrase
before protecting it with TPM. From the time the passphrase is removed until tpmcreate
wraps the key, the private key file is stored in cleartext.
“Wrapping an Existing Certificate Private Key with tpmcreate” (page 43) describes this
procedure.
Obtaining a Certificate Using Keys Created with tpmcreate
To create a TCS RSA key pair using tpmcreate and obtain a certificate, follow these steps:
1. Install OpenSSL version 0.9.8 or later on your system if it is not already installed.
2. Use the tpmcreate utility to create a TCS RSA key pair. In most cases, you can use the
following syntax:
tpmcreate output_file
The output_file contains an RSA key pair with the private key component of the pair
encrypted by the TPM RK. The RSA key pair has the following characteristics:
Public exponent value: 65537 (this is the same as the default RSA public exponent used
by the openssl genpkey and genrsa commands).
Key length: 2048 bits. To specify an alternate key length, use the -k key_size option,
as described in tpmcreate(1).
Passphrase: None. If the key pair is used for a daemon, this enables you to start the
daemon without operator intervention. The private key is encrypted by the TCS Roaming
Key (RK).
To specify a passphrase, use the -a option. The tpmcreate utility attempts to use the
value of the TCS_PASS environment variable for the passphrase. If TCS_PASS is not
set, tpmcreate prompts you for the passphrase.
If you create a key pair with passphrase protection, the TPM engine requires the
passphrase when a process attempts to load the private key or perform cryptographic
functions with the private key. The TPM engine attempts to use the value of the
TCS_PASS environment variable for the passphrase. If TCS_PASS is not set, the engine
issues a prompt to the controlling terminal. If the value of TCS_PASS or the response
to the prompt is incorrect, the engine immediately terminates the process.
You can also specify options to save a copy of the public key to a separate file in SSHv2,
PEM, or DER format. For more information, see tpmcreate(1).
For example:
# tpmcreate myClientKeyblob
3. Use the openssl req command with the TPM engine to create a certificate request using
the TCS RSA key pair. To make openssl use the TPM engine, specify the following options:
-keyform engine -engine tpm
You must specify the full path to the 0.9.8 version of openssl if it is not the default version
for your system.
For example:
42 Using TCS RSA Keys with OpenSSL
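The three steps above (install OpenSSL 0.9.8 or later, create the key pair with tpmcreate, create the request with the TPM engine) combined into one non-interactive script. This is an added example, not code from the guide or from HP. It assumes that OPENSSL points at the 0.9.8 binary (which may not be the default path), that the tpmcreate output file is the key identifier the TPM engine accepts after -key, and that DRY_RUN=1 only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the HP guide). Assumptions: OPENSSL is the 0.9.8 binary,
# the keyblob path is what the TPM engine accepts as -key, DRY_RUN=1 only prints.
OPENSSL="${OPENSSL:-/usr/bin/openssl}"   # assumed path; point it at the 0.9.8 binary
DRY_RUN="${DRY_RUN:-0}"

# version_ge A B: succeed when version A is at least version B. Letter suffixes
# such as 0.9.8k are stripped so only the numeric components are compared.
version_ge() {
    set -- "$(printf '%s' "$1" | sed 's/[^0-9.].*$//')" \
           "$(printf '%s' "$2" | sed 's/[^0-9.].*$//')"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# openssl_version_ok: step 1, refuse an openssl older than 0.9.8.
openssl_version_ok() {
    v=$("$OPENSSL" version 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] && version_ge "$v" "0.9.8"
}

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tcs_make_csr KEYBLOB CSR SUBJECT [PASSPHRASE]
# Steps 2 and 3. When a passphrase is given, TCS_PASS is exported only inside a
# subshell, so neither tpmcreate nor the engine prompts and the value is never
# placed on a command line.
tcs_make_csr() {
    keyblob=$1; csr=$2; subject=$3; pass=$4
    if [ "$DRY_RUN" != 1 ] && ! openssl_version_ok; then
        echo "openssl at $OPENSSL is older than 0.9.8" >&2; return 1
    fi
    (
        umask 077                     # keyblob and CSR readable by the owner only
        if [ -n "$pass" ]; then TCS_PASS=$pass; export TCS_PASS; set -- -a; else set --; fi
        run tpmcreate "$@" "$keyblob" &&
        run "$OPENSSL" req -new -keyform engine -engine tpm \
            -key "$keyblob" -out "$csr" -subj "$subject"
    )
}
```

Run it with `DRY_RUN=1` first to review the exact tpmcreate and openssl command lines before touching the TPM.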