Hey Everyone, this is Wes Hammond with Premier Field Engineering, back to share what I have learned about protecting digital certificates using the Trusted Platform Module (TPM) in Windows desktops, laptops and servers. This is part one of a three-part series that will cover the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the Key Attestation feature included in Windows Server 2012 R2 and Windows 8.1.

So, getting on to part 1: Microsoft Platform Crypto Provider. Let's start off with: why should I use this? The answer is that using a Trusted Platform Module to protect private keys provides higher security assurances. It accomplishes this with the following:
Non-Exportability: The certificate template will only allow the Microsoft Platform Crypto Provider to be selected if the "Allow private key to be exported" option is not checked on the Request Handling tab. Thus, private keys protected by the TPM are not exportable.
Anti-Hammering: When used in conjunction with passwords or PINs, a TPM will lock out if a PIN or password is entered incorrectly too many times.
Key Isolation: Private keys protected by the TPM are never exposed to the operating system or malware. All private key operations are handled within the TPM.
For more information see the following related article:
TPM Fundamentals - http://technet.microsoft.com/en-us/library/jj889441.aspx
This article assumes the individual has a basic understanding of Microsoft PKI and its components.
Microsoft CA configuration:
*Note: The Microsoft Platform Crypto Provider only requires Windows 8 and Windows Server 2012. However, Windows 8.1 and Windows Server 2012 R2 are required for key attestation, which will be covered in part 3 of this series. So, for the sake of this exercise, I will be leveraging Windows 8.1 and Windows Server 2012 R2 for the client and CA server operating systems.
Certificate Template Configuration:
Issue End Entity Certificate
These next steps require a domain account with local administrator rights.
To verify the certificate, use the following command:
Certutil -csp "Microsoft Platform Crypto Provider" -key
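The certutil command above lists the keys the provider holds, but it does not tie them back to a particular certificate. The following PowerShell script is an added example (not from the original post) that does that from the other direction: it checks that a ready TPM is present, then walks the user's personal store and reports, for each certificate with a private key, which CNG provider holds the key and whether the key's export policy is "None" (what a TPM-protected key should show). It assumes Windows 8.1 / Server 2012 R2 or later (for the TrustedPlatformModule module and Get-Tpm) and .NET Framework 4.6 or later (for RSACertificateExtensions); the `$pcpName` variable and the output object layout are my own choices.

```powershell
# Added example, not part of the original post.
# Assumes: Windows 8.1 / Server 2012 R2+ (Get-Tpm), .NET 4.6+ (RSACertificateExtensions).
# Run as the user whose certificates you want to check (Cert:\CurrentUser\My).

# 1. Is there a usable TPM? Get-Tpm also exposes the anti-hammering (lockout) state.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "No ready TPM found; keys cannot be protected by the Platform Crypto Provider."
}
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  locked out: $($tpm.LockedOut)"

# 2. For each certificate with a private key, ask CNG which provider holds the key
#    and what its export policy is. A TPM-backed key shows the PCP as provider and
#    an ExportPolicy of None.
$pcpName = "Microsoft Platform Crypto Provider"   # assumed variable name, real provider name
$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) {
        # Not an RSA key (e.g. ECDSA); skip rather than guess at the provider.
        continue
    }
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        # Legacy CAPI (CSP) key: not a CNG key, so it cannot live in the PCP.
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            Provider     = "CAPI/CSP"
            ExportPolicy = "n/a"
            TpmBacked    = $false
        }
        continue
    }
    $key = $rsa.Key   # CngKey; its Provider.Provider string is the KSP name
    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        Provider     = $key.Provider.Provider
        ExportPolicy = $key.ExportPolicy      # expect 'None' for a TPM-protected key
        TpmBacked    = ($key.Provider.Provider -eq $pcpName)
    }
}
$results | Format-Table -AutoSize

# 3. Cross-check against the certutil listing used in the post.
certutil -csp $pcpName -key
```

The two views should agree: every certificate reported as TpmBacked should have a matching key in the certutil output, and a TPM-backed key whose ExportPolicy is anything other than None is worth investigating, because it means the template did not enforce the non-exportable setting the post relies on.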
TPM Platform Crypto-Provider Toolkit http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/default.aspx
Sorry, I don't get it. Why click, check, not checked, select, certutil and so on? Isn't this doable with PowerShell?
@MikeH I am not aware of any PowerShell Cmdlets that can directly manage certificate templates. A list of the available ADCS Cmdlets can be found here:
Does anyone know of a virtual host that will allow this to work on a Mac? Parallels 9.x doesn't virtualize the TPM. VirtualBox perhaps?
Do Macs have TPMs? I have looked at a few and I have never seen one that includes one. According to Wikipedia, Macs have not shipped with TPMs since 2006. Source: