TPM
David Woodhouse
dwmw2 at infradead.org
Wed Nov 30 11:41:48 EST 2011
On Wed, 2011-11-30 at 16:31 +0000, Tony Beets wrote:
> I was wondering if someone has some documentation / pointers on how to
> set up openconnect with certificates stored on the TPM chip.
You want the openssl_tpm_engine:
http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/openssl_tpm_engine;a=log;h=HEAD
See its README file:
http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/openssl_tpm_engine;a=blob;f=README;h=b0a18bd7387aef5283214116ed20ef715e32d64c;hb=HEAD
It comes with tools which create a key and/or load a key into the TPM.
I've used it in a mode where the key isn't actually stored in the TPM;
it's stored in an encrypted form and the TPM decrypts it.
You end up with a .pem file starting '-----BEGIN TSS KEY BLOB-----'
which openconnect should automatically recognise and use the TPM engine
for (assuming the TPM engine is installed correctly so that OpenSSL can
find it).
--
dwmw2
More information about the openconnect-devel mailing list
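The workflow David describes (wrap a key into a TPM blob with the openssl_tpm_engine tools, then let openconnect detect the resulting PEM) as an added shell example; this is not code from the original thread or from the openconnect project. It assumes `create_tpm_key` from openssl_tpm_engine is on PATH and accepts `-w <privkey.pem>` to wrap an existing software key and `-z` to use the well-known SRK secret, that `tcsd` is running, and that openconnect takes `-c <cert>` and `--sslkey <key>`. The `key_type` check is the one part that runs without a TPM: it classifies a PEM file by its first line, which is also how openconnect decides whether to route the key to the TPM engine.

```shell
#!/bin/sh
# Added example (not from the original post or the openconnect project):
# wrap an existing software RSA key into a TPM-sealed key blob with the
# openssl_tpm_engine tool, then point openconnect at the resulting PEM.
# Assumptions: create_tpm_key (from openssl_tpm_engine) is on PATH and
# accepts -w <privkey.pem> to wrap an existing key and -z to use the
# well-known (all-zero) SRK secret; tcsd is running; openconnect accepts
# -c <cert> and --sslkey <key>.
set -eu

# Classify a PEM file by its first line. A TSS KEY BLOB header means the
# private key only exists in TPM-wrapped form and openconnect will hand
# it to the OpenSSL tpm engine; anything else is a plain software key.
key_type() {
    first=$(head -n 1 "$1")
    case "$first" in
        '-----BEGIN TSS KEY BLOB-----')          echo tpm ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo software-encrypted ;;
        '-----BEGIN '*'PRIVATE KEY-----')        echo software ;;
        *)                                       echo unknown ;;
    esac
}

# Wrap the software private key $1 into a TPM key blob written to $2.
# The key material now only leaves the blob inside the TPM, which
# decrypts it under the SRK; the plain key file should be shredded.
wrap_key() {
    create_tpm_key -z -w "$1" "$2"   # assumed create_tpm_key syntax
    chmod 0600 "$2"
}

# Connect to $1 with certificate $2 and TPM key blob $3. openconnect
# recognises the TSS KEY BLOB header by itself, so no extra engine flag
# is needed as long as OpenSSL can find libtpm.so.
connect() {
    if [ "$(key_type "$3")" != tpm ]; then
        echo "refusing to connect: $3 is not a TSS KEY BLOB" >&2
        return 1
    fi
    openconnect -c "$2" --sslkey "$3" "$1"
}

if [ $# -eq 4 ]; then
    # usage: ./tpm-connect.sh vpn.example.com cert.pem softkey.pem tpmkey.pem
    wrap_key "$3" "$4"
    connect "$1" "$2" "$4"
fi
```

Run it once with the four arguments to produce the wrapped blob and connect; afterwards only the certificate and the `tpmkey.pem` blob need to stay on disk, and `key_type tpmkey.pem` printing `tpm` confirms the file is in the form openconnect expects.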