-
Generally, the SCEP protocol is incompatible with RSA attestation keys stored in a TPM. That's because these keys are signing keys only; however, the issued certificate is sent to the client in a PKCS#7 container that's encrypted with the client's public key. While newer iterations of SCEP provide a mechanism to issue certificates with keys that are not "encryption capable" (like ECDSA; the encryption is then done with the challenge password), I don't know if SCEP servers actually support this and would consider the keyEncipherment flag in the keyUsage extension of the self-signed certificate in the request for RSA keys (RSA is explicitly listed as a key type that's "encryption capable" in the RFC; the keyUsage flags are not mentioned in that section). On the other hand, the EST protocol does support using attestation keys stored in a TPM. The
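A check for the keyUsage point made in the reply above, added here as an example and not code from the discussion or from strongSwan: it walks the DER of an X.509 keyUsage extension and reports whether keyEncipherment is asserted, using two hand-constructed extension encodings (one for an RSA signing+encryption key, one for a signing-only TPM attestation key).

```python
# Added example, not from the discussion: minimal DER walker that reads the
# keyUsage bits of an X.509 extension, to check whether the self-signed cert
# in a SCEP request asserts keyEncipherment (classic SCEP encrypts the issued
# certificate to that key). Sample extension bytes are hand-constructed.

KEY_USAGE_OID = bytes.fromhex("551d0f")  # OID 2.5.29.15, id-ce-keyUsage
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_usage_from_extension(ext_der):
    """Return the set of keyUsage flag names asserted by a DER Extension."""
    tag, body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = _read_tlv(value, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, payload = bits[0], bits[1:]  # first byte = count of unused bits
    total_bits = len(payload) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if payload[i // 8] & (0x80 >> (i % 8))}

def scep_can_encrypt_to(flags):
    """Classic SCEP wraps the issued cert in PKCS#7 encrypted to the requester's
    key, so the key must be marked keyEncipherment; a TPM AK is signing-only."""
    return "keyEncipherment" in flags

# Constructed samples: RSA key marked signing+encryption vs. signing-only TPM AK.
RSA_SIGN_ENC = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
TPM_AK_SIGN_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020780")
```

Feed it the DER of the keyUsage extension pulled from the request's self-signed certificate; a signing-only result means the classic SCEP response cannot be wrapped for that key.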
-
Hi,
I have a TPM 2.0 device and have an attestation key persistent at some handle (for instance, 0x81010002). I am able to generate a certificate signing request (CSR) and even able to sign the request manually at the attestation server.
Is it possible to perform that operation using strongSwan's SCEP client (pki --scep)?
At first glance of the documentation it appears not, and that you must have the RSA private key file.
But maybe there is some way to work around this requirement, or maybe have it as a new feature?
Thank You and Best Regards!