Using TPM keys

TPM key PEM and certificate generation

  1. Generate the TPM RSA PEM File:

    • Generate the necessary RSA PEM file for the TPM.

  2. Update the ESTC Client Binary:

    • Navigate to /home/demo/mocana/bin/estc/estc and update the ESTC client binary.

  3. Cleanup Keystore:

    • Remove unnecessary files from the Keystore:

      cd /home/demo/mocana/Keystore
      sudo rm -rf certs crls keys req
      
    • Ensure only the ca and etc folders remain.

  4. Re-run the Key/Certificate Request:

    • Navigate to /home/demo/mocana/setup and execute the script to regenerate the TPM key and certificate:

      ./estc.sh
      
    • This process connects with the EST server to generate the TPM Key and its corresponding certificate.

TPM RSA key location

  • The RSA key is stored at:

    /home/demo/mocana/Keystore/keys/webapptap.securitydemos.net_enrollrsa2048.pem
    

Certificate generated location

  • The generated certificate is stored at:

    /home/demo/mocana/Keystore/certs/webapptap.securitydemos.net_enrollmentrsa.der
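
The cleanup in step 3 and the post-enrollment check for step 4, as an added shell example that is not part of the original page: it refuses to delete anything unless the directory really is the keystore (a bare "cd dir" followed by "rm -rf" would run rm in whatever directory you happen to be in if the cd failed), confirms that only the ca and etc folders remain, and after ./estc.sh checks that the key PEM and certificate DER at the locations above exist, look like PEM and DER, and that the key file is not world-readable. The keystore path, layout and file names come from this page; the permission policy and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the keystore layout shown
# above (ca, etc, certs, crls, keys, req) and the key/cert file names shown
# above. Run it as the keystore owner, or via "sudo sh" as the page does.

KEYSTORE_DEFAULT="/home/demo/mocana/Keystore"
KEY_NAME="webapptap.securitydemos.net_enrollrsa2048.pem"
CERT_NAME="webapptap.securitydemos.net_enrollmentrsa.der"

# Step 3: remove generated material, never the CA or config folders.
# Refuses to act unless the directory has the ca/ and etc/ folders, so rm
# never runs against an unrelated directory.
reset_keystore() {
    ks="$1"
    [ -d "$ks/ca" ] && [ -d "$ks/etc" ] || {
        echo "refusing: $ks does not look like the keystore" >&2
        return 1
    }
    for d in certs crls keys req; do
        rm -rf "$ks/$d"
    done
    # Ensure only ca and etc remain (dot-entries included).
    for entry in "$ks"/* "$ks"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$(basename "$entry")" in
            ca|etc) ;;
            *) echo "unexpected entry left in keystore: $entry" >&2; return 1 ;;
        esac
    done
    return 0
}

# Step 4 follow-up: confirm ./estc.sh produced both artifacts.
# - the key must be a PEM file (only the BEGIN prefix is checked, because a
#   TPM-wrapped key may carry a vendor-specific PEM label)
# - the certificate must start with the DER SEQUENCE tag 0x30
# - the key file must not be readable by "other" (assumed policy)
check_enrollment() {
    ks="$1"
    key="$ks/keys/$KEY_NAME"
    cert="$ks/certs/$CERT_NAME"
    [ -s "$key" ]  || { echo "missing key: $key" >&2; return 1; }
    [ -s "$cert" ] || { echo "missing cert: $cert" >&2; return 1; }
    head -n 1 "$key" | grep -q '^-----BEGIN ' || {
        echo "key is not PEM: $key" >&2; return 1; }
    first_byte=$(od -An -tx1 -N1 "$cert" | tr -d ' ')
    [ "$first_byte" = "30" ] || {
        echo "cert is not DER (first byte $first_byte): $cert" >&2; return 1; }
    [ -z "$(find "$key" -perm -004)" ] || {
        echo "key is world-readable: $key" >&2; return 1; }
    return 0
}

# Usage: sh this_script.sh reset   -> step 3 cleanup on the real keystore
#        sh this_script.sh check   -> verify after ./estc.sh
case "${1:-}" in
    reset) reset_keystore "${2:-$KEYSTORE_DEFAULT}" ;;
    check) check_enrollment "${2:-$KEYSTORE_DEFAULT}" ;;
esac
```

Run "sh this_script.sh reset" before ./estc.sh and "sh this_script.sh check" after it; a second argument overrides the keystore path, and a non-zero exit means the step did not leave the keystore in the state the procedure expects.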
    

EVP test using TPM PEM

  1. Build with TAP Enabled:

    • Change to the engine test directory, which contains Makefile.evptest (refer to it for details):

      cd thirdparty/openssl-1.0.2i/engines/mocana/test
      
  2. Enable TAP Support:

    • Set the following flag to 1 to enable TAP. In Makefile.evptest it is declared with ?=, a default that an exported environment variable of the same name overrides:

      SECMOD_ACCEL_DEV ?= 1
      
  3. Build Command:

    • Use the following command to build:

      make -f Makefile.evptest clean all
      

Verifying/Testing TPM Key

  1. Run the Verification/Test:

    • Execute the binary to test the TPM Key:

      sudo moc_evp_rsa_dsa_ecdsa_test --p webapptap.securitydemos.net_enrollrsa2048.pem --s
      
    • Refer to the moc_evp_rsa_dsa_ecdsa_test.c source code for examples of TPM usage.