Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 1: Microsoft Platform Crypto Provider

Hey Everyone, this is Wes Hammond with Premier Field Engineering, back to share what I have learned about protecting digital certificates using the Trusted Platform Module in Windows desktops, laptops and servers. This is part one of a three-part series covering the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the Key Attestation feature included in Windows Server 2012 R2 and Windows 8.1. So, on to part 1: Microsoft Platform Crypto Provider. Let's start off with: why should I use this? The answer is that using a Trusted Platform Module to protect private keys provides higher security assurances. It accomplishes this with the following:

Non-Exportability: The certificate template will only allow the Microsoft Platform Crypto Provider to be selected if the "Allow private key to be exported" option is not checked on the Request Handling tab. Thus, private keys protected by the TPM are not exportable.

Anti-Hammering: When used in conjunction with passwords or PINs, a TPM will lock out if a PIN or password is entered incorrectly too many times.

Key Isolation: Private keys protected by the TPM are never exposed to the operating system or to malware. All private key operations are handled within the TPM.

For more information see the following related article:

TPM Fundamentals - https://technet.microsoft.com/en-us/library/jj889441.aspx

Assumptions

This article assumes the individual has a basic understanding of Microsoft PKI and its components.


Microsoft CA configuration:

Requirements:

*Note: The Microsoft Platform Crypto Provider only requires Windows 8 and Windows Server 2012. However, Windows 8.1 and Windows Server 2012 R2 are required for key attestation, which will be covered in part 3 of this series. So for the sake of this exercise I will be using Windows 8.1 and Windows Server 2012 R2 for the client and CA server operating systems.

  • A domain controller running Windows Server 2003 or later
  • An enterprise certificate authority running Windows Server 2012 R2
  • A desktop or laptop with a TPM, running Windows 8.1

Certificate Template Configuration:

  • Open the Certificate Templates Console - certtmpl.msc

  • Duplicate the certificate template of your choice. For this exercise we will use the Workstation Authentication template.

  • On the Compatibility tab set the Certificate Authority to Windows Server 2012 R2 and Certificate recipient to Windows 8.1/Windows Server 2012 R2.

    *Note: Windows 8.1 and Windows Server 2012 R2 are only required for key attestation. We will reuse this template in part 3 for that purpose. If your CA and client are Windows Server 2012 and Windows 8 you can still complete this exercise; in that case simply choose Windows 8/Windows Server 2012 in the compatibility settings.

  • Click on the General Tab and give the template a name.

  • Click on the Cryptography tab

  • Change the Provider Category to Key Storage Provider

  • Select Requests must use one of the following providers:

  • Check the box for Microsoft Platform Crypto Provider. *Note: If this provider is not listed, check the Request Handling tab and make sure the "Allow private key to be exported" option is not checked.

  • This step is optional: Click on the Request Handling tab

  • Check the option to Renew with the same key. *Note: This option ensures the renewed certificate maintains the same assurance level as the original request.

  • Click Apply and OK.

  • Open the Certificate Authority MMC - cert

  • Right click on the Certificate Templates container and select New, Certificate Template to Issue.

  • Click on the certificate template you created and click OK.
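One of the comments below asks whether any of this can be done from PowerShell. There are no cmdlets that edit templates, but the settings made in the console above are written to a template object in Active Directory and can be read back from there. The script that follows is an added example, not part of the original post: it reads the template's pKIDefaultCSPs and msPKI-Private-Key-Flag attributes and reports whether the template really restricts requests to the Microsoft Platform Crypto Provider with a non-exportable key. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the forest Configuration partition, and it uses the placeholder template name TPMWorkstationAuth. The flag values are the ones documented in MS-CRTD.

```powershell
# Added example, not from the original post: read the template object back from
# Active Directory and report the Cryptography and Request Handling settings the
# steps above configure. Assumes the RSAT ActiveDirectory module is installed and
# the caller can read the forest Configuration partition. 'TPMWorkstationAuth' is
# a placeholder for the name you gave the template on the General tab.

param(
    [string]$TemplateName = 'TPMWorkstationAuth'
)

Import-Module ActiveDirectory

# Templates are stored in the Configuration partition, so the same object is
# seen by every enterprise CA in the forest.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(cn=$TemplateName)" `
    -Properties pKIDefaultCSPs, 'msPKI-Private-Key-Flag', 'msPKI-Template-Schema-Version'

if (-not $template) {
    throw "Template '$TemplateName' not found under $templatesDN"
}

# Bits of msPKI-Private-Key-Flag as documented in MS-CRTD.
$FLAG_EXPORTABLE_KEY           = 0x10   # "Allow private key to be exported"
$FLAG_REQUIRE_SAME_KEY_RENEWAL = 0x80   # "Renew with the same key"
$FLAG_USE_LEGACY_PROVIDER      = 0x100  # Provider Category = Legacy CSP (clear = Key Storage Provider)

$flags     = [int]$template.'msPKI-Private-Key-Flag'
$providers = @($template.pKIDefaultCSPs)   # entries look like "1,Microsoft Platform Crypto Provider"

# The TPM guarantees only hold if every permitted provider is the platform provider.
$platformOnly = ($providers.Count -gt 0) -and
    (($providers | Where-Object { $_ -notlike '*Microsoft Platform Crypto Provider*' }).Count -eq 0)

$report = [pscustomobject]@{
    Template             = $template.Name
    SchemaVersion        = $template.'msPKI-Template-Schema-Version'
    Providers            = ($providers -join '; ')
    KeyStorageProvider   = -not ($flags -band $FLAG_USE_LEGACY_PROVIDER)
    PlatformProviderOnly = $platformOnly
    PrivateKeyExportable = [bool]($flags -band $FLAG_EXPORTABLE_KEY)
    RenewWithSameKey     = [bool]($flags -band $FLAG_REQUIRE_SAME_KEY_RENEWAL)
}
$report

# Fail loudly if the template would let a request land outside the TPM.
if ($report.PrivateKeyExportable -or -not $report.PlatformProviderOnly) {
    Write-Warning "Template '$TemplateName' does not enforce TPM-protected, non-exportable keys."
}
```

Run it from any domain-joined machine with RSAT after saving the template; the expected result for the template built above is PrivateKeyExportable False, PlatformProviderOnly True and KeyStorageProvider True. Because the check reads the same AD object the CA enforces, it is a useful audit to repeat later: anyone with write access to the template who adds a software provider to the list or ticks the export box silently removes the TPM protection for every future enrollment.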

Issue End Entity Certificate

These next steps require a domain account with local administrator rights.

  • Log onto the Windows 8.1 desktop or laptop
  • Open the local computer certificate store - certlm.msc
  • Right click the Personal container and select All Tasks, Request New Certificate
  • Click Next on the Before You Begin screen
  • Click Next on the Select Certificate Enrollment Policy screen
  • Check the box for your new certificate template and click Enroll
  • Select Finish

To verify the certificate, use the following command:

Certutil -csp "Microsoft Platform Crypto Provider" -key
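The certutil command lists the keys held by the provider, but it does not tell you which certificate in the store each one belongs to. The script below is an added example, not part of the original post: it checks with Get-Tpm that the TPM is present and ready, then walks the local machine Personal store and reports, for every certificate with a private key, which provider holds the key and what its export policy is. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later (needed for the RSACertificateExtensions and ECDsaCertificateExtensions methods) and the TrustedPlatformModule module that ships with Windows 8.1; run it elevated so the machine keys can be opened.

```powershell
# Added example, not from the original post: on the enrolled Windows 8.1 client,
# confirm the TPM is usable and list which machine certificates have their
# private key held by the Microsoft Platform Crypto Provider. Assumes Windows
# PowerShell 5.1 with .NET Framework 4.6 or later and the built-in
# TrustedPlatformModule module. Run from an elevated prompt.

$PlatformProvider = 'Microsoft Platform Crypto Provider'

# 1. The provider is only useful if a TPM is present and provisioned.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable: Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
}

function Get-CngKeyForCertificate {
    # Returns the CngKey behind a certificate, or $null for legacy CSP keys and
    # keys this caller is not allowed to open.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key }
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) { return $ecdsa.Key }
    } catch {
        Write-Verbose "Cannot open key for $($Cert.Thumbprint): $_"
    }
    return $null
}

# 2. Walk the local machine Personal store and report where each key lives.
$report = Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $key = Get-CngKeyForCertificate -Cert $_
    [pscustomobject]@{
        Subject      = $_.Subject
        Thumbprint   = $_.Thumbprint
        Provider     = if ($key) { $key.Provider.Provider } else { '(legacy CSP or not openable)' }
        InTpm        = [bool]($key -and $key.Provider.Provider -eq $PlatformProvider)
        ExportPolicy = if ($key) { $key.ExportPolicy } else { 'n/a' }
    }
}
$report | Format-Table -AutoSize

# 3. The subset the certutil command above covers: keys held by the TPM provider.
#    Their ExportPolicy is None, which is the Non-Exportability property in practice.
$report | Where-Object InTpm
```

The certificate enrolled from the template should appear with Provider set to Microsoft Platform Crypto Provider, InTpm True and ExportPolicy None. A certificate that shows a software provider such as Microsoft Software Key Storage Provider was not enrolled through the TPM-restricted template (or the template was changed after the fact), and its private key does not get any of the three assurances listed at the top of this post.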

Related Links


TPM Platform Crypto-Provider Toolkit
https://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/default.aspx

Comments

  • Anonymous
    January 01, 2003
    @MikeH I am not aware of any PowerShell Cmdlets that can directly manage certificate templates. A list of the available ADCS Cmdlets can be found here: http://technet.microsoft.com/en-us/library/hh848365.aspx
  • Anonymous
    January 01, 2003
    Do Macs have TPMs? I have looked at a few and I have never seen one that includes one. According to Wikipedia, Macs have not shipped with TPMs since 2006. Source: http://en.wikipedia.org/wiki/Trusted_Platform_Module
  • Anonymous
    June 05, 2014
    Sorry, I don't get it. Why click, check, not checked, select, certutil and so on? Isn't this doable with PowerShell?
  • Anonymous
    August 14, 2014
    Does anyone know of a Virtual host that will allow this to work on a Mac? Parallels 9.x doesn't virtualize the TPM. Virtualbox perhaps?

  • Anonymous
    September 08, 2014
    Hey Everyone, I am back with the last part of this 3 of this series on TPM protected certificates. The
  • Anonymous
    April 30, 2015
    On the security of private keys – or do you still hide your front door key under the