
I have a requirement to secure AD machine-based certificates (.cert, .pem, .key files) using the TPM chip on an Ubuntu system.

The requirements are as follows:

The certificates that are downloaded from AD to a specific directory need to be encrypted or protected from user access.

1) Download certificates to the Ubuntu machine from Active Directory (using bridging tools such as Centrify)

2) Sign the certificate using a private key and store the private key on the TPM chip (libtpm OpenSSL engine, if available)

3) Configure WiFi/VPN with the signed certificate and key to establish connection

I need some insight into this topic. I am able to perform the first step without any issues. The challenge starts at the 2nd step, using the TPM on the Ubuntu machine.

No libengine-tpm-openssl package is currently available in the Ubuntu repository, and OpenSSL gives the following error when trying to use the libtpm engine:

```
139927887963808:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libtpm.so): /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libtpm.so: cannot open shared object file: No such file or directory
139927887963808:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139927887963808:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
139927887963808:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=tpm
139927887963808:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libtpm.so): libtpm.so: cannot open shared object file: No such file or directory
139927887963808:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139927887963808:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
```

Also, even if I am able to complete the second step and store the keys in the TPM, is it possible for wpa_supplicant or the openconnect VPN client to read the key in order to establish a connection?

  • [openssl-tpm-engine](https://sourceforge.net/p/trousers/openssl_tpm_engine/ci/master/tree/) seems [abandoned and broken](https://mta.openssl.org/pipermail/openssl-users/2015-March/000679.html). Perhaps you could use [this recipe](https://wiki.archlinux.org/index.php/Trusted_Platform_Module) – user3159253 May 16 '16 at 14:20
  • You might want to look into the openssl engine [tpm2-tss-engine](https://github.com/tpm2-software/tpm2-tss-engine)? – MemAllox Jan 15 '21 at 22:47

0 Answers
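As an added example (not from the question, the commenters, or the tpm2-tss-engine project), the script below sketches steps 2 and 3 against a TPM 2.0 using the tpm2-tss-engine OpenSSL engine that the second comment points to. The libtpm engine in the question is the TrouSerS openssl_tpm_engine for TPM 1.2, and the error it prints means only that OpenSSL found no `libtpm.so` in its engines directory; the script makes that check explicit (`engine_so_present`), then creates a TPM-resident RSA key with `tpm2tss-genkey`, signs a CSR with it through `-engine tpm2tss -keyform engine`, and renders a wpa_supplicant EAP-TLS network block that loads the key via the engine. Assumptions: the tpm2tss engine and `tpm2tss-genkey` are installed and a TPM 2.0 resource manager is running; `engine=1`/`engine_id`/`key_id` are the wpa_supplicant settings for an OpenSSL-engine key, with `key_id` taken to be the TSS2 PEM path, which should be checked against the wpa_supplicant version in use; the directory, SSID, identity and hostname are made up.

```shell
#!/usr/bin/env bash
# Added example: TPM 2.0 key via tpm2-tss-engine for EAP-TLS/VPN client auth.
# Assumptions: tpm2tss-genkey and the tpm2tss engine .so are installed and a
# TPM 2.0 resource manager is reachable. Paths, SSID and identity are made up.

# Print the directory OpenSSL searches for dynamic engines.
# `openssl version -e` exists from OpenSSL 1.1.0; older builds fall back to
# $OPENSSL_ENGINES, which the 1.0.x dynamic loader also honours.
engine_dir() {
    local d
    d=$(openssl version -e 2>/dev/null | sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p')
    if [ -n "$d" ]; then
        printf '%s\n' "$d"
    elif [ -n "${OPENSSL_ENGINES:-}" ]; then
        printf '%s\n' "$OPENSSL_ENGINES"
    else
        return 1
    fi
}

# Return 0 if the engine's shared object is where OpenSSL will look for it:
# <id>.so (OpenSSL 1.1) or lib<id>.so (OpenSSL 1.0.x, as in the question's
# error). This is the check that explains the "dso not found" failure.
engine_so_present() {
    local id=$1 dir
    dir=$(engine_dir) || return 1
    [ -f "$dir/$id.so" ] || [ -f "$dir/lib$id.so" ]
}

# Return 0 only if OpenSSL can load *and* initialise the engine (-t), which
# for tpm2tss also requires a reachable TPM.
engine_usable() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl engine -t "$1" >/dev/null 2>&1
}

# Step 2: create an RSA key whose private half never leaves the TPM. The file
# is a "TSS2 PRIVATE KEY" PEM holding the TPM-wrapped blob; it is useless on
# any other machine, so leaking the file does not leak the key.
gen_tpm_key() {
    local keyfile=$1
    tpm2tss-genkey -a rsa -s 2048 "$keyfile"
}

# Step 2 continued: a CSR signed inside the TPM, to be submitted to the AD CA.
gen_csr() {
    local keyfile=$1 csr=$2 subj=$3
    openssl req -new -engine tpm2tss -keyform engine \
        -key "$keyfile" -subj "$subj" -out "$csr"
}

# Step 3: wpa_supplicant EAP-TLS block that loads the key through the engine
# (key_id = TSS2 PEM path is an assumption, see lead-in). The CA chain and the
# issued certificate stay ordinary PEM files.
render_wpa_conf() {
    local ssid=$1 identity=$2 ca=$3 cert=$4 keyfile=$5
    cat <<EOF
network={
    ssid="$ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$identity"
    ca_cert="$ca"
    client_cert="$cert"
    engine=1
    engine_id="tpm2tss"
    key_id="$keyfile"
}
EOF
}

# Run the procedure; the TPM-dependent steps are skipped when no usable engine
# is present so the script is safe to run on a machine without a TPM.
main() {
    local dir=/etc/wpa_supplicant/tpm
    if engine_usable tpm2tss; then
        mkdir -p "$dir" && chmod 700 "$dir"
        gen_tpm_key "$dir/host.tss2.pem"
        gen_csr "$dir/host.tss2.pem" "$dir/host.csr" "/CN=host01.corp.example"
        echo "submit $dir/host.csr to the AD CA and save the result as $dir/host.crt"
    elif engine_so_present tpm2tss; then
        echo "tpm2tss engine found in $(engine_dir) but failed to initialise: is the TPM/resource manager up?" >&2
    else
        echo "tpm2tss engine not found in $(engine_dir 2>/dev/null || echo '<unknown ENGINESDIR>'); install tpm2-tss-engine" >&2
    fi
    render_wpa_conf "CorpWiFi" "host01@corp.example" "$dir/ca.pem" "$dir/host.crt" "$dir/host.tss2.pem"
}

main "$@"
```

The point of the design is that nothing sensitive sits in the directory: the `.tss2.pem` file is only usable by this machine's TPM, so the "protect from user access" requirement reduces to ordinary file permissions on the certificate and CA files. For the VPN side, OpenConnect 8.0 and later can load a TSS2 PEM key directly with `--sslkey` (verify against your build); older versions would need the same engine route as wpa_supplicant.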