
I am attempting to create a self-signed certificate with PowerShell and protect the private key with a TPM 2.0 module.

I can create a cert backed by the TPM with:

New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=Test Cert" -CertStoreLocation "Cert:\LocalMachine\My"

I can create a cert with P384 with:

New-SelfSignedCertificate -Subject "CN=Test Cert" -KeyAlgorithm ECDSA_P384 -HashAlgorithm SHA384 -CurveExport CurveName -CertStoreLocation "Cert:\LocalMachine\My"

But combining the two fails with "Provider not defined":

New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=Test Cert" -KeyAlgorithm ECDSA_P384 -HashAlgorithm SHA384 -CurveExport CurveName -CertStoreLocation "Cert:\LocalMachine\My"

At this point I am unsure whether this is a limitation of the MS provider, a limitation of the TPM module I have, or a result of the current Windows 10 configuration and therefore perhaps something I can address.

Can anyone offer any insight as to the root cause and perhaps a resolution?

Thanks

Tuco
  • What kind of TPM is it, is it maybe one before version 1.2? Because those only supported RSA if I remember correctly. – Maarten Bodewes Jul 24 '21 at 00:10
  • I believe you're trying to create a cert with an exportable private key using a CSP that does not permit exportable private keys. For example, review the cert created in your first example above (note: you cannot export its private key). Now, compare the cert created in your second example above (note: the private key can be exported). – leeharvey1 Jul 24 '21 at 14:09
  • Good suggestions - Yes, using TPM 2.0 - edited the question for clarity. Example #2 was really a syntax sanity check to make sure I could create a cert based on P384. Even if I adjust #3 and make it explicitly NonExportable, things still fail. Will keep digging. Thanks again for the suggestions. – Tuco Jul 26 '21 at 17:24
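As an added diagnostic (not code from the question or its comments), the PowerShell script below bypasses New-SelfSignedCertificate and asks the Microsoft Platform Crypto Provider directly, through the .NET CNG API, to create a key for each candidate algorithm, once non-exportable and once with AllowExport. That separates two things the question cannot tell apart: what the KSP and the TPM behind it will actually do, and how the cmdlet maps its parameters onto the provider. It also tests the export-policy hypothesis raised in the comments. It assumes Windows 10 with a TPM 2.0, Windows PowerShell 5.1 or PowerShell 7 on Windows; the key-name prefix, the algorithm list and the RSA length are this example's own choices.

```powershell
# Added diagnostic, not from the original post: probe which key algorithms the
# TPM-backed KSP will create, independently of New-SelfSignedCertificate.
# Assumes Windows 10 with a TPM 2.0 and the Platform Crypto Provider installed.
$providerName = 'Microsoft Platform Crypto Provider'
$pcp = New-Object System.Security.Cryptography.CngProvider($providerName)

# Algorithms to probe (example's own list). RSA needs an explicit Length
# property; the named ECDSA curves imply their key size.
$probes = @(
    @{ Name = 'RSA-2048';   Alg = [System.Security.Cryptography.CngAlgorithm]::Rsa;       Bits = 2048  },
    @{ Name = 'ECDSA_P256'; Alg = [System.Security.Cryptography.CngAlgorithm]::ECDsaP256; Bits = $null },
    @{ Name = 'ECDSA_P384'; Alg = [System.Security.Cryptography.CngAlgorithm]::ECDsaP384; Bits = $null },
    @{ Name = 'ECDSA_P521'; Alg = [System.Security.Cryptography.CngAlgorithm]::ECDsaP521; Bits = $null }
)

function Test-PcpKey {
    param(
        [System.Security.Cryptography.CngAlgorithm]$Alg,
        $Bits,
        [System.Security.Cryptography.CngExportPolicies]$Export
    )
    # Unique throw-away container name (prefix is arbitrary) so probes never collide.
    $keyName = 'pcp-probe-' + [guid]::NewGuid().ToString('N')

    $params = New-Object System.Security.Cryptography.CngKeyCreationParameters
    $params.Provider     = $pcp
    $params.ExportPolicy = $Export
    # User-scoped key so the probe runs without elevation. To mirror the
    # Cert:\LocalMachine case in the question, additionally set
    # $params.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
    # and run elevated.
    if ($Bits) {
        $lenProp = New-Object System.Security.Cryptography.CngProperty(
            'Length',
            [BitConverter]::GetBytes([int]$Bits),
            [System.Security.Cryptography.CngPropertyOptions]::None)
        $params.Parameters.Add($lenProp)
    }

    try {
        $key = [System.Security.Cryptography.CngKey]::Create($Alg, $keyName, $params)
        try {
            return 'OK   (' + $key.Algorithm.Algorithm + ', ' + $key.KeySize + ' bits)'
        }
        finally {
            # Delete() removes the container from the provider and disposes the
            # handle; never leave probe keys behind in the TPM.
            $key.Delete()
        }
    }
    catch {
        # The provider's CryptographicException is wrapped by PowerShell; report
        # the innermost message, which carries the NTE_* text.
        return 'FAIL (' + $_.Exception.GetBaseException().Message.Trim() + ')'
    }
}

# Run every algorithm twice: non-exportable, then with an exportable policy.
# A hardware-bound provider is expected to refuse AllowExport; an algorithm
# that fails even with export=None is not supported by this provider/TPM.
foreach ($p in $probes) {
    foreach ($policy in 'None', 'AllowExport') {
        $result = Test-PcpKey -Alg $p.Alg -Bits $p.Bits -Export $policy
        '{0,-11} export={1,-11} {2}' -f $p.Name, $policy, $result
    }
}
```

Read the table by row: if ECDSA_P384 reports OK with export=None but FAIL with export=AllowExport, the provider supports the curve and the cmdlet invocation needs -KeyExportPolicy NonExportable (and nothing else in the command may imply exportability); if it fails with both policies, the curve is unavailable in that TPM or provider build, and the question becomes one for the TPM vendor rather than the cmdlet. The built-in cross-check is certutil -csp "Microsoft Platform Crypto Provider" -csptest, which lists the algorithms the provider advertises, and Get-Tpm (elevated) confirms the TPM is present and ready before blaming the provider.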
