HP-UX Trusted Computing Services A.02.00 Administrator's Guide

# /opt/openssl/0.9.8/bin/openssl req -new -keyform engine -engine tpm \
-key myClientKeyblob -md5 -out myClient_csr.pem -outform PEM
engine "tpm" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
:
:
NOTE: Some applications, such as Stunnel, recommend that you create the certificate
with the common name (CN) attribute of the distinguished name (DN) set to the host's
fully-qualified domain name (FQDN).
The contents of the certificate request are the same as they would be for a request created
without using TCS.
4. Submit the certificate request to the CA and have the CA create and sign the certificate as
you would without TCS.
Wrapping an Existing Certificate Private Key with tpmcreate
To protect, or wrap, an existing certificate private key with TPM, use the -w option with the
tpmcreate utility. This enables you to add TPM security to an existing certificate. You can also
use this procedure to create a certificate with a TPM-protected private key if you do not have
OpenSSL version 0.9.8 installed.
To wrap an existing certificate private key with TPM, follow these steps:
1. Locate the RSA key pair used to create the certificate.
If you do not have an existing key pair and certificate, you can use the openssl genrsa
command to generate an RSA key pair. For example, the following command generates an
RSA key pair with a 2048-bit private key:
# openssl genrsa -out myServerkey.pem 2048
You can also generate an RSA key pair and a certificate request using the openssl req
command and omitting the -key specification.
2. Create or locate a certificate using the key pair.
For example, the following command creates a certificate request for the myServerkey.pem
key pair:
# openssl req -new -key myServerkey.pem -md5 -out myServer_csr.pem -outform PEM
Submit the certificate request to the CA and have the CA create and sign the certificate as
needed.
3. If the RSA key pair is passphrase protected, use the openssl rsa command to remove the
passphrase before protecting the private key with TPM. For example:
# openssl rsa -in mypriv.pem -out mypriv2.pem
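The following script is an added example and is not part of the HP-UX TCS guide. It carries steps 1 through 3 above through with a current OpenSSL (not the 0.9.8 release the guide refers to), sets the CSR's CN to the FQDN as the note on Stunnel recommends, and then runs the checks an administrator would want before handing the key to tpmcreate -w: the key loads without a passphrase, the CSR was built from that same key, and the CN is the expected host name. The tpmcreate -w step itself is HP-UX specific and is not reproduced. File names follow the guide; the working directory, the organization name in the subject, and the passphrase "secret" used to mirror a protected key are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the HP-UX TCS guide: prepare an existing RSA key
# and certificate request for tpmcreate -w. Requires the openssl command.
set -e

# Constructed: scratch directory for the generated files.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: generate the RSA key pair. The trailing number is the modulus size in bits.
gen_key() {
    openssl genrsa -out "$WORKDIR/myServerkey.pem" 2048 2>/dev/null
}

# Step 2: create the certificate request with CN set to the host's FQDN.
# The organization name is an assumed placeholder.
gen_csr() {
    fqdn="$1"
    openssl req -new -key "$WORKDIR/myServerkey.pem" \
        -subj "/O=Example Org/CN=$fqdn" \
        -out "$WORKDIR/myServer_csr.pem" -outform PEM 2>/dev/null
}

# Step 3: remove the passphrase, as in the guide's
# "openssl rsa -in mypriv.pem -out mypriv2.pem". The passphrase is supplied
# non-interactively here; run interactively, openssl prompts for it.
strip_passphrase() {
    # $1 = protected key, $2 = its passphrase, $3 = output file
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Check 1: the key carries no ENCRYPTED marker and loads with an empty passphrase.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" && openssl rsa -in "$1" -noout -passin pass: 2>/dev/null
}

# Check 2: the CSR's public key is the public half of this private key.
csr_matches_key() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the CSR subject's CN equals the expected FQDN.
csr_cn_is() {
    openssl req -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2\$"
}

# Full dry run: fresh key and CSR, then a passphrase-protected copy (constructed
# to mirror the input of step 3) that is stripped again and verified.
prepare_for_tpm() {
    fqdn="$1"
    gen_key
    gen_csr "$fqdn"
    openssl rsa -in "$WORKDIR/myServerkey.pem" -aes256 -passout pass:secret \
        -out "$WORKDIR/mypriv.pem" 2>/dev/null
    strip_passphrase "$WORKDIR/mypriv.pem" secret "$WORKDIR/mypriv2.pem"
    key_is_unencrypted "$WORKDIR/mypriv2.pem"
    csr_matches_key "$WORKDIR/mypriv2.pem" "$WORKDIR/myServer_csr.pem"
    csr_cn_is "$WORKDIR/myServer_csr.pem" "$fqdn"
    echo "ready for tpmcreate -w: $WORKDIR/mypriv2.pem"
}

prepare_for_tpm "${1:-server.example.com}"
```

Run it with the host's FQDN as the only argument; because the script uses set -e, it stops at the first check that fails rather than leaving a key that tpmcreate would reject or that does not belong to the certificate being protected.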
Step 1: Obtaining a Certificate that Uses a TPM-Protected Private Key 43