Trusted Platform Module (TPM) Support
A Trusted Platform Module (TPM) is a specialized piece of hardware designed to securely store sensitive information such as certificates and perform cryptographic operations. TPMs can be accessed through the CertMgr component. Currently this functionality is only available on Windows. This guide provides simple instructions to use TPM functionality with the CertMgr component.
Overview
To enable TPM support set the KSP configuration setting to "Microsoft Platform Crypto Provider". Optionally set TSPMigrationPassword and CertKeyType as needed for your specific use.
When TPM is enabled, only RSA and ECDSA (ECDSA_P256, ECDSA_P384, ECDSA_P521) algorithms are supported. When creating ECDSA certificates the CertPublicKeyAlgorithm defines the specific ECDSA algorithm used.
TPMMigrationPassword
The TPMMigrationPassword configuration setting can be set before calling the CreateKey, CreateCertificate, and ImportCertificate methods. By default, the value is an empty string. It is important to note that if this configuration setting is set, the private key in TPM can be exported with the correct password later. If this configuration setting is not set, the private key in TPM can never be exported.
CertKeyType
The CertKeyType setting can be used to specify the key type (encryption or digital signature) when calling CreateCertificate or CreateKey. The table below summarizes the supported options depending on the operation and selected algorithm.
| Operation | Algorithm | Supported KeyType Values |
|---|---|---|
| CreateCertificate | RSA (default) |
|
| CreateKey | RSA (default) |
|
| CreateCertificate | ECDSA (set via CertPublicKeyAlgorithm) |
|
| CreateKey | ECDSA (set via CertPublicKeyAlgorithm) |
|
Code Examples
Below are a few brief code examples demonstrating how to enable and use the TPM functionality in the CertMgr component.
Create Key (RSA)
Use the CertMgr component to generate cryptographic keys securely within the TPM.
using nsoftware.IPWorks;
class Program
{
static void Main(string[] args)
{
// Initialize CertMgr component
Certmgr certmgr = new Certmgr();
// Specify TPM integration parameters
certmgr.CertStoreType = CertStoreTypes.cstUser;
certmgr.CertStore = "MY";
certmgr.Config("KSP=Microsoft Platform Crypto Provider");
// Create key
string RSAKeyName = "ExampleKey";
certmgr.CreateKey(RSAKeyName);
// Other operations such as certificate import/export and key deletion can be performed similarly
}
}
Create Key (ECDSA)
Use the CertMgr component to generate cryptographic keys securely within the TPM.
using nsoftware.IPWorks;
class Program
{
static void Main(string[] args)
{
// Initialize CertMgr component
Certmgr certmgr = new Certmgr();
// Specify TPM integration parameters
certmgr.CertStoreType = CertStoreTypes.cstUser;
certmgr.CertStore = "MY";
certmgr.Config("KSP=Microsoft Platform Crypto Provider");
// Create key
certmgr.Config("CertPublicKeyAlgorithm=ECDSA_P256");
certmgr.Config("CertKeyType=2"); //digital signature
string ECDSAKeyName = "ExampleKey";
certmgr.CreateKey(ECDSAKeyName);
// Other operations such as certificate import/export and key deletion can be performed similarly
}
}
Create Certificate (RSA)
Utilize the CertMgr component to create digital certificates to store in the TPM.
using nsoftware.IPWorks;
class Program
{
static void Main(string[] args)
{
// Initialize CertMgr component
Certmgr certmgr = new Certmgr();
// Specify TPM integration parameters
certmgr.CertStoreType = CertStoreTypes.cstUser;
certmgr.CertStore = "MY";
certmgr.Config("KSP=Microsoft Platform Crypto Provider");
certmgr.CreateCertificate(rsaSubject, 23);
}
}
Create Certificate (ECDSA)
Utilize the CertMgr component to create digital certificates to store in the TPM.
using nsoftware.IPWorks;
class Program
{
static void Main(string[] args)
{
// Initialize CertMgr component
Certmgr certmgr = new Certmgr();
// Specify TPM integration parameters
certmgr.CertStoreType = CertStoreTypes.cstUser;
certmgr.CertStore = "MY";
certmgr.Config("KSP=Microsoft Platform Crypto Provider");
certmgr.Config("CertPublicKeyAlgorithm=ECDSA_P256");
certmgr.CreateCertificate(ecdsaSubject, 23);
}
}
Import Existing Certificate
Utilize the CertMgr component to import existing certificates to the TPM.
using nsoftware.IPWorks;
class Program
{
static void Main(string[] args)
{
// Initialize CertMgr component
Certmgr certmgr = new Certmgr();
// Specify TPM integration parameters
certmgr.CertStoreType = CertStoreTypes.cstUser;
certmgr.CertStore = "MY";
certmgr.Config("KSP=Microsoft Platform Crypto Provider");
// Import a certificate into the TPM
certmgr.ImportCertificate("certificate.pfx", "password", "subject");
}
}
Exporting a Certificate
Utilize the CertMgr component to export a certificate from the TPM. Note that the TPMMigrationPassword setting must be set at the time of creation/import in order to be exported later.
using nsoftware.IPWorks;
class Program
{
static void Main(string[] args)
{
// Initialize CertMgr component
Certmgr certmgr = new Certmgr();
// Specify TPM integration parameters
certmgr.CertStoreType = CertStoreTypes.cstUser;
certmgr.CertStore = "MY";
certmgr.Config("KSP=Microsoft Platform Crypto Provider");
certmgr.Config("TPMMigrationPassword=password");
certmgr.ExportPrivateKey = true;
// Select the certificate to export
certmgr.Cert = new Certificate(CertStoreTypes.cstUser, "MY", "", rsaSubject);
// Export the certificate
certmgr.ExportCertificate("certificate.pfx", "password");
}
}
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.