Trusted Platform Module (TPM) Support

A Trusted Platform Module (TPM) is a specialized piece of hardware designed to securely store sensitive information such as certificates and perform cryptographic operations. TPMs can be accessed through the CertMgr component. Currently this functionality is only available on Windows. This guide provides simple instructions to use TPM functionality with the CertMgr component.

Overview

To enable TPM support set the KSP configuration setting to "Microsoft Platform Crypto Provider". Optionally set TSPMigrationPassword and CertKeyType as needed for your specific use.

When TPM is enabled, only RSA and ECDSA (ECDSA_P256, ECDSA_P384, ECDSA_P521) algorithms are supported. When creating ECDSA certificates the CertPublicKeyAlgorithm defines the specific ECDSA algorithm used.

TPMMigrationPassword

The TPMMigrationPassword configuration setting can be set before calling the CreateKey, CreateCertificate, and ImportCertificate methods. By default, the value is an empty string. It is important to note that if this configuration setting is set, the private key in TPM can be exported with the correct password later. If this configuration setting is not set, the private key in TPM can never be exported.

CertKeyType

The CertKeyType setting can be used to specify the key type (encryption or digital signature) when calling CreateCertificate or CreateKey. The table below summarizes the supported options depending on the operation and selected algorithm.

Operation Algorithm Supported KeyType Values
CreateCertificate RSA (default)
  • 1 (encryption)
  • 2 (digital signature)
CreateKey RSA (default)
  • 1 (encryption)
  • 2 (digital signature)
CreateCertificate ECDSA (set via CertPublicKeyAlgorithm)
  • 1 (encryption)
  • 2 (digital signature)
CreateKey ECDSA (set via CertPublicKeyAlgorithm)
  • 2 (digital signature)

Code Examples

Below are a few brief code examples demonstrating how to enable and use the TPM functionality in the CertMgr component.

Create Key (RSA)

Use the CertMgr component to generate cryptographic keys securely within the TPM.

using nsoftware.IPWorks; class Program { static void Main(string[] args) { // Initialize CertMgr component Certmgr certmgr = new Certmgr(); // Specify TPM integration parameters certmgr.CertStoreType = CertStoreTypes.cstUser; certmgr.CertStore = "MY"; certmgr.Config("KSP=Microsoft Platform Crypto Provider"); // Create key string RSAKeyName = "ExampleKey"; certmgr.CreateKey(RSAKeyName); // Other operations such as certificate import/export and key deletion can be performed similarly } }

Create Key (ECDSA)

Use the CertMgr component to generate cryptographic keys securely within the TPM.

using nsoftware.IPWorks; class Program { static void Main(string[] args) { // Initialize CertMgr component Certmgr certmgr = new Certmgr(); // Specify TPM integration parameters certmgr.CertStoreType = CertStoreTypes.cstUser; certmgr.CertStore = "MY"; certmgr.Config("KSP=Microsoft Platform Crypto Provider"); // Create key certmgr.Config("CertPublicKeyAlgorithm=ECDSA_P256"); certmgr.Config("CertKeyType=2"); //digital signature string ECDSAKeyName = "ExampleKey"; certmgr.CreateKey(ECDSAKeyName); // Other operations such as certificate import/export and key deletion can be performed similarly } }

Create Certificate (RSA)

Utilize the CertMgr component to create digital certificates to store in the TPM.

using nsoftware.IPWorks; class Program { static void Main(string[] args) { // Initialize CertMgr component Certmgr certmgr = new Certmgr(); // Specify TPM integration parameters certmgr.CertStoreType = CertStoreTypes.cstUser; certmgr.CertStore = "MY"; certmgr.Config("KSP=Microsoft Platform Crypto Provider"); certmgr.CreateCertificate(rsaSubject, 23); } }

Create Certificate (ECDSA)

Utilize the CertMgr component to create digital certificates to store in the TPM.

using nsoftware.IPWorks; class Program { static void Main(string[] args) { // Initialize CertMgr component Certmgr certmgr = new Certmgr(); // Specify TPM integration parameters certmgr.CertStoreType = CertStoreTypes.cstUser; certmgr.CertStore = "MY"; certmgr.Config("KSP=Microsoft Platform Crypto Provider"); certmgr.Config("CertPublicKeyAlgorithm=ECDSA_P256"); certmgr.CreateCertificate(ecdsaSubject, 23); } }

Import Existing Certificate

Utilize the CertMgr component to import existing certificates to the TPM.

using nsoftware.IPWorks; class Program { static void Main(string[] args) { // Initialize CertMgr component Certmgr certmgr = new Certmgr(); // Specify TPM integration parameters certmgr.CertStoreType = CertStoreTypes.cstUser; certmgr.CertStore = "MY"; certmgr.Config("KSP=Microsoft Platform Crypto Provider"); // Import a certificate into the TPM certmgr.ImportCertificate("certificate.pfx", "password", "subject"); } }

Exporting a Certificate

Utilize the CertMgr component to export a certificate from the TPM. Note that the TPMMigrationPassword setting must be set at the time of creation/import in order to be exported later.

using nsoftware.IPWorks; class Program { static void Main(string[] args) { // Initialize CertMgr component Certmgr certmgr = new Certmgr(); // Specify TPM integration parameters certmgr.CertStoreType = CertStoreTypes.cstUser; certmgr.CertStore = "MY"; certmgr.Config("KSP=Microsoft Platform Crypto Provider"); certmgr.Config("TPMMigrationPassword=password"); certmgr.ExportPrivateKey = true; // Select the certificate to export certmgr.Cert = new Certificate(CertStoreTypes.cstUser, "MY", "", rsaSubject); // Export the certificate certmgr.ExportCertificate("certificate.pfx", "password"); } }

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.