Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 1: Microsoft Platform Crypto Provider
First published on TECHNET on Jun 05, 2014
Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform module in Windows desktops, laptops and servers. This is part one of a three part series that will include the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the Key Attestation feature included in Windows Server 2012 R2 and Windows 8.1. So getting on to part 1: Microsoft Platform Crypto Provider. Let's start off with, why should I use this? The answer is, using a Trusted Platform Module to protect private keys provides higher security assurances. It accomplishes this with the following:
Non-Exportability: The certificate template will only allow the Microsoft Platform Crypto Provider to be selected if the "Allow private key to be exported" option is not checked in the request handling tab. Thus, private keys protected by the TPM are not exportable.
Anti-Hammering: When used in conjunction with passwords or PINs a TPM will lock out if a pin or password is entered incorrectly too many times.
Key Isolation: Private keys protected by the TPM are never exposed to the operating system or malware. All private key operations are handled within the TPM.
For more information see the following related article:
TPM Fundamentals - http://technet.microsoft.com/en-us/library/jj889441.aspx
Assumptions
This article assumes the individual has a basic understanding of Microsoft PKI and its components.
Microsoft CA configuration:
Requirements:
*Note: The Microsoft Platform Crypto Provider only requires Windows 8 and Windows Server 2012. However Windows 8.1 and Windows Server 2012 R2 are required for key attestation which will be covered in part 3 of this series. So for the sake of this exercise I will be leveraging Windows 8.1 and Windows Server 2012 R2 for the client and CA server operating systems
- A domain controller running Windows Server 2003 or later
- An enterprise certificate authority running Windows Server 2012 R2
- A desktop or laptop with a TPM, running Windows 8.1
Certificate Template Configuration:
- Open the Certificate Templates Console - certtmpl.msc
- Duplicate the certificate template of your choice. For this exercise we will use the Workstation Authentication template.
- On the Compatibility tab set the Certificate Authority to Windows Server 2012 R2 and Certificate recipient to Windows 8.1/Windows Server 2012 R2.
*Note: Windows 8.1 and Windows Server 2012 R2 are only required for key attestation. We will reuse this template in part 3 for this purpose. If your CA and client are Windows 8 and Windows Server 2012 you can still complete this exercise. If this is the case simply choose Windows 8/Windows Server 2012 in the compatibility settings.
- Click on the General Tab and give the template a name.
- Click on the Cryptography tab
- Change the Provider Category to Key Storage Provider
- Select Requests must use one of the following providers:
- Check the box for Microsoft Platform Crypto Provider. *Note: If this provider is not listed check the request handling tab and make sure the" Allow private key to be exported" option is not checked.
- This step is optional: Click on the Request Handling tab
- Check the option to Renew with the same key *Note: This option ensures the renewed certificate maintains the same assurance levels as that of the original request.
- Click Apply and OK.
- Open the Certificate Authority MMC - cert
- Right click on the Certificate Templates container and select new, certificate template to issue.
- Click on the certificate template you created and click OK.
Issue End Entity Certificate
These next steps require a domain account with local administrator rights.
- Log onto the desktop or laptop Windows 8.1
- Open the local computer certificate store - certlm.msc
- Right click the Personal container and select All Tasks, Request New Certificate
- Click Next on the Before You Begin screen
- Click Next on the Select Certificate Enrollment Policy screen
- Check the box for your new certificate template and click Enroll
- Select Finish
To verify the certificate use the following command
Certutil -csp "Microsoft Platform Crypto Provider" -key
Related Links
TPM Platform Crypto-Provider Toolkit
http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/default.aspx