
I plan to use the TPM to generate CSRs backed by a private key stored on the TPM. The CSRs will then be signed by an external HSM.

Since a certificate is tied to a particular private key, how do you support multiple users on the same laptop on the assumption that each user has a different certificate?

For example, can you have multiple private keys stored on the TPM? Each for a different user?

Dr. Lecter
  • I feel like the answer is going to depend a lot on which operating system and application layer you are using to interface with the TPM. For example you may get the user separation from the MS CAPI layer or the Apple Keychain layer, rather than the TPM layer since I'm sure the TPM has no concept of "users". – Mike Ounsworth Mar 12 '21 at 16:55
  • I think you can have different SRKs which can be loaded to the TPM, one per user. Each can wrap (=encrypt) child keys. – MemAllox Mar 22 '21 at 17:40
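As an added example (not from the question or its comments), here is a tpm2-tools script for a variant of the layout MemAllox's comment points at: one storage root key for the laptop, a separate signing key per user wrapped under it and bound to a per-user auth value, and a CSR built through the tpm2-openssl provider so the private key never leaves the TPM. The handle range 0x81010000+, the file names, the `-passin` handling of the key auth by tpm2-openssl, and the presence of tpm2-tools and OpenSSL 3 are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes tpm2-tools, openssl 3 with
# the tpm2-openssl provider, and a TPM on the default TCTI; handles are constructed.
set -eu

PERSIST_BASE=$((0x81010000))   # constructed persistent-handle range for user keys

# Map a user index (1..255) to a persistent handle in the reserved range.
user_handle() {
    idx=$1
    [ "$idx" -ge 1 ] && [ "$idx" -le 255 ] || { echo "bad user index: $idx" >&2; return 1; }
    printf '0x%08x\n' $((PERSIST_BASE + idx))
}

# One storage root key (SRK) for the device, in the owner hierarchy.
create_srk() {
    tpm2_createprimary -C o -G rsa2048 -g sha256 -c srk.ctx >/dev/null
}
# A separate signing key per user, wrapped by the SRK and persisted at its own
# handle. The TPM has no notion of users: the per-key auth value is what ties
# the key to a user, and the OS must release it only in that user's session.
provision_user_key() {
    user=$1; idx=$2; auth=$3
    handle=$(user_handle "$idx")
    tpm2_create -C srk.ctx -G rsa2048 -g sha256 \
        -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign" \
        -p "$auth" -u "$user.pub" -r "$user.priv" >/dev/null
    tpm2_load -C srk.ctx -u "$user.pub" -r "$user.priv" -c "$user.ctx" >/dev/null
    tpm2_evictcontrol -C o -c "$user.ctx" "$handle" >/dev/null
    echo "$handle"
}

# CSR for the user; the signature is produced inside the TPM, the key never leaves it.
make_csr() {
    user=$1; handle=$2; auth=$3
    openssl req -new -provider tpm2 -provider default \
        -key "handle:$handle" -passin "pass:$auth" -subj "/CN=$user" -out "$user.csr"
}

# Runs only where tpm2-tools are present (the functions above are still defined otherwise).
if command -v tpm2_createprimary >/dev/null 2>&1; then
    create_srk
    for entry in alice:1 bob:2; do
        user=${entry%:*}; idx=${entry#*:}
        auth=$(openssl rand -hex 16)   # per-user auth; keep it in that user's login keyring
        handle=$(provision_user_key "$user" "$idx" "$auth")
        make_csr "$user" "$handle" "$auth"
    done
fi
```

Each user's key is only usable with that user's auth value, so user separation comes from how the OS hands out the auth, as Mike Ounsworth's comment anticipates, not from the TPM itself.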
