2

I am new to SSL certs and trying to understand: once the certificate is imported into the Certificate Store (in Windows), how do we associate the private key pair to the certificate? Is that by creating a pfx that would contain the certificate and private key and importing that pfx into the Certificate Store? We intend to use the TPM to store the private key (but not using it to generate the keypair). Is there a way to specify where the private key is to be stored (ie into the TPM)?

lee23

1 Answer

1

Is there a way to specify where the private key is to be stored (ie into the TPM)?

Not from GUI. You have to use command-line tool certutil:

certutil -csp "Microsoft Platform Crypto Provider" -importpfx path\ssl.pfx
Crypt32
  • Thank you. I will try this and give result hopefully next few days – lee23 Apr 19 '21 at 09:39
  • Would this solution 'just work' for WCF using Certificate authentication for Windows and Linux? – lee23 Apr 19 '21 at 23:53
  • I tried the suggested solution, but got CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED). Am running the command on Windows 10 with elevated privileges (as administrator) on a self-signed certificate – lee23 Apr 20 '21 at 01:16
  • I found that my generated pfx had a provider of "Microsoft Enhanced Cryptographic Provider v1.0" and when I changed that to "Microsoft Software Key Storage Provider" (via the -CSP option for openssl), then the answer @Crypt32 gave worked – lee23 Apr 21 '21 at 00:07
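
A pre-flight and post-import check around the answer's command, as an added PowerShell example that is not part of the original answer or comments: it reads the provider name recorded in the PFX (the comments report that "Microsoft Enhanced Cryptographic Provider v1.0" led to NTE_NOT_SUPPORTED), runs the import, then confirms that the stored key reports the TPM provider. The parameter names, the machine "My" store as import target and the `Provider = ` line format in certutil output are assumptions.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# $PfxPath and $PfxPassword are placeholder parameters (assumptions).
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $PfxPassword
)

$tpmProvider = 'Microsoft Platform Crypto Provider'

# Return the first "Provider = <name>" value found in certutil output, or $null.
function Get-ProviderName([string[]] $Lines) {
    $m = $Lines | Select-String -Pattern '^\s*Provider = (.+)$' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() }
}

# 1. Pre-flight: which provider did the tool that built the PFX record in it?
$recorded = Get-ProviderName (certutil -p $PfxPassword -dump $PfxPath)
Write-Host "Provider recorded in PFX: $recorded"
if ($recorded -eq 'Microsoft Enhanced Cryptographic Provider v1.0') {
    Write-Warning ('This is the provider name the comments report failing with ' +
        'NTE_NOT_SUPPORTED; re-export with "Microsoft Software Key Storage Provider".')
}

# 2. Import, asking for the key to be stored by the TPM-backed provider.
certutil -csp $tpmProvider -p $PfxPassword -importpfx $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }

# 3. Post-check: look the certificate up by thumbprint and read back its key provider.
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
$thumb  = (Get-PfxData -FilePath $PfxPath -Password $secure).EndEntityCertificates[0].Thumbprint
$stored = Get-ProviderName (certutil -store My $thumb)
if ($stored -ne $tpmProvider) {
    throw "Key for $thumb is held by '$stored', not '$tpmProvider'"
}
Write-Host "OK: private key for $thumb is held by $tpmProvider"
```

Passing the password with `-p` exposes it in the process command line, so run this only in a session where that is acceptable.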