Saturday, December 19, 2015

TPM authentication in OpenVPN and PuTTY SSH

With my new laptop I wanted to make sure my private keys could not leave the device. This is a brief summary of the steps I took to create a private key in the laptop's TPM (exposed to Windows as a virtual smart card) and use it to authenticate with OpenVPN and SSH.

Create a virtual smart card

Ensure the TPM is enabled and activated (tpm.msc shows its status).

Start a Command Prompt as admin.
Create a Virtual Smart Card [1]:
tpmvscmgr.exe create /name "[hostname] VSC" /pin prompt /adminkey random /generate

/pin prompt asks for the user PIN interactively. /adminkey random generates an admin key that is never displayed, so the PIN cannot be unblocked or reset later; use /adminkey prompt and keep that key somewhere safe if you want to retain that option. /generate initialises the card's filesystem.

Enter PIN:
Confirm PIN:
Creating TPM Smart Card...
Initializing the Virtual Smart Card component...
Creating the Virtual Smart Card component...
Initializing the Virtual Smart Card Simulator...
Creating the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card Reader...
Creating the Virtual Smart Card Reader...
Waiting for TPM Smart Card Device...
Authenticating to the TPM Smart Card...
Generating filesystem on the TPM Smart Card...
TPM Smart Card created.
Smart Card Reader Device Instance ID = ROOT\SMARTCARDREADER\0000

Generate a signing request and have the request signed to obtain a certificate.

Create a request template in Notepad and save it as TPM-cert-template.inf [2]. certreq expects the settings under a [NewRequest] section:
[NewRequest]
; Subject as you want it to appear on the certificate
Subject = "CN=[hostname],O=[Organisation],L=[Location],ST=[State],C=[Country]"
KeyLength = 2048
; The key pair is generated on the virtual smart card and can never be exported
Exportable = FALSE
; Strong private key protection: the CSP asks for the card PIN whenever the key is used
UserProtected = TRUE
; Per-user key, so the certificate belongs in the current user's store, not the machine's
MachineKeySet = FALSE
; The CSP that talks to the (virtual) smart card; ProviderType 1 is PROV_RSA_FULL
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
; 0x80 = digitalSignature, which is what TLS client authentication needs
KeyUsage = 0x80

Then generate a Certificate Signing Request (CSR); you will be asked for the card PIN because the key is generated on the card:
certreq -new -f TPM-cert-template.inf TPM-cert.csr

Send the CSR to your CA and have it signed. You should get a certificate in return. The CA's template decides the validity period and the extended key usage, so make sure it issues a certificate usable for TLS client authentication (clientAuth EKU) if your OpenVPN server enforces that.

Install the certificate

Double-click the received certificate file (most likely .crt or .cer).
Click the "Install Certificate..." button and follow the wizard, placing the certificate in the Personal store of the current user (the key was created with MachineKeySet = FALSE, so it belongs to your user, not to the machine).
Open the certificate again and check that the General tab says "You have a private key that corresponds to this certificate". If it does not, the issued certificate was not linked to the key on the card; certreq -accept TPM-cert.cer (the documented way to install a certificate for a pending request) or certutil -user -repairstore My "<thumbprint>" restores the association.

When it's done, copy the (SHA-1) thumbprint of the certificate from the Details tab.

Configure OpenVPN to use the cryptoapi and certificate

Edit the OpenVPN profile.
Replace the "cert" and "key" directives with "cryptoapicert" followed by your thumbprint (hex bytes; OpenVPN accepts either case, with or without the spaces):
cryptoapicert "THUMB:92 50 9d ea 52 f4 95 ee be a1 c0 4f ab f8 a2 2b 4d 91 0c 0a"

OpenVPN can also select the certificate by subject, e.g. cryptoapicert "SUBJ:[hostname]", which keeps working after the certificate is renewed. Because the key is user-protected, the smart card CSP shows a PIN prompt when OpenVPN signs the TLS handshake, so openvpn.exe has to run in your interactive session (as it does when started from the OpenVPN GUI), not as a service without a desktop.

Save the profile and connect.
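As an added example (not part of the original post), here is a PowerShell preflight script that checks the result of the steps above before touching the OpenVPN profile: it confirms a smart card reader is present, finds the installed certificate whose private key sits behind the smart card CSP named in the template, verifies the key usage and validity, and prints the thumbprint in the spaced form the cryptoapicert directive uses. It assumes Windows PowerShell 5.1, that the certificate was installed into the current user's Personal store, and that the subject CN is the hostname as in the certreq template; none of that is stated by the tools themselves.

```powershell
# Added example, not from the original post. Preflight for the TPM virtual
# smart card certificate described above.
# Assumptions (not requirements of the tools): Windows PowerShell 5.1, the
# certificate lives in Cert:\CurrentUser\My, and its subject CN is the hostname.

$ErrorActionPreference = 'Stop'
$ExpectedCN    = $env:COMPUTERNAME                        # assumption: CN=[hostname]
$SmartCardCsp  = 'Microsoft Base Smart Card Crypto Provider'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                      # id-kp-clientAuth

# 1. The VSC registers as an ordinary smart card reader. Same filter as the
#    wmic one-liner at the end of the post, via CIM.
$readers = Get-CimInstance Win32_PnPEntity -Filter "DeviceID LIKE '%SMARTCARDREADER%'"
if (-not $readers) { throw 'No smart card reader present; create the VSC with tpmvscmgr first.' }
$readers | ForEach-Object { "Reader: $($_.Caption)  [$($_.DeviceID)]" }

# 2. Newest certificate for our CN that has a private key. Reading .PrivateKey
#    opens the CSP key container; with the VSC present this does not ask for the
#    PIN (only a signing operation does).
$cnPattern = '^CN=' + [regex]::Escape($ExpectedCN) + '(,|$)'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $cnPattern } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$ExpectedCN in Cert:\CurrentUser\My" }

$key = $cert.PrivateKey                                    # RSACryptoServiceProvider for a CSP key
$csp = if ($key) { $key.CspKeyContainerInfo } else { $null }
if (-not $csp -or $csp.ProviderName -ne $SmartCardCsp) {
    throw "Private key is not behind '$SmartCardCsp' (got '$($csp.ProviderName)'); this is a software key."
}
"Key container '$($csp.KeyContainerName)' on '$($csp.ProviderName)' (hardware device: $($csp.HardwareDevice))"

# 3. KeyUsage = 0x80 in the template is digitalSignature. If the server runs
#    with 'remote-cert-tls client' it also wants clientAuth in the EKU.
$ds = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not $ku -or -not ($ku.KeyUsages -band $ds)) { throw 'Certificate lacks the digitalSignature key usage.' }

$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
    Write-Warning 'EKU present but without clientAuth; a server using "remote-cert-tls client" will reject this certificate.'
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 4. OpenVPN reads the SHA-1 thumbprint as hex bytes, case-insensitive and
#    optionally space separated; emit the spaced lower-case form used in the post.
$thumb = ($cert.Thumbprint -replace '(..)', '$1 ').Trim().ToLower()
"cryptoapicert `"THUMB:$thumb`""
```

Run it from a normal (non-elevated) PowerShell prompt as the user who created the key, since the key container is per-user. The last line is the one to paste into the OpenVPN profile; if the script throws at step 2, the certificate was installed without being linked to the card key and the certreq -accept / certutil -repairstore step above applies.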

Enable SSH authentication with the Virtual SmartCard

Download and install puttywincrypt [3].
Configure PuTTY to use the certificate under Connection -> SSH -> Auth by entering [4]:

Update: WinSCP

WinSCP turned out to work with the certificate through Pageant when using "SCP" as the protocol and ticking "Attempt authentication using Pageant" under SSH -> Authentication.

Update: Listing smart card readers
To list the (virtual) smart card readers present on the system, including the one tpmvscmgr created:
wmic path win32_PnPEntity where "DeviceID like '%smartcardreader%'" get Caption,DeviceID

Sources used