4

I want to store OpenVPN client certificates on our laptops secured by my TPM, so that the certificate can't be stolen/extracted from the laptop even with admin rights.

Microsoft offers "Virtual Smartcards" that use the TPM. I should be able to access them via PKCS11 from the OpenVPN client.config. There are CAPI to PKCS11 libraries/adapters.

I can create a virtual smart card reader using this command:

tpmvscmgr.exe create /name OpenVPN1 /pin prompt /pinpolicy minlen 4 maxlen 8 /adminkey random /generate

This works. However now I need a way to actually generate a public/private key and certificate signing request, that I can sign on my openssl CA.

However Microsoft in their tutorial wants you to connect the computer to a domain with a domain controller. And create a "certificate template" on the domain controller. I don't want/need this. I am not using the Microsoft CA. I have a separate openssl CA.

Is there a way to create a public/private key pair without joining the laptop to a domain?

user643011
  • 2,618

1 Answer

3

So to answer my own question:

I didn't find a way to create a keypair on the smartcard directly. But you can import one. And it will be locked in the Virtual Smartcard from that point on (keys will be neverExtract).

First create the smartcard (reader) as per the question with tpmvscmgr.exe create /name OpenVPN1 /pin prompt /pinpolicy minlen 4 maxlen 8 /adminkey random /generate as Admin.

Now certutil -scinfo will show the virtual reader, but will fail showing the certificate, because there is none yet.

In order to proceed you need a combined pkcs12 file. You can create your client keypair off TPM and sign it as usual by your CA, e.g. with openssl. If you have the resulting files as separate .key and .crt you may combine them with OpenSSL using e.g. "C:\Program Files\OpenSSL-Win64\bin\openssl" pkcs12 -export -out client.pfx -inkey client.key -in client.crt

Be sure to securely wipe those files off your storage once you have them imported into your Virtual Smartcard.

Then you can import it into the Virtual Smartcard with certutil. Run certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx client.pfx Be aware that the order of arguments matters: -importpfx has to be provided last.

Now certutil -scinfo will show the certificate.

PS: OpenVPN for Windows is by default compiled without PKCS11 support. But it works directly with CAPI.

Remove cert client.crt and key client.key and instead provide cryptoapicert "THUMB:371f180ba80234845a93b116ea02e5222dffad1e" in your OpenVPN client.conf. Where 371f180ba80234845a93b116ea02e5222dffad1e should be replaced with the fingerprint of your own client certificate. You find your certificate fingerprint in the output of certutil -scinfo after Cert:.

Unfortunately Microsoft's Virtual Smartcard does not support RSA-PSS yet which is required for TLS 1.3 and used by recent OpenVPN with TLS 1.2 too. OpenVPN currently does not detect that it is not available and fails ( https://community.openvpn.net/openvpn/ticket/1296 ) when trying to use it. If this is still unpatched by either MS or OpenVPN you have to use an older OpenVPN version 2.4.8 as a workaround.

ᄂ ᄀ
  • 4,187
user643011
  • 2,618
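The procedure from the answer above, scripted end to end in PowerShell. This is an added example and not code from the original post or from Microsoft/OpenVPN; it assumes an elevated prompt, OpenSSL for Windows installed at the path below, a client subject name of `laptop01.example.internal`, and that the CA files `ca.crt`/`ca.key` are reachable (in practice you carry the CSR to the CA host and bring the signed `client.crt` back). The `-p` password option of `certutil` and the `cipher /w:` free-space wipe are standard Windows tools; the scratch directory name and the OpenVPN config path are assumptions.

```powershell
# Added example: enroll a software-generated OpenVPN client key into a TPM virtual
# smart card and point OpenVPN at it via cryptoapicert. Run as Administrator.
$ErrorActionPreference = 'Stop'

$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumption: install path
$work    = Join-Path $env:TEMP 'vsc-enroll'                     # assumption: scratch dir
$cn      = 'laptop01.example.internal'                           # assumption: client subject
$vscName = 'OpenVPN1'                                            # name used in the answer
$ovpnCfg = Join-Path $env:USERPROFILE 'OpenVPN\config\client.ovpn'  # assumption

New-Item -ItemType Directory -Force -Path $work | Out-Null
Push-Location $work
try {
    # 1. Create the TPM-backed virtual smart card reader (prompts for the PIN).
    & tpmvscmgr.exe create /name $vscName /pin prompt /pinpolicy minlen 4 maxlen 8 /adminkey random /generate

    # 2. Key and CSR are generated in software, off the TPM, exactly as the answer
    #    describes. The key is only protected once imported and the file removed.
    & $openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=$cn"

    # 3. Sign with the private OpenSSL CA (shown inline; normally done on the CA host).
    & $openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out client.crt

    # 4. Bundle into PKCS#12 with a random export password so the .pfx is never
    #    unprotected at rest, even briefly.
    $rnd = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
    $pfxPass = [Convert]::ToBase64String($rnd)
    & $openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -passout "pass:$pfxPass"

    # 5. Import into the virtual smart card. As the answer notes, argument order
    #    matters: -importpfx must be the last option.
    & certutil -csp "Microsoft Base Smart Card Crypto Provider" -p $pfxPass -importpfx client.pfx

    # 6. SHA-1 thumbprint for cryptoapicert, taken from the certificate file. It is the
    #    same value certutil -scinfo prints after "Cert:". Output looks like
    #    "SHA1 Fingerprint=37:1F:..."; strip the label and the colons.
    $fp = (& $openssl x509 -in client.crt -noout -fingerprint -sha1)
    $fp = ($fp -replace '^.*=', '') -replace ':', ''
    $fp = $fp.ToLower()

    # 7. Replace "cert"/"key" lines in the OpenVPN client config with cryptoapicert.
    #    Remember the RSA-PSS caveat from the answer when choosing the OpenVPN version.
    $cfg = Get-Content $ovpnCfg | Where-Object { $_ -notmatch '^\s*(cert|key)\s' }
    $cfg += "cryptoapicert `"THUMB:$fp`""
    Set-Content -Path $ovpnCfg -Value $cfg

    # 8. Verify: the reader and the certificate should now be listed.
    & certutil -scinfo
}
finally {
    Pop-Location
    # 9. Remove the software copies of the key and the bundle. A plain delete does not
    #    overwrite data on SSDs; cipher /w: scrubs free space on the whole volume
    #    (slow), so prefer keeping the scratch dir on a BitLocker-protected volume.
    Remove-Item -Force -ErrorAction SilentlyContinue (Join-Path $work 'client.key'), (Join-Path $work 'client.pfx')
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue $work
    & cipher /w:$env:TEMP
}
```

If the import succeeds but OpenVPN later fails the TLS handshake, check the RSA-PSS ticket mentioned in the answer before suspecting the card: the key on the virtual smart card is marked non-exportable, so there is no way to fall back to file-based `cert`/`key` without re-enrolling.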