
Add TPM 2.0 support for Windows CAPI certificate installations#623

Open
sabixx wants to merge 2 commits into Venafi:master from sabixx:feature/tpm-windows-capi

Conversation

@sabixx (Contributor) commented Jan 24, 2026

Summary

  • Add TPM 2.0 hardware-backed private key support for Windows CAPI installations
  • Private keys are generated and stored in the TPM chip, making them non-exportable
  • Certificates with TPM-backed keys work with Windows applications (IIS, SQL Server, etc.)

Features

  • New CSR origins: tpm (mandatory) and tpm_optional (fallback to software if TPM unavailable)
  • RSA keys supported (2048 bits guaranteed; larger sizes depend on TPM hardware, with optional legacyKeySize fallback)
  • ECDSA P-256 and P-384 curves supported
  • FriendlyName support for certificate lookup during renewal checks

Configuration Example

certificateTasks:
  - name: TPM Certificate
    request:
      csr: tpm              # or tpm_optional
      keyType: RSA
      keySize: 2048
      subject:
        commonName: server.example.com
      zone: 'vcert\Default'
      tpmConfig:
        legacyKeySize: false  # Set true to auto-fallback to 2048 if TPM doesn't support larger sizes
    installations:
      - format: CAPI
        capiLocation: LocalMachine\My
        capiFriendlyName: "TPM-Protected Certificate"

Constraints

  • Windows only (CAPI installation format required)
  • PKCS12/JKS/PEM installations not supported with TPM (keys cannot be exported)
  • ED25519 not supported by TPM 2.0

Test plan

  • Test csr: tpm with CAPI installation on Windows with TPM 2.0
  • Test csr: tpm_optional fallback on Windows without TPM
  • Test renewal respects renewBefore setting (FriendlyName lookup)
  • Verify error messages for unsupported configurations (PEM, PKCS12, JKS)
  • Test RSA 2048 and ECDSA P-256 key generation

  - Add new CSR origins: 'tpm' (mandatory) and 'tpm_optional' (fallback to software)
  - Use certtostore library for TPM-backed key generation via Windows CNG
  - Support RSA (2048-bit) and ECDSA (P-256, P-384) keys in TPM
  - Add tpmConfig.legacyKeySize option for automatic RSA key size fallback
  - Set FriendlyName after TPM enrollment to support renewBefore checks
  - Add documentation to README-PLAYBOOK.md and sample.tpm.yaml example
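The Configuration Example and Constraints sections above spell out a small set of rules: csr: tpm and csr: tpm_optional are the only TPM origins, tpm_optional may fall back to a software key when no TPM is present, only CAPI installations are allowed because a TPM-resident key cannot be exported, tpmConfig.legacyKeySize controls whether an RSA size the TPM cannot produce drops to 2048, and ED25519 is never available. The following Go program is an added example that is not part of this pull request or of vcert's own code; it encodes those rules as a validator so the behaviour can be checked against sample playbook tasks before a certificate is ever requested. The Task, TPMInfo and Plan types, the ResolveKeyPlan function, the "P-256"/"P-384" curve spelling, and the decision to reject ED25519 even on the software fallback path are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CSR origins introduced by the pull request.
const (
	CSRTPM         = "tpm"          // TPM mandatory
	CSRTPMOptional = "tpm_optional" // fall back to a software key if no TPM
)

// Task is a hypothetical, flattened view of one certificateTasks entry.
// Field names mirror the playbook keys, but this is not vcert's own type.
type Task struct {
	CSR            string   // request.csr
	KeyType        string   // request.keyType: RSA, ECDSA or ED25519
	KeySize        int      // request.keySize (RSA bits)
	Curve          string   // ECDSA curve, e.g. "P-256" (assumed spelling)
	LegacyKeySize  bool     // request.tpmConfig.legacyKeySize
	InstallFormats []string // installations[].format
}

// TPMInfo is a constructed stand-in for what the platform reports about its TPM.
type TPMInfo struct {
	Present    bool
	MaxRSABits int // largest RSA key the TPM can generate (2048 is the guaranteed floor)
}

// Plan is the resolved decision: where the key lives and how large it is.
type Plan struct {
	UseTPM  bool
	KeySize int
}

// ResolveKeyPlan enforces the constraints described in the PR text and
// returns the key placement a playbook run would use for the task.
func ResolveKeyPlan(t Task, tpm TPMInfo) (Plan, error) {
	if t.CSR != CSRTPM && t.CSR != CSRTPMOptional {
		return Plan{}, fmt.Errorf("csr %q is not a TPM origin", t.CSR)
	}
	// A TPM-resident key cannot be exported, so only CAPI installations are valid.
	if len(t.InstallFormats) == 0 {
		return Plan{}, errors.New("TPM origins require at least one CAPI installation")
	}
	for _, f := range t.InstallFormats {
		if !strings.EqualFold(f, "CAPI") {
			return Plan{}, fmt.Errorf("installation format %s is not supported with TPM: the key cannot be exported", f)
		}
	}
	keyType := strings.ToUpper(t.KeyType)
	// Assumption: ED25519 is rejected up front, even when the software
	// fallback would be taken, because the task asked for a TPM origin.
	if keyType == "ED25519" {
		return Plan{}, errors.New("ED25519 is not supported by TPM 2.0")
	}
	if !tpm.Present {
		if t.CSR == CSRTPM {
			return Plan{}, errors.New("csr: tpm requires a TPM 2.0 but none is available")
		}
		// tpm_optional: software key, requested size unchanged.
		return Plan{UseTPM: false, KeySize: t.KeySize}, nil
	}
	switch keyType {
	case "RSA":
		size := t.KeySize
		if size > tpm.MaxRSABits {
			if !t.LegacyKeySize {
				return Plan{}, fmt.Errorf("TPM cannot generate RSA-%d keys; set tpmConfig.legacyKeySize: true to fall back to 2048", size)
			}
			size = 2048 // legacyKeySize fallback described in the config example
		}
		return Plan{UseTPM: true, KeySize: size}, nil
	case "ECDSA":
		switch strings.ToUpper(t.Curve) {
		case "P-256", "P256":
			return Plan{UseTPM: true, KeySize: 256}, nil
		case "P-384", "P384":
			return Plan{UseTPM: true, KeySize: 384}, nil
		}
		return Plan{}, fmt.Errorf("ECDSA curve %q is not supported in the TPM (P-256 and P-384 only)", t.Curve)
	}
	return Plan{}, fmt.Errorf("unsupported keyType %q", t.KeyType)
}

func main() {
	// Constructed sample tasks run against a TPM that only offers RSA-2048.
	tpm := TPMInfo{Present: true, MaxRSABits: 2048}
	for _, task := range []Task{
		{CSR: "tpm", KeyType: "RSA", KeySize: 4096, LegacyKeySize: true, InstallFormats: []string{"CAPI"}},
		{CSR: "tpm", KeyType: "RSA", KeySize: 4096, InstallFormats: []string{"CAPI"}},
		{CSR: "tpm", KeyType: "RSA", KeySize: 2048, InstallFormats: []string{"CAPI", "PEM"}},
		{CSR: "tpm_optional", KeyType: "ECDSA", Curve: "P-256", InstallFormats: []string{"CAPI"}},
	} {
		p, err := ResolveKeyPlan(task, tpm)
		fmt.Printf("csr=%s keyType=%s -> %+v err=%v\n", task.CSR, task.KeyType, p, err)
	}
}
```

The validator is deliberately strict in the direction the PR's Constraints section points: any non-CAPI installation fails the whole task rather than silently producing an exportable copy of a key that was meant to stay in hardware, and an oversized RSA request fails unless the operator opted into the 2048-bit fallback, so the effective key strength is always a visible configuration choice.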
