Secure certificates using TPM in ubuntu

Asked by Vineeth

I have a requirement to secure AD machine-based certificates (.cert, .pem, .key files) using the TPM chip in the Ubuntu operating system.

The requirements are as follows:

The certificates that are downloaded from AD to a specific directory need to be encrypted or protected from user access.

1) Download certificates to Ubuntu machine from Active Directory (Using bridging tools such as centrify)
2) Sign the certificate using a private key and store the private key on the TPM chip (libtpm engine-openssl if available)
3) Configure WiFi/VPN with the signed certificate and key to establish connection

Need some insight on this topic. I am able to perform the first step without any issues. The challenge starts from the 2nd step, in using the TPM on the Ubuntu machine.

No libengine-tpm-openssl package is available currently in the Ubuntu repository. And openssl, while trying to use the libtpm engine, gives this error:

-------
139927887963808:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libtpm.so): /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libtpm.so: cannot open shared object file: No such file or directory
139927887963808:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139927887963808:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
139927887963808:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=tpm
139927887963808:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libtpm.so): libtpm.so: cannot open shared object file: No such file or directory
139927887963808:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139927887963808:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
---------

Also, even if I am able to complete the second step and store the keys in the TPM, is it possible to make the wpa_supplicant/openconnect VPN client read the key in order to establish a connection successfully?

Question information

Language: English
Status: Expired
For: Ubuntu
Launchpad Janitor (janitor) said:
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.