Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM).

Since Windows 8, it has been possible for private keys for certificates to be protected with a - if available - Trusted Platform Module (TPM). This ensures that the key is truly non-exportable.

The process for setting up a certificate template that uses a Trusted Platform module is described below.

The configuration of your certificate template described below to use the Microsoft Platform Crypto Provider is merely a default setting for the requesting client. The certification authority cannot guarantee that the applicant is actually using a trusted platform module. To achieve this level of security, the additional TPM Key Attestation be used.

Private key must not be configured as exportable

In the Request Handling tab, make sure that the Allow private key to be exported option is not enabled. The Microsoft Platform Crypto Provider does not support key export. If the option is enabled, certificate requests will fail (see the article "Requesting a Trusted Platform Module (TPM) protected certificate fails with error message "The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)"„).

Configuring the Key Storage Provider

In most cases, when you open the Cryptography tab, you will find that the Microsoft Platform Crypto Provider - is not available despite correct configuration of the compatibility settings of the certificate template. This is due to the fact that only key storage providers that are available and usable on the current system are displayed.

If the computer running the Certificate Template Management Console does not have a Trusted Platform module, it is not possible to select the corresponding KSP.

There are several ways around this problem:

Editing the pKIDefaultCSPs Attribute Using Windows PowerShell

The list of Key Storage Providers is stored in the LDAP object of the certificate template in the attribute pKDefaultCSPs. There it can be changed with Windows PowerShell (ActiveDirectory module).

The current value can be displayed with the following command:

Get-ADObject "CN=ADCSLaborUserTPM,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de" -Properties pKIDefaultCSPs

If the attribute is not displayed, this may be because it is empty by default, i.e. not defined.

The following two commands can be used to change the content of the attribute. The "Microsoft Platform Crypto Provider" must be configured:

$CSPs=@("1,Microsoft Platform Crypto Provider")
Set-ADObject "CN=ADCSLaborUserTPM,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de" -Replace @{pKIDefaultCSPs=$CSPs}

To check, you can ensure the change by querying the value again.

Please note that the pKIDefaultCSPs attribute can be overwritten by the certificate template management console. Therefore, after each change to the certificate template, it is necessary to check whether the attribute is set correctly again.

Editing the pKIDefaultCSPs attribute using ADSI Editor

The change is analogously also possible via the ADSI editor. The information can be found in the "Configuration" partition of the overall structure.

No certificates are requested if no TPM is present

No Certificate Enrollment is made on systems that do not have a Trusted Platform module. If these systems are also to be served with certificates, a software key storage provider can also be stored as a second entry.

See article "Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."„.

Related links:

External sources