UPDATE 2022-04-13:
I've switched to putty-pkix [6] because I had issues with newer OpenSSH only allowing SHA256 signatures and pagaent not providing valid responses.
agent key RSA SHA256:L1iUIhjfKejEONe0TFU3TaWkNwE2O0xWF/09K7P8WnA returned incorrect signature type
Create a virtual smart card
Ensure the TPM is activated.Run:
tpm.msc
Start a Command Prompt as admin.
Create a Virtual Smart Card [1].
Run:
tpmvscmgr.exe create /name "[hostname] VSC" /pin prompt /adminkey random /generate
Enter PIN:
********
Confirm PIN:
********
Creating TPM Smart Card...
Initializing the Virtual Smart Card component...
Creating the Virtual Smart Card component...
Initializing the Virtual Smart Card Simulator...
Creating the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card Reader...
Creating the Virtual Smart Card Reader...
Waiting for TPM Smart Card Device...
Authenticating to the TPM Smart Card...
Generating filesystem on the TPM Smart Card...
TPM Smart Card created.
Smart Card Reader Device Instance ID = ROOT\SMARTCARDREADER\0000
Generate a signing request and have the request signed to obtain a certificate.
Create a request template in Notepad and save this as TPM-cert-template.inf [2].[NewRequest]
Subject = "CN=[hostname],O=[Organisation],L=[Location],ST=[State],C=[Country]"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
Then generate a Certificate Request (CSR):
certreq -new -f TPM-cert-template.inf TPM-cert.csr
Send the CSR to your CA and have it signed. You should get a certificate in return.
Install the certificate
Double click the received certificate file (most likely .crt or .cer).Click on the "Install certificate" button and follow the wizard.
When it's done, obtain the fingerprint of the certificate from the Details tab.
Configure OpenVPN to use the cryptoapi and certificate
Edit the OpenVPN profile.Instead of a "cert" and "key" configure "cryptoapicert" with your fingerprint:
cryptoapicert "THUMB:92 50 9d ea 52 f4 95 ee be a1 c0 4f ab f8 a2 2b 4d 91 0c 0a"
Save the profile and connect.
Enable SSH authentication with the Virtual SmartCard
Download and install puttywincrypt [3].Configure putty to use the certificate under Connection -> SSH -> Auth by entering [4]:
cert://*
Update: WinSCP
WinSCP turned out to work with the certificate through pageant when using "SCP" as protocol and checking the checkbox in SSH, Authentication "Attempt authentication using Pageant".
Update: Listing
wmic path win32_PnPEntity where "DeviceID like '%smartcardreader%'" get Caption,DeviceID
Update: Dell XPS 13
After updating my XPS 13's TPM firware to 2.0 I was no longer able to use the TPM certificate for authentication. Trying to revert back to firmware 1.2, that showed to be working before, failed with an error "Invalid source version". Contacting Dell did not help. They answerd my mails for support with links to online content that I had already found or was irrelevant and finally let me know "TPM is not supported by [Dell]. If the problem is not solved I advise you to contact Intel." Thanks to a post I've found on Reddit [5] I was finally able to revert back to version 1.2 and issue a new certificate.
Sources used
[1] https://technet.microsoft.com/en-us/library/dn579260.aspx[2] http://beaukey.blogspot.nl/2014/12/openvpn-using-tpm-to-secure-identities.html
[3] http://sourceforge.net/projects/puttywincrypt/
[4] http://sourceforge.net/p/puttywincrypt/wiki/README/
[5] https://www.reddit.com/r/Dell/comments/56a3wn/cant_downgrade_bios_xps_13_9350/
