machine cert into tpm
Hi, I would like to import an X.509 certificate into a TPM with Microsoft tools, either manually or with a domain-based enrollment mechanism. Until now I am only able to import a cert by using third-party tools like the TPM Professional Package from Infineon. If there is a Microsoft way, please give me a hint. Thanks in advance, t3
July 7th, 2012 9:05am

Twenty3,

In Windows, certificates are bound to keys managed in either CryptoAPI2 or CNG. This means that for you to have a certificate bound to a key in a TPM you need to have either a CNG provider, a Cryptographic Service Provider (CSP) or a smartcard minidriver. Windows 7 does not include these; Windows 8 does, see: http://www.youtube.com/watch?v=QmTpdZAC4_s

There are third-party products that will enable this scenario, however they cost money and are typically designed to be used as part of a larger solution (i.e. this is a small part of an overall solution and not available separately). The exceptions are packages that come with specific TPMs, like the Infineon solution you are using.

The interfaces necessary to create such providers are public, but I would not categorize such an activity as "easy"; it's definitely on the advanced end of the scale. Also, you very likely will not be able to "import" a key; you will be able to generate a new certificate request for a key generated in and managed by the TPM, and with this certificate request you will be able to get a certificate from a CA that you can use.

I should note that TPMs are very slow cryptographic processors and using one for the server side of a TLS negotiation has extremely limited value, see this post for some data: http://blog.habets.pp.se/2012/02/TPM-backed-SSL

One scenario involving TPMs and server SSL that is particularly valuable is to use it to encrypt the key at rest. When it is in use it is still reachable by an attacker if a vulnerability is found in the stack doing the SSL, but at rest (the most common place for a key to be attacked) it is pretty secure.

Either way this is an interesting scenario and I would encourage you to look at Windows 8 and the Virtual Smartcard to play around with it. I also believe (but am not positive) Windows 8 will include a TPM KSP.

Hope this helps you in your search,
Ryan Hurst, GlobalSign CTO
Ryan M. Hurst
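As an added illustration of the path Ryan describes (generate the key inside the TPM, then request a certificate from a CA), and not code from anyone in this thread: on Windows 8 / Server 2012 and later the TPM-backed KSP ships as "Microsoft Platform Crypto Provider", and certreq can be pointed at it through an INF file. The subject name, file paths and CA config string below are placeholders to replace.

```powershell
# Added example (not from the thread): request a machine certificate whose
# private key is generated inside the TPM through the Windows 8+ TPM KSP,
# "Microsoft Platform Crypto Provider". Run in an elevated PowerShell.
# Assumed/placeholder values: subject, output paths, CA config string.

$Provider = 'Microsoft Platform Crypto Provider'   # TPM-backed KSP (Windows 8 / Server 2012+)
$Subject  = 'CN=host01.example.internal'           # placeholder subject
$Inf      = "$env:TEMP\tpm-machine.inf"
$Req      = "$env:TEMP\tpm-machine.req"

# 1. Confirm the TPM KSP is registered before doing anything else. On Windows 7
#    this check fails, which matches the answer above: a third-party CSP/KSP is needed there.
$ksps = certutil -csplist 2>&1
if (-not ($ksps -match [regex]::Escape($Provider))) {
    throw "TPM KSP '$Provider' not present on this machine."
}

# 2. certreq INF: the provider generates the key, so it never exists outside
#    the TPM and cannot be exportable. Client-auth EKU is used rather than
#    server-auth, in line with the note above about TPMs being slow for TLS servers.
@"
[NewRequest]
Subject = "$Subject"
ProviderName = "$Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $Inf -Encoding ASCII

# 3. Generate the TPM key and the PKCS#10 request in the computer's store.
certreq -new -machine $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 4. Submit to an enterprise CA and install the issued certificate.
#    Placeholder config string: '<CA host>\<CA common name>'.
# certreq -submit -config 'ca01.example.internal\Example-Issuing-CA' $Req "$env:TEMP\tpm-machine.cer"
# certreq -accept -machine "$env:TEMP\tpm-machine.cer"

# 5. Verify the key really lives in the TPM: it must be listed by the TPM KSP,
#    and the installed certificate must report that provider.
certutil -csp $Provider -key
certutil -store My | Select-String -Pattern 'Provider|Subject'
```

Step 5 is the check worth keeping around: a certificate whose key was silently created by the default software KSP looks identical in the MMC snap-in, and only the provider name tells them apart.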
July 7th, 2012 4:23pm

Hi, as far as I know, Windows 7 doesn't have a built-in tool to provide a way to do it. You can just follow Ryan's suggestion.
July 9th, 2012 5:27am

Hi Ryan, thank you very much for this detailed answer!
July 9th, 2012 4:45pm
