TPM and OpenVPN, an Eternal Golden Braid


This post explains how to use the Trusted Platform Module (TPM) with OpenVPN, using free or licensed TPM crypto libraries together with standard Windows and OpenVPN components. Free VPN with professional best-in-class identity protection!


A Virtual Private Network (VPN) is used to connect to the corporate or home network. It does two things. First it authenticates the identity of the person or computer that is trying to connect, and once that user is trusted, the connection is secured to prevent eavesdropping on the information that is sent back and forth.

Well known VPN equipment companies are Cisco and Juniper. 'Well known' also means expensive, both in equipment and in client licenses. In return you get broad support for authentication methods and security features.
OpenVPN is an Open Source VPN server and client built on the OpenSSL cryptographic libraries and functions. OpenVPN supports certificates from the Microsoft Certificate Store ('cryptoapicert'). Usually the PKI application neither knows nor cares where the Private Key is stored: the actual path to the Private Key is handled by the TPM Cryptographic Service Provider (CSP).

Now a user can authenticate to an OpenVPN server with a Digital Certificate whose Private Key is protected by the TPM. To enhance security, the user must provide a PIN (or password) before the authentication is done. Using a single certificate thus provides multifactor authentication: the user must have the Digital Certificate and know the PIN (or password). TPM software that provides such a CSP on Windows includes:

Lenovo-Client Security Solution (free)
Sony-Infineon Security Platform (free)
Wave EMBASSY Security Center (licensed)

By using a computer certificate and the OpenVPN service, a computer is always connected to the corporate intranet, even when no user is logged on! The TPM protects the computer identity with its cryptographic hardware. It is impossible to steal the identity and (mis-)use the stolen credential on a rogue computer.

UPDATE: easy method to create a certificate
The TPM software needs to generate the cryptographic keys and send the public key to a certificate server. On Windows clients the steps are:
  1. Create a Certificate Signing Request based on a configuration file
  2. Send the CSR to the certificate server and create a certificate
  3. Install the certificate in the Windows Certificate Store
  4. Configure OpenVPN client to use the Windows Certificate Store
Step 1:
Create an INF file like this on the PC (the [NewRequest] section header is required by certreq; lines starting with ';' are comments):

[NewRequest]
Subject = ",CN=My User Name,OU=PKI department,O=Europe PKI,S
Keylength = 2048
; Exportable = FALSE keeps the private key inside the TPM
Exportable = FALSE
; UserProtected = TRUE makes the CSP ask for the PIN (or password) before the key is used
UserProtected = TRUE
; MachineKeySet = FALSE creates a user key; use TRUE for a computer certificate
MachineKeySet = FALSE
ProviderName = "{here the name of the CSP}"
ProviderType = 1
RequestType = PKCS10
; 0x80 = digitalSignature
KeyUsage = 0x80
KeySpec = 1

Replace "{here the name of the CSP}" depending on the installed TPM software:

Lenovo CSS: "Thinkvantage Client Security Solution CSP"
Infineon Security Platform: "Infineon TPM Cryptographic Provider"
Wave: "Wave TCG enabled CSP"

Step 2: Create the CSR:
From the folder where the INF file is stored, issue the next command. certreq -new takes the INF file as input and writes the request file; the INF from step 1 is called MyCert.inf here:

C:\Temp\> certreq -new -f MyCert.inf MyCertCSR.csr

Step 3:
Copy the CSR file to the Certificate Server and have it issue a certificate. Store the certificate file on the local computer.

Step 4:
Configure OpenVPN client to use your TPM certificate:

Check the certificate thumb (SHA-1 thumbprint):

C:\Temp> certutil -dump MyCertificate.crt | find /i "Cert Hash(sha1)"

Copy the Thumb from the result and put it in the OVPN file.

Add/edit the next items in your OVPN file:

# Also place the Root CA cert in the OpenVPN config folder...
ca         ca.crt 
#  Use the certificate thumb to link the certificate to the OpenVPN configuration...
cryptoapicert "THUMB:22 96 83 97 4d cb 47 a2 81 a4 7b 6c e3 e4 aa c9 83 4f 89 41"
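As an added example, not part of the original post, the following PowerShell script takes the thumb printed by certutil, checks in the Windows Certificate Store that the private key behind that certificate is really held by one of the TPM CSPs named above and is non-exportable (the whole point of the setup), and prints the matching cryptoapicert line. It assumes Windows PowerShell 5.1 and a CAPI key (ProviderType = 1, as in the INF); the three CSP names are the ones listed in the post.

```powershell
# Added example (not from the original post): verify that a certificate's private
# key is TPM-backed and non-exportable, then emit the OpenVPN cryptoapicert line.
param(
    # Thumb as printed by certutil ("22 96 83 ..."); spaces or colons are tolerated.
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    # 'CurrentUser' for a user certificate, 'LocalMachine' for a computer certificate.
    [ValidateSet('CurrentUser', 'LocalMachine')] [string] $StoreLocation = 'CurrentUser'
)

# CSP names of the TPM software packages named in the post.
$TpmProviders = @(
    'Thinkvantage Client Security Solution CSP',   # Lenovo CSS
    'Infineon TPM Cryptographic Provider',          # Infineon Security Platform
    'Wave TCG enabled CSP'                          # Wave EMBASSY
)

# Normalise to the 40 hex digits the Cert: drive uses as the item name.
$hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hex.Length -ne 40) { throw "Expected a 40-digit SHA-1 thumbprint, got '$Thumbprint'" }

$cert = Get-Item -Path "Cert:\$StoreLocation\My\$hex" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $hex has no private key in this store" }

# For CAPI keys, PrivateKey exposes the CSP that owns the key container.
# Opening the container may trigger the CSP's PIN prompt (UserProtected = TRUE).
$key = $cert.PrivateKey
if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw "Key is not a CAPI RSA key (got $($key.GetType().Name)); check ProviderType in the INF"
}
$info       = $key.CspKeyContainerInfo
$provider   = $info.ProviderName
$exportable = $info.Exportable

Write-Host "Subject   : $($cert.Subject)"
Write-Host "Provider  : $provider"
Write-Host "Exportable: $exportable"

if ($TpmProviders -notcontains $provider) {
    Write-Warning "Key is held by '$provider', not by a known TPM CSP: a software key gives no hardware protection"
}
if ($exportable) {
    Write-Warning "Key is exportable; set Exportable = FALSE in the INF so the key cannot leave the TPM"
}

# OpenVPN takes the THUMB form with space-separated byte pairs, as in the OVPN fragment.
$pairs = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2).ToLower() }
"cryptoapicert `"THUMB:$($pairs -join ' ')`""
```

Run it as `.\Check-TpmCert.ps1 -Thumbprint "22 96 83 ..."` and paste the last output line into the OVPN file; a warning means the key is not actually protected by the TPM and the INF should be corrected before the certificate is trusted for VPN access.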

Note: these configurations have been tested on Vista, Windows 8, 8.1 and 10 (x86 and x64).

Happy VPNing!
