TPM and OpenVPN, an Eternal Golden Braid


This post explains how to use the Trusted Platform Module (TPM) with OpenVPN, using free or licensed TPM crypto libraries together with standard Windows and OpenVPN components. Free VPN with professional best-in-class identity protection!


A Virtual Private Network (VPN) is used to connect to the corporate or home network. It does two things: first it authenticates the identity of the person or computer that is trying to connect, and once that identity is trusted, it secures the connection to prevent eavesdropping on the information that is sent back and forth.

Well-known VPN equipment companies are Cisco and Juniper. 'Well known' also means expensive in equipment and client licenses. On the other hand, you get broad support for authentication methods and security features.
OpenVPN is an Open Source VPN server and client based on the OpenSSL cryptographic libraries and functions. OpenVPN supports Microsoft Certificate Store certificates ('cryptoapicert'). Usually the PKI application does not know or care where the Private Keys are stored. The actual path to the Private Key is handled by the TPM Cryptographic Service Provider (CSP).

Now a user can authenticate to an OpenVPN server with a Digital Certificate where the Private Key is protected by the TPM. To enhance security, the user must provide a PIN (or password) before the authentication is done. Using a single certificate provides multifactor authentication: the user must have a Digital Certificate and know the PIN (or password):

Lenovo-Client Security Solution (free)
Sony-Infineon Security Platform (free)
Wave EMBASSY Security Center (licensed)

By using a computer certificate and the OpenVPN service, a computer is always connected to the corporate intranet even when a user is not logged on! The TPM protects the computer identity with its cryptographic hardware. It is impossible to steal the identity and (mis-)use the stolen credential on a rogue computer.

UPDATE: easy method to create a certificate
The TPM software needs to generate cryptographic keys and send the public key to a certificate server. On Windows clients the steps are:
  1. Create a Certificate Signing Request based on a configuration file
  2. Send the CSR to the certificate server and create a certificate
  3. Install the certificate in the Windows Certificate Store
  4. Configure OpenVPN client to use the Windows Certificate Store
Step 1:
Create an INF file like this on the PC:

[NewRequest]
Subject = ",CN=My User Name,OU=PKI department,O=Europe PKI,S
KeyLength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "{here the name of the CSP}"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
KeySpec = 1

Replace "{here the name of the CSP}" depending on the installed TPM software:

Lenovo CSS: "Thinkvantage Client Security Solution CSP"
Infineon Security Platform: "Infineon TPM Cryptographic Provider"
Wave: "Wave TCG enabled CSP"

Step 2: Create the CSR:
From the folder where the INF file is stored, issue the following command (MyCertCSR.inf stands for the name you gave the INF file in step 1):

C:\Temp> certreq -new -f MyCertCSR.inf MyCertCSR.csr

Step 3:
Copy the CSR file to the Certificate Server and create a certificate. Store the certificate file on the local computer.

Step 4:
Configure OpenVPN client to use your TPM certificate:

Check the certificate thumbprint:

C:\Temp> certutil -dump MyCertificate.crt | find /i "Cert Hash(sha1)"

Copy the thumbprint from the result and use it in the OVPN file.

Add/edit the next items in your OVPN file:

# Also place the Root CA cert in the OpenVPN config folder...
ca         ca.crt 
#  Use the certificate thumb to link the certificate to the OpenVPN configuration...
cryptoapicert "THUMB:22 96 83 97 4d cb 47 a2 81 a4 7b 6c e3 e4 aa c9 83 4f 89 41"

Note: these configurations have been tested on Vista, Windows 8, 8.1 and 10 (x86 and x64).
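
The Python below is an added example, not code from the original post: it turns the certutil "Cert Hash(sha1)" line into the cryptoapicert directive and checks an OVPN file for directives that would still load a private key from a file instead of the TPM-backed store certificate. The function names and the file-based sample config are assumptions made for the illustration; the thumbprint is the one shown above.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PAGE_THUMB = "22 96 83 97 4d cb 47 a2 81 a4 7b 6c e3 e4 aa c9 83 4f 89 41"  # from the page
FILE_BASED = "ca ca.crt\ncert client.crt\nkey client.key\n"  # constructed sample config

def cert_thumbprint(data: bytes) -> str:
    """SHA-1 over the DER bytes of a certificate supplied as DER or PEM."""
    m = PEM_RE.search(data)
    return hashlib.sha1(base64.b64decode(m.group(1)) if m else data).hexdigest()

def normalize_thumb(text: str) -> str:
    """Drop a 'Cert Hash(sha1):' or 'THUMB:' label and separators; return 40 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text.rsplit(":", 1)[-1])
    if len(digits) != 40:
        raise ValueError(f"expected 40 hex digits (SHA-1), got {len(digits)}")
    return digits.lower()

def cryptoapicert_line(thumb: str) -> str:
    """Format a thumbprint as the directive used in the OVPN file."""
    h = normalize_thumb(thumb)
    return 'cryptoapicert "THUMB:%s"' % " ".join(h[i:i + 2] for i in range(0, 40, 2))

def audit_ovpn(config: str, expected_thumb: str) -> list:
    """Report directives that bypass the certificate store or select another certificate."""
    want, findings, seen = normalize_thumb(expected_thumb), [], False
    for n, raw in enumerate(config.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#;":   # blank line or comment
            continue
        word, arg = parts[0], parts[1] if len(parts) > 1 else ""
        if word in ("key", "pkcs12", "<key>"):
            findings.append(f"line {n}: {word} reads a private key from a file")
        elif word == "cryptoapicert":
            seen = True
            sel = arg.strip().strip('"')
            got = re.sub(r"[^0-9a-f]", "", sel[6:].lower())
            if not sel.upper().startswith("THUMB:") or got != want:
                findings.append(f"line {n}: cryptoapicert does not select {want}")
    if not seen:
        findings.append("no cryptoapicert directive")
    return findings

if __name__ == "__main__":
    print(cryptoapicert_line("Cert Hash(sha1): " + PAGE_THUMB))
    print(audit_ovpn(FILE_BASED, PAGE_THUMB))
```

An empty result from audit_ovpn means the config pins exactly the expected store certificate and has no file-based private key left in it.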

Happy VPNing!


  1. How can I implement TPM on OpenVPN?

    1. Create a CSR from any TPM CSP or KSP, sign the CSR on your CA and import the certificate. For Windows' OpenVPN change the OVPN file from:

      ca ca.crt
      cert client.crt
      key client.key

      to:

      ca ca.crt
      cryptoapicert "THUMB:a6 f8 12 6f 50 0f 76 c0 26 a8 15 0c 63 05 17 59 f4 5c c0 46"

      Where the 'cryptoapicert' string is the Thumbprint of your certificate

  2. Would you have a suggestion how to determine the CSP provider name for my Dell XPS13?

    1. - Does your XPS13 have a TPM, is it switched on and available in the OS?
      - Check available (TPM) CSPs here: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider]

    2. Thanks for your reply, Beau!

      My XPS13 does have TPM and it's switched on (checked in tpm.msc).
      First guess looking in the Provider list in my registry was to try "Microsoft Base Smart Card Crypto Provider" as all the names were starting with "Microsoft" and this one seemed a possible candidate.

      And it's working now!

      I'm really glad to have stumbled upon your template file and the certreq command. This is the key information that I was missing from all other sources.

    3. Hi Beau and Chris,

      Could you please provide the link to download "Microsoft Base Smart Card Crypto Provider" and how to use it to generate the INF file?


  3. Hi,
    I found this solution, and I'd like to ask you is it working nowadays as well??

    1. Sure, but maybe use the Windows 10 built-in TPM Virtual Smartcard...?

