Peter Djalaliev wrote:
> ...It seems that all private keys (thank you for the correction here) generated in the TPM never leave it, unless they are marked as migratable and are migrated to another TPM. The corresponding public keys can be exported
In support of your conclusion: the ProtectTools Certificate Viewer can export certificates as files; and, even when it considers the private key to be 'available', it greys out the option of exporting the private key along with the certificate. The TPM is like the Mafia: when you're in, you're in.
I think I remember reading that it is possible to transfer a certificate to another TPM, including the private key, but it requires some kind of handshake with the target TPM; you cannot export to a file whose destination is unspecified.
I am perplexed by something: the export-to-file wizard in ProtectTools offers the user several file formats: DER encoded binary X.509 (.cer), Base-64 encoded X.509 (.cer), Cryptographic Message Syntax Standard (.p7b), and PKCS#12 (.pfx). That last option, the PKCS#12 option, is always greyed out (unavailable); why? Might it be that .pfx requires that the private key be exported too?
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
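On the format question in the message above: of the four export formats listed, only PKCS#12 is a container designed to carry a private key alongside the certificate chain (DER and Base-64 .cer hold one bare certificate, .p7b holds a signed-data bundle of certificates). The following is an added example, my own code and not from the thread, ProtectTools or any TPM vendor, that tells the formats apart by their outer ASN.1/DER structure and flags whether a PKCS#12 blob contains a keyBag or pkcs8ShroudedKeyBag. The sample blobs are constructed placeholders with only the outer layers filled in, not real certificates or keys; the key-bag check is a heuristic that scans for the bag OIDs and only sees them when the authSafe holding them is not itself encrypted (the OpenSSL default puts the shrouded key bag in an unencrypted authSafe).

```python
"""Classify .cer (DER/PEM), .p7b and .pfx blobs by outer DER structure and
report whether a PKCS#12 carries a private-key bag.
Added example; all sample inputs below are constructed, not real."""
import base64
import re


def der(tag, content):
    """Wrap content in a DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def parse_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    tag = buf[off]
    ln = buf[off + 1]
    off += 2
    if ln & 0x80:                     # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + ln], off + ln


def children(content):
    """Split a constructed TLV's content into (tag, content) children."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = parse_tlv(content, off)
        out.append((tag, body))
    return out


OID_SIGNED_DATA = encode_oid("1.2.840.113549.1.7.2")        # PKCS#7 signedData
OID_PKCS7_DATA = encode_oid("1.2.840.113549.1.7.1")         # PKCS#7 data
OID_KEY_BAG = encode_oid("1.2.840.113549.1.12.10.1.1")      # PKCS#12 keyBag
OID_SHROUDED_KEY_BAG = encode_oid("1.2.840.113549.1.12.10.1.2")
OID_CERT_BAG = encode_oid("1.2.840.113549.1.12.10.1.3")


def to_der(blob):
    """Accept DER or Base-64 PEM armour and return DER bytes."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", blob))
    return blob


def classify(blob):
    """Return (kind, has_private_key) for a .cer/.p7b/.pfx blob."""
    data = to_der(blob)
    tag, content, _ = parse_tlv(data)
    if tag != 0x30:
        return ("unknown", False)
    kids = children(content)
    # ContentInfo ::= SEQUENCE { contentType OID, [0] content }
    if kids and kids[0][0] == 0x06 and der(0x06, kids[0][1]) == OID_SIGNED_DATA:
        return ("PKCS#7 signedData (.p7b)", False)
    # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData OPTIONAL }
    if len(kids) >= 2 and kids[0] == (0x02, b"\x03") and kids[1][0] == 0x30:
        # Heuristic: key bag OIDs are visible only in an unencrypted authSafe.
        has_key = OID_KEY_BAG in data or OID_SHROUDED_KEY_BAG in data
        return ("PKCS#12 (.pfx)", has_key)
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, sig BIT STRING }
    if [k[0] for k in kids] == [0x30, 0x30, 0x03]:
        return ("X.509 certificate (.cer)", False)
    return ("unknown", False)


# Constructed stand-ins: only the outer layers the classifier inspects are real.
SAMPLE_CER = der(0x30,
                 der(0x30, der(0x02, b"\x02"))                       # placeholder tbsCertificate
                 + der(0x30, encode_oid("1.2.840.113549.1.1.11"))   # sha256WithRSAEncryption
                 + der(0x03, b"\x00" + b"\x00" * 8))                 # placeholder signature
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_P7B = der(0x30, OID_SIGNED_DATA + der(0xA0, der(0x30, der(0x02, b"\x01"))))


def make_pfx(bag_oid):
    """Constructed PFX with one SafeBag of the given type in an unencrypted authSafe."""
    safe_bag = der(0x30, bag_oid + der(0xA0, der(0x30, b"")))
    safe_contents = der(0x30, safe_bag)
    auth_safe = der(0x30, OID_PKCS7_DATA + der(0xA0, der(0x04, safe_contents)))
    return der(0x30, der(0x02, b"\x03") + auth_safe)


SAMPLE_PFX_WITH_KEY = make_pfx(OID_SHROUDED_KEY_BAG)
SAMPLE_PFX_CERT_ONLY = make_pfx(OID_CERT_BAG)

if __name__ == "__main__":
    for name, blob in [("cer", SAMPLE_CER), ("pem", SAMPLE_PEM), ("p7b", SAMPLE_P7B),
                       ("pfx+key", SAMPLE_PFX_WITH_KEY), ("pfx cert-only", SAMPLE_PFX_CERT_ONLY)]:
        print(name, classify(blob))
```

Run against a real file with `classify(open(path, "rb").read())`; a PFX whose key bag sits in an encryptedData authSafe will report no key even when one is present, which is why the check is labelled heuristic.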