Does the certutil -csp "Microsoft Platform Crypto Provider" -importpfx option really store the private key in the TPM? I am wondering why the output of certutil -key -csp "Microsoft Platform Crypto Provider" shows me a location on the hard disk...
Microsoft Platform Crypto Provider:
Test-637559044681743771-7df36675-f51c-4067-9f6d-31ca33d290b7
C:\ProgramData\Microsoft\Crypto\PCPKSP\33b114867a192aae5b73a3a968437c129ab577a4\ec03c4aa087abc780c3ff6448624456b0d1bf68c.PCPKEY RSA
The private key is wrapped by a key in the TPM (usually the Storage Root Key) and saved to disk. The TPM has to unlock the private key, so it is still secured by the TPM.
It is possible to store a few keys in the TPM, but that's not typical.
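To check which provider holds a certificate's private key, as the answer above describes, here is an added example (not part of the original posts). The function name Get-CertKeyStorage and the store path Cert:\CurrentUser\My are assumptions; it handles RSA keys only, matching the key in the question.

```powershell
# Added example, not from the original posts.
# Reports which key storage provider backs each certificate's RSA private key.
$PlatformKsp = 'Microsoft Platform Crypto Provider'   # provider name from the question

function Get-CertKeyStorage {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'    # assumed store; adjust as needed
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $provider = $null; $uniqueName = $null; $exportPolicy = $null; $note = $null
            try {
                # Returns an RSACng object for CNG keys, $null for non-RSA keys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $note = 'no RSA private key (non-RSA algorithm)'
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider     = $rsa.Key.Provider.Provider   # KSP name string
                    $uniqueName   = $rsa.Key.UniqueName          # provider-specific key identifier
                    $exportPolicy = $rsa.Key.ExportPolicy
                } else {
                    $note = "not a CNG key: $($rsa.GetType().Name)"
                }
            } catch {
                # Key could not be opened (permissions, missing key file, TPM unavailable).
                $note = "key not accessible: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                Provider     = $provider
                PlatformKsp  = ($provider -eq $PlatformKsp)
                ExportPolicy = $exportPolicy
                UniqueName   = $uniqueName
                Note         = $note
            }
        }
}

Get-CertKeyStorage | Format-List
```

A row with PlatformKsp = True means the key was opened through the Microsoft Platform Crypto Provider, even though the key listing points at a .PCPKEY file on disk.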