How to determine if a self-signed cert was placed in the TPM?

2.3k views Asked by At

Is there a way to determine if a Certificate is in the TPM?

I have a Self-Signed certificate in the visible in the MMC and am trying to determine if it is in the TPM. I don't see any indicators of this in details of the certificate. Where would i find this information?

This is on a Windows Server 2016 computer and from what I can tell uses TPM 2.0.

1

There are 1 answers

1
user2076574 On

So after a lengthy search of the internet I found this:

call "certutil -store my $certname" in the command prompt.

if the provider is "Microsoft Platform Crypto Provider" then the certificate is utilizing the TPM.

if it is "Microsoft Software Key Storage Provider" then it was generated using a software key provider and was not generated by the TPM.

There are a few other options but they are less common, see https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps under provider option for the full list.