Tags: private-key, tpm, certutil

Does certutil's -csp "Microsoft Platform Crypto Provider" option store the private key in the TPM?


Do the certutil -csp "Microsoft Platform Crypto Provider" -importpfx options really store the private key in the TPM? I am wondering why the output of certutil -key -csp "Microsoft Platform Crypto Provider" shows me a location on the hard disk...

Microsoft Platform Crypto Provider:
Test-637559044681743771-7df36675-f51c-4067-9f6d-31ca33d290b7
C:\ProgramData\Microsoft\Crypto\PCPKSP\33b114867a192aae5b73a3a968437c129ab577a4\ec03c4aa087abc780c3ff6448624456b0d1bf68c.PCPKEY RSA


Solution

  • The private key is wrapped by a key in the TPM (usually the Storage Root Key) and saved to disk. The TPM has to unlock the private key, so it is still secured by the TPM.

    It is possible to store a few keys in the TPM, but that's not typical.
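The following is an added example (not part of the original question or answer) showing how to check for yourself, from PowerShell, that a key created under "Microsoft Platform Crypto Provider" is TPM-backed: the CNG key object reports the provider name, the export policy is None (the TPM never hands out the raw private key), and the file under PCPKSP is only the TPM-wrapped blob. It assumes Windows 10/11 with an enabled TPM and an elevated prompt (Get-Tpm needs it); the certificate subject is an arbitrary test value.

```powershell
# Added example, not from the original post. Creates a throwaway RSA key in the
# TPM key storage provider, inspects it through CNG, and cleans up afterwards.

# 1. Confirm a usable TPM is present (TrustedPlatformModule module).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "No usable TPM; the Platform Crypto Provider cannot create keys."
}

# 2. Create a self-signed test certificate whose key lives in the TPM KSP.
$cert = New-SelfSignedCertificate `
    -Subject "CN=PCP key check (test)" `
    -Provider "Microsoft Platform Crypto Provider" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 3. Look at the CNG key behind the certificate.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$key = $rsa.Key   # RSACng exposes the underlying CngKey

[pscustomobject]@{
    Provider     = $key.Provider.Provider   # expected: Microsoft Platform Crypto Provider
    ExportPolicy = $key.ExportPolicy        # expected: None
    UniqueName   = $key.UniqueName          # container name; matches the .PCPKEY file certutil -key lists
    IsMachineKey = $key.IsMachineKey
}

# 4. The on-disk object is the wrapped blob; exporting private parameters is refused.
try {
    $null = $rsa.ExportParameters($true)
    Write-Warning "Private parameters were exported; this key is NOT TPM-protected."
} catch {
    Write-Host "Export of private parameters refused, as expected: $($_.Exception.Message)"
}

# 5. Show the wrapped key file in the PCPKSP directory (path from certutil -key output).
if ($key.UniqueName) {
    Get-ChildItem "$env:ProgramData\Microsoft\Crypto\PCPKSP" -Recurse -Filter "*$($key.UniqueName)*" -ErrorAction SilentlyContinue |
        Select-Object FullName, Length
}

# 6. Remove the test certificate together with its TPM key.
Remove-Item -Path $cert.PSPath -DeleteKey
```

If step 4 ever succeeds, or the Provider field reads "Microsoft Software Key Storage Provider", the key was created in software and the .PCPKEY-style path is not protecting it; the same checks work on a key that certutil -importpfx created, by selecting that certificate from the store instead of creating a new one.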