[gnutls-help] Gnutls with TPM "Handshake failed"
nmav at gnutls.org
Thu Mar 14 15:28:07 CET 2013
On 03/14/2013 12:22 PM, Florian Klickermann wrote:
> Hi all, and first excuse me to be totally beginner about gnutls .I'm trying
> to create certificates with the TPM and connect to a server.
> I use a BeagleboardxM, TPM 1.2 with a Debian, 3.7 Kernel and gnutls-3.1.1.
> I've create the following keys and certificates (pubkey, ca-cert, ca-key,
> $ tpmtool --generate-rsa --bits 2048 --register --user
> $ tpmtool --pubkey
Up to this point you have a public and private key pair, and the private
key is stored in the TPM.
> $ certtool --generate-privkey --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile
What are you actually trying to do here? That command doesn't make
sense. If you want to generate a private key, why do you load the TPM
> $ certtool --generate-certificate --outfile cert.pem --load-privkey
> --load-pubkey pubkey.pem --load-ca-certificate ca-cert.pem
> --load-ca-privkey ca-key.pem
That last command would generate a certificate in cert.pem that
corresponds to the TPM key.
> For a first test I create a server on the BeagleBoard and connect with the
> client to local host and get the following client error:
> $ gnutls-serv --x509cafile /etc/ssl/certs/ca-cert.pem --x509keyfile
> /etc/ssl/certs/ca-key.pem -p 443
That looks like a bug on the server. It wouldn't have started with the
options that you issued. A server requires --x509certfile and
--x509keyfile, and on those you should set the server's certificate and
private key, not that CAs.
More information about the Gnutls-help