[gnutls-help] Gnutls with TPM "Handshake failed"

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Mar 14 15:28:07 CET 2013

On 03/14/2013 12:22 PM, Florian Klickermann wrote:

> Hi all, and first excuse me for being a total beginner with gnutls. I'm trying
> to create certificates with the TPM and connect to a server.
> I use a BeagleBoard-xM, TPM 1.2 with Debian, a 3.7 kernel and gnutls-3.1.1.
> I've created the following keys and certificates (pubkey, ca-cert, ca-key,
> cert):
> $ tpmtool --generate-rsa --bits 2048 --register --user
> tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user
> $ tpmtool --pubkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"
> --outfile=pubkey.pem

Up to this point you have a public and private key pair, and the private
key is stored in the TPM.

> $ certtool --generate-privkey --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile
> ca-key.pem

What are you actually trying to do here? That command doesn't make
sense. If you want to generate a private key, why do you load the TPM
private key?

> $ certtool --generate-certificate --outfile cert.pem --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"
> --load-pubkey pubkey.pem --load-ca-certificate ca-cert.pem
> --load-ca-privkey ca-key.pem

That last command would generate a certificate in cert.pem that
corresponds to the TPM key.

> For a first test I created a server on the BeagleBoard and connected with the
> client to localhost and got the following client error:
> Server:
> $ gnutls-serv  --x509cafile /etc/ssl/certs/ca-cert.pem --x509keyfile
> /etc/ssl/certs/ca-key.pem -p 443

That looks like a bug on the server. It wouldn't have started with the
options that you issued. A server requires --x509certfile and
--x509keyfile, and on those you should set the server's certificate and
private key, not the CA's.

