My workaround is to use two templates. Enroll for Certificate 1, and use that as the required signing certificate for Certificate 2, as detailed below.

First, set up hardware key attestation (a file whose name is the SHA256 hash of the TPM endorsement key), hardware certificate attestation (create containers for Endorsement Key Root and Intermediate certificates, and import the TPM manufacturer's root and intermediate certificates into them), or both. If using certificates, you need to import the TPM manufacturer's root certificate into the Trusted Root Certification Authorities as well.

Template 1 - TPM-Key-Attestation: Microsoft Platform Crypto Provider, RSA algorithm, Require Key Attestation using hardware key, hardware certificate or both, Extensions (Endorsement key verified, Endorsement key certificate verified, or both), Authenticated Users Enroll permission.

Template 2 - Smartcard-Logon: Microsoft Smart Card Key Storage Provider, RSA algorithm, no key attestation, Issuance Requirements: 1 authorized signature, for Issuance policy (Endorsement key verified, Endorsement key certificate verified, or both), Authenticated Users Enroll permission.
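The attestation setup described in the post (EKPub list file named by the SHA256 hash of the endorsement key, plus the manufacturer's root and intermediate certificates in their own containers and the root in Trusted Root Certification Authorities) as a PowerShell walkthrough. This is an added example, not code from the post or from Microsoft; it assumes Get-TpmEndorsementKeyInfo exposes PublicKeyHash and ManufacturerCertificates as on recent Windows builds, that the CA's EKPub list directory is the placeholder path $EkPubListDir, and that the EK containers are the stores named EKROOT and EKCA (assumed names; use whatever your CA is configured with).

```powershell
# Added example (not from the original post). Run Export-TpmEkInfo on the
# client whose TPM is being attested, then Register-TpmEk on the issuing CA.

function Export-TpmEkInfo {
    # Reads the endorsement key hash and exports any manufacturer EK certificates.
    param([string]$OutDir = (Join-Path $env:TEMP 'ek-export'))

    $ek = Get-TpmEndorsementKeyInfo -Hash 'Sha256'
    if (-not $ek.IsPresent) { throw 'No TPM endorsement key present on this machine' }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # The EKPub list entry on the CA is a file named by this SHA-256 hex string.
    $hashFile = Join-Path $OutDir 'ek-sha256.txt'
    Set-Content -Path $hashFile -Value $ek.PublicKeyHash -NoNewline   # assumed property name

    # Export the EK certificate chain (if the TPM vendor shipped one) for inspection on the CA.
    $i = 0
    foreach ($cert in $ek.ManufacturerCertificates) {                  # assumed property name
        $cerPath = Join-Path $OutDir ("ekcert-{0}.cer" -f $i++)
        Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
        Write-Output ("EK cert: {0}  issued by {1}" -f $cert.Subject, $cert.Issuer)
    }
    Write-Output "EK SHA-256: $($ek.PublicKeyHash)  (written to $hashFile)"
}

function Register-TpmEk {
    # Registers one EK hash (hardware key attestation) and/or the TPM manufacturer
    # chain (hardware certificate attestation) on the CA.
    param(
        [string]$EkPubListDir = 'C:\EKPubList',        # placeholder: the CA's EKPub list directory
        [string]$EkHash,                               # hex SHA-256 from Export-TpmEkInfo
        [string]$ManufacturerRootCer,                  # placeholder path to the vendor root .cer
        [string]$ManufacturerIntermediateCer           # placeholder path to the vendor CA .cer
    )

    if ($EkHash) {
        New-Item -ItemType Directory -Path $EkPubListDir -Force | Out-Null
        # An empty file whose name is the EK hash marks that endorsement key as trusted.
        $entry = Join-Path $EkPubListDir $EkHash.ToLowerInvariant()
        New-Item -ItemType File -Path $entry -Force | Out-Null
        Write-Output "EKPub list entry: $entry exists = $(Test-Path $entry)"
    }

    if ($ManufacturerRootCer) {
        # Assumed container names for the EK root and EK intermediate certificates.
        certutil -f -addstore 'EKROOT' $ManufacturerRootCer | Out-Null
        if ($ManufacturerIntermediateCer) {
            certutil -f -addstore 'EKCA' $ManufacturerIntermediateCer | Out-Null
        }
        # The vendor root must also be in the machine's Trusted Root Certification Authorities.
        Import-Certificate -FilePath $ManufacturerRootCer `
            -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

        # Check: the root is now present in the trusted root store by thumbprint.
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ManufacturerRootCer
        $trusted = Get-ChildItem 'Cert:\LocalMachine\Root' |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        Write-Output "Manufacturer root trusted: $([bool]$trusted)"
    }
}

# Typical use (client, then CA):
#   Export-TpmEkInfo
#   Register-TpmEk -EkHash (Get-Content .\ek-sha256.txt) `
#       -ManufacturerRootCer 'C:\path\to\vendor-root.cer' `
#       -ManufacturerIntermediateCer 'C:\path\to\vendor-ca.cer'
```

The two halves are separate on purpose: the hash and EK certificates come from the client's TPM, while the EKPub list and the EKROOT/EKCA containers live on the CA. After registering, enroll for the TPM-Key-Attestation template on the client and confirm the issued certificate carries the Endorsement key verified and/or Endorsement key certificate verified issuance policy before using it to sign the Smartcard-Logon request.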