Practical use case, x509 user identity cert #27

Open
ronnieissa opened this issue Oct 25, 2022 · 0 comments
Hello all.

The TPM has the capability to be the sole trusted identity of a user in an organization. This can bring huge benefits, especially in the Zero Trust realm. This is how I see it being played out...

The assumptions are these.

  • The Org has its own internal/private CA.
  • The Org uses Certificate Based Authentication to authenticate its users and devices.
  • The Org uses SSO across all services.

  1. Org purchases laptop with TPM 2.0 installed.
  2. Org is onboarding a user-A; Org IT assigns laptop to user-A.
  3. Org IT creates a CSR with the user's principal name in the subject field using the TPM's EK as the backing key pair.
  4. Org issues laptop to user-A.
  5. user-A protects TPM with PIN or biometric material.
  6. user-A now has an X509 certificate in the personal keystore and can access org resources and services.

The questions I have are based around how we can automate this process (either Zero-Touch or Lite-Touch).

  • When Org IT creates the CSR with the TPM, are they logged into a custom bootable image (maybe unikernel) that is meant for TPM provisioning?
  • The Org would likely have the signing key be a physical key so that way the CSR doesn't have to move from the laptop. (This might work for small Orgs, maybe sub 300 users or so, but this would need to be fully automated for larger orgs.)
  • With larger orgs, in a fully automated scenario, I can imagine the bootable unikernel has an option for zero-touch provisioning, where the parameters were already set during compilation of the image, or possibly the unikernel grabs the parameters of the laptop and then reaches out to a server API that tells it what principal name to assign to the CSR subject field.
  • Once the CSR has been signed and returned to the TPM, how does the signed cert with subject user-A get transferred automatically to the Windows personal key store? Can Windows pull the cert direct from a PCR?

Thank you
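As an added example (not from the poster or from this project), the CSR step and the final "get the signed cert into the Windows personal store" step can be scripted on the laptop itself with certreq and the TPM-backed Microsoft Platform Crypto Provider; the key pair is generated inside the TPM by that provider rather than using the EK directly, since the EK is a restricted decryption key and is not used to sign CSRs. The UPN, the CA config string and the file paths are placeholders.

```powershell
# Added example, not part of the issue or the project. Placeholders: replace the UPN,
# the CA config string and the working directory for a real deployment.
$Upn      = 'user-a@corp.example'                 # user principal name for subject and SAN
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'   # internal CA in "host\CA name" form
$Work     = Join-Path $env:TEMP 'tpm-enroll'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# certreq INF: the key pair is created inside the TPM by the Platform Crypto Provider,
# kept in the current user's key container, and marked non-exportable.
$Inf = @"
[NewRequest]
Subject = "CN=$Upn"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Platform Crypto Provider"
MachineKeySet = FALSE
Exportable = FALSE
KeyUsage = 0x80
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=$Upn&"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@
Set-Content -Path "$Work\user-a.inf" -Value $Inf -Encoding ASCII

# 1. Generate the TPM-resident key and the CSR; the private key never leaves the TPM.
certreq -new -q "$Work\user-a.inf" "$Work\user-a.csr"
# 2. Submit the CSR to the internal CA (requires network reachability and enroll permission).
certreq -submit -q -config $CaConfig "$Work\user-a.csr" "$Work\user-a.cer"
# 3. Install the issued certificate: certreq pairs it with the pending TPM key and
#    places it in Cert:\CurrentUser\My, the user's Personal store.
certreq -accept -q "$Work\user-a.cer"

# Verify: the certificate is in the Personal store and its private key is TPM-backed.
$Cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq "CN=$Upn" } | Select-Object -First 1
$Rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
"{0}  thumbprint={1}  provider={2}" -f $Cert.Subject, $Cert.Thumbprint, $Rsa.Key.Provider.Provider
```

Certificates are not stored in PCRs (those hold boot measurements); `certreq -accept` is what binds the issued certificate to the TPM-resident key in the Personal store.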
