ElDani

Reputation: 31

How to use X.509 certificate generated on TPM for Azure DPS on Linux and C#

We have embedded Linux devices running .NET Core 3.1 that we want to provision with Azure DPS. We have a special use case that requires us to use X.509 certificates for device authentication, and we want to use the same certificates for device provisioning with Azure DPS. The CSR is generated on a hardware TPM on the device and signed by a company CA, which is registered in DPS, and we have an enrollment group set up for this CA.

Now how can we use this device certificate (public .pem on disk, private key on TPM) for device provisioning? We only found examples using either a full certificate on disk (public and private key in .pfx) or using a TPM with EK enrollment (which we don't want to do, because the manufacturing process is already designed for X.509).

In other words: Is there a way to create an instance of the needed X509Certificate2 class from the public .pem file and point it to the TPM for the private key?

Upvotes: 0

Views: 980

Answers (1)

Werner Breitwieser

Reputation: 11

Starting with .NET 8 it is possible to load an X509Certificate2 with a private key in TPM2 using the OpenSSL tpm2tss engine with the following code snippet:

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Ask OpenSSL's tpm2tss engine for the TPM-resident private key (device.tss is the engine's key file)
using SafeEvpPKeyHandle privateKey = SafeEvpPKeyHandle.OpenPrivateKeyFromEngine("tpm2tss", "device.tss");
using RSAOpenSsl rsa = new(privateKey);
// Load the public certificate from disk and attach the TPM-backed key to it
using X509Certificate2 tmpCert = new X509Certificate2("device.crt");
using X509Certificate2 certificate = tmpCert.CopyWithPrivateKey(rsa);

Please note that this is known to work with openssl 1.1.1, which is already EOL.

Upvotes: 0
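The following is an added example, not code from the question or the answer, showing the loaded TPM-backed certificate carried through to a DPS enrollment-group registration and the subsequent IoT Hub connection. It assumes Linux with .NET 8+, the OpenSSL tpm2tss engine installed, the Azure IoT SDK packages Microsoft.Azure.Devices.Provisioning.Client, Microsoft.Azure.Devices.Provisioning.Transport.Amqp and Microsoft.Azure.Devices.Client, and a placeholder ID scope that must be replaced with the real one.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;
using Microsoft.Azure.Devices.Provisioning.Client;
using Microsoft.Azure.Devices.Provisioning.Client.Transport;
using Microsoft.Azure.Devices.Provisioning.Security;

static class TpmDpsProvisioning
{
    // Placeholders (assumed): replace with the DPS ID scope and the file names used on the device.
    const string GlobalEndpoint = "global.azure-devices-provisioning.net";
    const string IdScope = "0ne00000000";   // placeholder ID scope
    const string CertPath = "device.crt";   // public certificate (PEM) on disk
    const string TpmKeyFile = "device.tss"; // tpm2tss engine key file

    // Build an X509Certificate2 whose private-key operations run on the TPM through the
    // OpenSSL tpm2tss engine (.NET 8+, Linux). CopyWithPrivateKey throws if the TPM key does
    // not match the certificate's public key, so a wrong key file is caught here, not at DPS.
    static X509Certificate2 LoadTpmBackedCertificate(string certPath, string tpmKeyFile)
    {
        using SafeEvpPKeyHandle key = SafeEvpPKeyHandle.OpenPrivateKeyFromEngine("tpm2tss", tpmKeyFile);
        using RSAOpenSsl rsa = new(key);
        using X509Certificate2 publicOnly = new(certPath);
        return publicOnly.CopyWithPrivateKey(rsa); // returned cert holds its own key reference
    }

    static async Task Main()
    {
        using X509Certificate2 deviceCert = LoadTpmBackedCertificate(CertPath, TpmKeyFile);
        if (!deviceCert.HasPrivateKey)
            throw new InvalidOperationException("certificate has no usable private key");

        // Register with DPS; the enrollment group is keyed on the company CA that signed device.crt.
        using var security = new SecurityProviderX509Certificate(deviceCert);
        using var transport = new ProvisioningTransportHandlerAmqp(TransportFallbackType.TcpOnly);
        var provClient = ProvisioningDeviceClient.Create(GlobalEndpoint, IdScope, security, transport);
        DeviceRegistrationResult result = await provClient.RegisterAsync();
        if (result.Status != ProvisioningRegistrationStatusType.Assigned)
            throw new InvalidOperationException($"registration failed: {result.Status} {result.ErrorMessage}");

        // Authenticate to the assigned hub with the same TPM-backed certificate.
        var auth = new DeviceAuthenticationWithX509Certificate(result.DeviceId, deviceCert);
        using DeviceClient client = DeviceClient.Create(result.AssignedHub, auth, TransportType.Amqp_Tcp_Only);
        await client.OpenAsync();
        Console.WriteLine($"Provisioned {result.DeviceId} to {result.AssignedHub}");
    }
}
```

The private key never leaves the TPM: the engine performs the TLS client-auth signature for both the DPS registration and the hub connection, while only device.crt is readable on disk.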
