Create a virtual smart card
Ensure the TPM is enabled and activated in firmware.
Start a Command Prompt as admin.
Create a Virtual Smart Card. /pin prompt asks for the user PIN interactively; /adminkey random generates an admin key and then discards it, so the PIN cannot be unblocked and the card cannot be reset later (use /adminkey prompt if you need that):
tpmvscmgr.exe create /name "[hostname] VSC" /pin prompt /adminkey random /generate
Creating TPM Smart Card...
Initializing the Virtual Smart Card component...
Creating the Virtual Smart Card component...
Initializing the Virtual Smart Card Simulator...
Creating the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card Reader...
Creating the Virtual Smart Card Reader...
Waiting for TPM Smart Card Device...
Authenticating to the TPM Smart Card...
Generating filesystem on the TPM Smart Card...
TPM Smart Card created.
Smart Card Reader Device Instance ID = ROOT\SMARTCARDREADER\0000

Generate a signing request and have the request signed to obtain a certificate
Create a request template in Notepad and save it as TPM-cert-template.inf. certreq expects the settings under a [NewRequest] section; ProviderName is what makes the key get generated on the virtual smart card instead of the software key store, and UserProtected = TRUE makes every use of the key ask for the PIN:
[NewRequest]
Subject = "CN=[hostname],O=[Organisation],L=[Location],ST=[State],C=[Country]"
Keylength = 2048
Exportable = FALSE
UserProtected = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
Then generate a Certificate Request (CSR). certreq prompts for the card PIN here because the key pair is created on the virtual smart card:
certreq -new -f TPM-cert-template.inf TPM-cert.csr
Send the CSR to your CA and have it signed. You should get a certificate in return.

Install the certificate
Double-click the received certificate file (most likely .crt or .cer).
Click the "Install certificate" button and follow the wizard, installing it into the current user's Personal store (that is where OpenVPN looks for it). Alternatively, certreq -accept <certificate file> installs it and links it to the key the request created.
When it's done, obtain the fingerprint (thumbprint) of the certificate from the Details tab.

Configure OpenVPN to use the cryptoapi and certificate
Edit the OpenVPN profile.
Instead of "cert" and "key", configure "cryptoapicert" with your thumbprint (the value below is an example):
cryptoapicert "THUMB:92 50 9d ea 52 f4 95 ee be a1 c0 4f ab f8 a2 2b 4d 91 0c 0a"
Save the profile and connect.
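The whole procedure above, automated as PowerShell functions. This is an added example, not code from the original page or from Microsoft's tpmvscmgr/certreq documentation; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-Tpm and Get-PnpDevice), that the certificate ends up in the current user's Personal store, and that the subject fields, the output directory and the profile path are placeholders you fill in. The step of sending the CSR to the CA and installing the result is still done by hand.

```powershell
# Added example (not from the original page): the procedure above as PowerShell
# functions. Run from an elevated PowerShell session on Windows 8 / Server 2012 or
# later (Get-Tpm and Get-PnpDevice ship with those). The organisation fields are
# placeholders; the CSR still has to be sent to your CA by hand between steps 2 and 3.
$ErrorActionPreference = 'Stop'

# Step 1: create the TPM virtual smart card (wraps the tpmvscmgr.exe call above).
function New-TpmVirtualSmartCard {
    param([string]$Name = "$env:COMPUTERNAME VSC")

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is absent or not ready; enable and activate it in firmware first.'
    }

    # /pin prompt asks for the user PIN interactively; /adminkey random generates an
    # admin key and discards it, so the PIN cannot be unblocked and the card cannot
    # be reset later.
    & tpmvscmgr.exe create /name $Name /pin prompt /adminkey random /generate
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

    # Same check as the wmic one-liner at the end of the page: the new reader should
    # show up as ROOT\SMARTCARDREADER\000x.
    Get-PnpDevice | Where-Object InstanceId -like 'ROOT\SMARTCARDREADER\*' |
        Select-Object FriendlyName, InstanceId, Status
}

# Step 2: write the request template and generate the CSR on the card.
function New-SmartCardCertificateRequest {
    param(
        [string]$Organisation = 'Example Org',    # placeholder
        [string]$Location     = 'Example City',   # placeholder
        [string]$State        = 'Example State',  # placeholder
        [string]$Country      = 'XX',             # placeholder
        [string]$OutDir       = "$env:USERPROFILE\TPM-cert"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir 'TPM-cert-template.inf'
    $csr = Join-Path $OutDir 'TPM-cert.csr'

    # Same settings as the template above. ProviderName is what makes certreq create
    # the key on the virtual smart card; UserProtected makes every key use ask for the PIN.
    @(
        '[NewRequest]',
        "Subject = `"CN=$env:COMPUTERNAME,O=$Organisation,L=$Location,ST=$State,C=$Country`"",
        'KeyLength = 2048',
        'Exportable = FALSE',
        'UserProtected = TRUE',
        'MachineKeySet = FALSE',
        'ProviderName = "Microsoft Base Smart Card Crypto Provider"',
        'ProviderType = 1',
        'RequestType = PKCS10',
        'KeyUsage = 0x80'
    ) | Set-Content -Path $inf -Encoding ASCII

    # certreq prompts for the card PIN here because the key pair is generated on the card.
    & certreq.exe -new -f $inf $csr
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }
    return $csr
}

# Step 3: after the CA-issued certificate is installed in the user's Personal store,
# build the OpenVPN directive from its thumbprint.
function Get-OpenVpnCryptoApiCertLine {
    param([string]$Subject = "CN=$env:COMPUTERNAME")

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint) is not linked to a private key; install it with 'certreq -accept <file>' so it is bound to the key the request created."
    }

    # THUMB: takes the SHA-1 thumbprint; written as lowercase bytes separated by spaces,
    # the same form the page shows and the Details tab displays.
    $bytes = ($cert.Thumbprint.ToLower() -split '(..)') -ne ''
    "cryptoapicert `"THUMB:$($bytes -join ' ')`""
}

# Step 4: swap the file-based cert/key directives in a profile for the cryptoapicert one.
# Inline <cert>/<key> blocks are not handled and must be removed by hand.
function Set-OpenVpnProfileCryptoApiCert {
    param([string]$ProfilePath, [string]$CryptoApiCertLine)
    $kept = Get-Content -Path $ProfilePath |
        Where-Object { $_ -notmatch '^\s*(cert|key|cryptoapicert)\s' }
    @($kept) + $CryptoApiCertLine | Set-Content -Path $ProfilePath -Encoding ASCII
}

# Usage, one step at a time; between steps 2 and 3 send TPM-cert.csr to the CA and install the result:
#   New-TpmVirtualSmartCard
#   New-SmartCardCertificateRequest -Organisation 'ACME' -Location 'Amsterdam' -State 'NH' -Country 'NL'
#   $line = Get-OpenVpnCryptoApiCertLine
#   Set-OpenVpnProfileCryptoApiCert -ProfilePath "$env:USERPROFILE\OpenVPN\config\work.ovpn" -CryptoApiCertLine $line
```

The HasPrivateKey warning is the check worth keeping: a certificate dropped into the store by the import wizard is only useful to OpenVPN once Windows has associated it with the key container on the card, and certreq -accept does that association explicitly.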

Enable SSH authentication with the Virtual Smart Card
Download and install puttywincrypt.
Configure PuTTY to use the certificate under Connection -> SSH -> Auth by entering:
WinSCP works with the certificate through Pageant when "SCP" is selected as the protocol and "Attempt authentication using Pageant" is ticked under SSH -> Authentication.
To check that the virtual smart card reader device exists (compare with the Device Instance ID printed by tpmvscmgr above):
wmic path win32_PnPEntity where "DeviceID like '%smartcardreader%'" get Caption,DeviceID

Sources used: https://technet.microsoft.com/en-us/library/dn579260.aspx