Reading Device Client Certificate from TPM 2.0 with PKCS#11

[ZarkoRunjevac]

Hi,
I am evaluating step-ca:hsm for serving short lived certificates, on edge device, from tpm 2.0 using PKCS#11.
Certificates are present in tpm(loaded there during device registration). We run step-ca with hsm support natively on Yocto linux.

My step ca.json is

{
  "root": "/etc/ssl/certs/cert.pem",
  "crt": "pkcs11:id:03;object=client;type=cert",
  "key": "pkcs11:id:01;object=tls;type=private",
  "kms": {
    "type": "pkcs11",
    "uri": "pkcs11:module-path=/usr/lib/pkcs11/libtpm2_pkcs11.so;token=aktualizr?pin-value=....."
  }
}

When i start step-ca service We receive:

For some reason crt can't be loaded from tpm(I managed to load it from file, but not from tpm slot).

Could you suggest how to load this crt?

Best regards,
Zarko.

[tashian]

Just a quick idea.
I was just looking at RFC7512 and it looks like id can only be followed by = in a pkcs11 URI.

[ZarkoRunjevac]

Hi, that was the copy/paste error when I filtered our code for github example.
I went through step-ca code(even though I am no Go developer) and I concluded that only private key can be loaded using pkcs#11, and that crt is is defined as IntermediateCert string in the Config struct and processed using pemutil.ReadCertificateBundle().
Best regards,
Zarko.