Ricky Gao Blog - Enjoy Learning

How to enable Virtual TPM on Hyper-V

A TPM (Trusted Platform Module) is a must-have hardware chip on the Windows platform, and a VM (Virtual Machine) is always the easiest way to set up a test environment.

However, for security testing that relies on a TPM, we need to talk about having a TPM inside the VM.

Fortunately, most virtualization platforms today support a virtual TPM, and most virtual TPM implementations do NOT need a hardware TPM on the host device.

Hyper-V is even free on Windows 10 (Pro or Enterprise edition), so our test environment can now be as simple as a Windows 10 device with multiple VMs running on it.

In order to enable the virtual TPM, you have to meet the prerequisites below:

1. Hardware virtualization support: almost every CPU supports it today.

The host device does NOT need TPM hardware; below is my host machine:

[screenshot: my host machine]

2. Windows Server 2016 Technical Preview, or Windows 10 build 10586 or higher

3. WinRM, enabled with:

winrm quickconfig


Enable Virtual TPM

  1. Open a Windows PowerShell as an administrator.
  2. Run the following commands:

----------------------------------------

# Enable the Isolated User Mode feature that virtualization-based security needs
Enable-WindowsOptionalFeature -Feature IsolatedUserMode -Online

# Create the DeviceGuard registry key (no error if it already exists)
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force

# Turn on virtualization-based security; takes effect after a reboot
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force

----------------------------------------


Reboot the host.

Enable the VM's TPM setting

Open the VM's Settings -> Security -> Trusted Platform Module and enable it.

Start the VM.

Check the TPM status.


Troubleshooting:

Sometimes the steps above still do not get it working, especially when enabling the virtual TPM on existing VMs. In that case, try the commands below (thanks to my friend Bryce):

----------------------------------------

# Make sure the Isolated User Mode feature is enabled
Enable-WindowsOptionalFeature -Feature IsolatedUserMode -Online

# Create a local guardian with self-signed certificates (no Host Guardian Service needed)
New-HgsGuardian -Name 'Guardian' -GenerateCertificates

$Owner = Get-HgsGuardian -Name 'Guardian'

# Build a key protector owned by that guardian; -AllowUntrustedRoot accepts its self-signed certificates
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

# Attach the key protector to the VM (the VM must be off), then enable its virtual TPM
Set-VMKeyProtector -VMName 'Windows 10 Enterprise' -KeyProtector $KeyProtector.RawData

Enable-VMTPM -VMName 'Windows 10 Enterprise'

Replace 'Windows 10 Enterprise' with the name of your VM in Hyper-V.

----------------------------------------
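The same procedure, wrapped in one script that first checks the host and VM preconditions, reuses the guardian if it already exists, and reads the VM's security settings back at the end. This is an added example and not code from the original post; it assumes an elevated PowerShell session on a host that meets the prerequisites above, and the VM name and guardian name are placeholders supplied by the caller.

```powershell
# Added example (not from the original post): enable a virtual TPM on an existing
# Generation 2 Hyper-V VM using a local, self-signed HGS guardian, then verify it.
# Assumes the Hyper-V and HgsClient cmdlets are available on this host.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$VMName,
    [string]$GuardianName = 'Guardian'   # name of the local guardian (placeholder)
)

# 1. Confirm virtualization-based security is actually running on the host.
#    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and $dg.VirtualizationBasedSecurityStatus -ne 2) {
    throw "VBS is not running on this host (status $($dg.VirtualizationBasedSecurityStatus)); complete the 'Enable Virtual TPM' steps and reboot first."
}

# 2. A virtual TPM needs a Generation 2 VM, and the VM must be off before its key protector can change.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) { throw "Virtual TPM requires a Generation 2 VM; '$VMName' is Generation $($vm.Generation)." }
if ($vm.State -ne 'Off')  { throw "Stop '$VMName' before changing its key protector (current state: $($vm.State))." }

# 3. Reuse the local guardian if it exists; otherwise create one with self-signed certificates.
$guardian = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}

# 4. Build a key protector owned by that guardian. -AllowUntrustedRoot is what permits the
#    self-signed guardian certificates; fine for a lab, not for production shielded VMs.
$kp = New-HgsKeyProtector -Owner $guardian -Guardian $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData

# 5. Turn on the virtual TPM and read the security settings back for confirmation.
Enable-VMTPM -VMName $VMName
$sec = Get-VMSecurity -VMName $VMName
[pscustomobject]@{
    VM         = $VMName
    Generation = $vm.Generation
    Guardian   = $guardian.Name
    TpmEnabled = $sec.TpmEnabled
    Shielded   = $sec.Shielded
}
```

Save it as, for example, Enable-LabVmTpm.ps1 (placeholder name) and run .\Enable-LabVmTpm.ps1 -VMName 'Windows 10 Enterprise' from an elevated prompt. TpmEnabled should read True afterwards; if the VBS check throws, the host-side registry and feature steps from the first section have not taken effect yet, which is the most common reason the vTPM setting cannot be turned on.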

More information about the Hyper-V virtual TPM can be found here.

By rickygao on April 5, 2016 | HYPER-V, Tech, Windows Client

How to renew your free StartCom SSL certificate

Last time I talked about How to get a public signed FREE SSL certificate from StartCom. It has been a while since then, and that certificate may already be expired or about to expire.


So this time let’s talk about how to renew your free StartSSL certificate.

0. The very first thing to check is your StartCom client authentication certificate, which is your only identity for logging into their portal.


If you have unfortunately lost your authentication certificate, you will get a very unfriendly error page instead of the portal.


Another way to check whether you still have that authentication certificate is to look in your local certificate store:

Start -> Run -> certmgr.msc

Certificates - Current User - Personal

So I’ve lost my client authentication certificate, what shall I do?

Make sure that you are using the same computer and browser you used to register. If you are certain that you’ve lost the client certificate and you can’t login anymore, register once again by using a different email address (if the original certificate hasn’t expired yet). Contact the CertMaster with your details and we’ll try to associate your new client authentication certificate with your original account.
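The certmgr.msc check above can also be scripted. The following is an added example, not code from the original post: it lists the StartCom client authentication certificates in the current user's Personal store (the same place certmgr.msc shows them) and flags the ones that are expired or close to expiry. The issuer pattern 'StartCom' and the 30-day warning threshold are assumptions.

```powershell
# Added example (not from the original post): find the StartCom client
# authentication certificate(s) in Cert:\CurrentUser\My and report their state.
param(
    [int]$WarnDays = 30,                  # assumed threshold for "renew soon"
    [string]$IssuerPattern = 'StartCom'   # assumed match on the issuer name
)

# id-kp-clientAuth: the EKU a certificate needs to be usable for TLS client login
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.Issuer -match $IssuerPattern -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }

if (-not $certs) {
    Write-Warning "No StartCom client authentication certificate found in Cert:\CurrentUser\My; the portal login will fail."
    return
}

$certs | ForEach-Object {
    $daysLeft = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        DaysRemaining = $daysLeft
        # Without the private key the certificate cannot be used for client authentication at all.
        HasPrivateKey = $_.HasPrivateKey
        Status        = if ($daysLeft -lt 0) { 'EXPIRED' }
                        elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                        else { 'OK' }
    }
} | Format-Table -AutoSize
```

A certificate that shows up with HasPrivateKey False is the situation described in the FAQ answer above: the public certificate is present but the browser can no longer use it to log in, so treat it the same as a lost certificate.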

Once you have logged in, follow the steps below to renew the SSL certificate:

1. Validate your domain and email

Follow the validation menu to validate your domain again.

After validation, the portal shows your domain as validated.


2. Renew the user "Authentication Certificate"

Usually the user "Authentication Certificate" will expire very soon as well, so renew that certificate first to make sure you keep access to the portal.

Click on "Certificates Wizard"

Choose "Authentication Certificate" as the target

Select the key size

Select your validated email address and the hash algorithm

The new user authentication certificate will be installed in your local user certificate store

3. Renew the SSL certificate

Back in the "Certificates Wizard", select "SSL Certificate" this time

Confirm the certificate details and create a password

Save the private key to a local file

Note: this is the encrypted private key; we will decrypt it later for future use

Choose your top-level domain

Type in the subdomain for which you want to renew the certificate

Save the certificate to a local file; we will use it later

Decrypt the private key: copy in the encrypted key file we saved earlier and create a password

Generate the P12 certificate

Save it

Note: if you need to convert the .p12 certificate to .pfx, import the .p12 file into your local certificate store and export it again as .pfx
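.p12 and .pfx are both PKCS#12 containers, so the conversion really is an import followed by an export. As an added example (not from the original post), the following does that round-trip in PowerShell and verifies that the exported file carries the same certificate and its private key; the file paths and the password are placeholders supplied by the caller.

```powershell
# Added example (not from the original post): import a .p12 into the current
# user's Personal store, export it as .pfx, and verify the result.
param(
    [Parameter(Mandatory)][string]$P12Path,         # e.g. .\example.p12 (placeholder)
    [Parameter(Mandatory)][string]$PfxPath,         # e.g. .\example.pfx (placeholder)
    [Parameter(Mandatory)][securestring]$Password,  # password chosen when the .p12 was generated
    [switch]$RemoveFromStore                        # clean the cert out of the store afterwards
)

# Import with -Exportable; without it the private key cannot be exported again later.
$imported = Import-PfxCertificate -FilePath $P12Path -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $Password -Exportable
$thumb = $imported.Thumbprint
$cert  = Get-ChildItem -Path "Cert:\CurrentUser\My\$thumb"

# Export the certificate plus private key as .pfx (same PKCS#12 format, different extension).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -Force | Out-Null

# Verify: the exported file loads with the given password, has the same thumbprint and a private key.
$fullPfxPath = (Resolve-Path -Path $PfxPath).Path
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPfxPath, $Password
if ($check.Thumbprint -ne $thumb) { throw "Exported .pfx thumbprint $($check.Thumbprint) does not match $thumb." }
if (-not $check.HasPrivateKey)    { throw "Exported .pfx does not contain the private key." }

# Optionally remove the certificate and its key from the store again, since the store was only a staging area.
if ($RemoveFromStore) {
    Remove-Item -Path "Cert:\CurrentUser\My\$thumb" -DeleteKey
}

[pscustomobject]@{
    Subject       = $check.Subject
    Thumbprint    = $check.Thumbprint
    NotAfter      = $check.NotAfter
    HasPrivateKey = $check.HasPrivateKey
    PfxFile       = $fullPfxPath
}
```

Run it as, for example, .\Convert-P12ToPfx.ps1 -P12Path .\site.p12 -PfxPath .\site.pfx -Password (Read-Host -AsSecureString) -RemoveFromStore (script and file names are placeholders). The thumbprint comparison is the useful check here: it catches picking up a different certificate from the store when more than one with the same subject is installed, which is easy to do right after a renewal.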

4. Upload the newly renewed certificate

In my case, I have to upload the new certificate to my ASUS router and NAS.

5. All done, enjoy!

By rickygao on November 27, 2015 | PKI, Tech
