Post AVxecpol3V1nsPCsOe by seanfurey@mas.to
(DIR) Post #AVxZFJqvEeFmJ7Bcwa by mjg59@nondeterministic.computer
2023-05-23T21:58:44Z
0 likes, 1 repeats
I've got a certificate stored in the Windows Platform Crypto Provider, associated with a TPM-backed key. Firefox can see it fine, but it doesn't show up in Chrome. Any ideas?
(DIR) Post #AVxZSHAsVILRlXhP28 by dickon@splodge.fluff.org
2023-05-23T22:01:43Z
0 likes, 0 repeats
@mjg59 Use Firefox. Chrome isn't a user agent any longer -- it's a massive conflict of interest, and an advertiser agent -- and needs to die. Not the answer you were looking for, obviously.
(DIR) Post #AVxZb0b9VFoYxh9Wb2 by fogti@chaos.social
2023-05-23T22:02:36Z
0 likes, 0 repeats
@mjg59 maybe it uses a separate key store
(DIR) Post #AVxbMfPXgDNH6Z0kwC by alex_02@infosec.exchange
2023-05-23T22:22:51Z
0 likes, 0 repeats
@mjg59 I don't use Chrome, but I did some Google searches and found this: Also, "While Firefox manages its own certificate store, Chrome, Edge and Internet Explorer defer certificate management to Windows." https://jpassing.com/2021/09/27/do-browsers-use-client-certificates-to-authenticate-the-user-the-device-or-both/ No idea if this is related to your problem since it isn't particularly about TPM-backed keys; I could only find problems with SSL/TLS. Also, check if you trusted the cert on your OS.
(DIR) Post #AVxbk4ATneU6Y27iPQ by mjg59@nondeterministic.computer
2023-05-23T22:27:17Z
0 likes, 0 repeats
@alex_02 The cert is in the Windows cert store, and Firefox is happy to pick it up from there. It's a client cert, there's no trust to configure.
(DIR) Post #AVxbvYNBq3i3PdXv4S by alex_02@infosec.exchange
2023-05-23T22:27:52Z
0 likes, 0 repeats
@mjg59 That's weird. Idk then. Sorry. >_<
(DIR) Post #AVxdDlc1SDRZdjjU7E by acyberexpert@freeradical.zone
2023-05-23T22:43:44Z
0 likes, 0 repeats
@mjg59 Completely quit Chrome and reopen it.
(DIR) Post #AVxdSSw3B1lS3f6qJM by mjg59@nondeterministic.computer
2023-05-23T22:46:42Z
0 likes, 0 repeats
@acyberexpert No change
(DIR) Post #AVxecpol3V1nsPCsOe by seanfurey@mas.to
2023-05-23T22:59:18Z
0 likes, 0 repeats
@mjg59 @alex_02 is Chrome prepared to use non-TPM-backed client certs from there?
(DIR) Post #AVxemJaDl0mMnavZNA by mjg59@nondeterministic.computer
2023-05-23T23:00:22Z
0 likes, 0 repeats
@seanfurey @alex_02 I have software certs that are visible, but I don't know which of the crypto providers they're stored in
(DIR) Post #AVxfMXulwzkhfjohEG by seanfurey@mas.to
2023-05-23T23:07:38Z
0 likes, 0 repeats
@mjg59 @alex_02 I don't have any particular knowledge of this, but I'd be trying to generate one and add it to that provider to see if Chrome is actually looking there or whether it's uncomfortable with a TPM-backed key.
(DIR) Post #AVxh5KE9mokKCtneWu by acyberexpert@freeradical.zone
2023-05-23T23:26:56Z
0 likes, 0 repeats
@mjg59 That’s a nuisance. Restarting my Chrome was always my way to force a reload of its cache of client certificates.
(DIR) Post #AVxjAZq9MjJzzACdjU by mjg59@nondeterministic.computer
2023-05-23T23:50:38Z
0 likes, 0 repeats
Ok it shows up if I install it into the current user store? But not if I install it into the machine-wide store?
(DIR) Post #AVy5LllvXd8FAVyBU0 by jhaar@mastodon.nz
2023-05-24T03:58:39Z
0 likes, 0 repeats
@mjg59 @alex_02 I can make up an explanation that tracks for me. The system store should only have device certs and the user store should only have user certs. Private keys in the user store are protected/encrypted via the standard CryptoAPI, whereas system store private keys tend to just sit there unencrypted. You are currently messing around with private keys in TPM modules by the sound of it; maybe that's rare enough that browsers don't support it?
(DIR) Post #AVyEwv0H56Lg6LTADA by mjg59@nondeterministic.computer
2023-05-24T05:46:43Z
0 likes, 0 repeats
@jhaar @alex_02 In theory the browser has no idea what's going on at all - it asks the store for a list of certs, and then asks it to sign requests as needed, the TPM logic happens in that layer. In Windows both the user store and the system store are implemented in the same layer, but with different access control - the browser ought to be able to query from both, though
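The thread's finding is that the same certificate is picked up from the current-user store but not from the machine-wide store, and the reply above explains that the TPM logic lives in the Windows key-storage layer rather than in the browser. The PowerShell below is an added example (not code from anyone in the thread): it enumerates both personal stores and reports which CNG key storage provider holds each private key, so you can see whether a given cert is TPM-backed ("Microsoft Platform Crypto Provider") and whether the machine-store key is even readable from the current account. It assumes Windows PowerShell 5.1 or later; the function name `Get-ClientCertKeyInfo` is my own.

```powershell
# Added example: compare the CurrentUser and LocalMachine personal stores and
# show which key storage provider backs each private key. Not from the thread.
# Assumes Windows PowerShell 5.1+ (RSACertificateExtensions / ECDsa APIs present).

function Get-ClientCertKeyInfo {
    param(
        # Both personal stores a browser might be expected to query.
        [string[]] $StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $provider = $null

            if ($cert.HasPrivateKey) {
                try {
                    # Prefer the CNG-aware accessors; they work for both RSA and ECDSA keys.
                    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if (-not $key) {
                        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                    }

                    if ($key -is [System.Security.Cryptography.RSACng] -or
                        $key -is [System.Security.Cryptography.ECDsaCng]) {
                        # CngKey.Provider.Provider is the KSP name, e.g.
                        # "Microsoft Software Key Storage Provider" or
                        # "Microsoft Platform Crypto Provider" (TPM-backed).
                        $provider = $key.Key.Provider.Provider
                    } elseif ($key) {
                        $provider = 'legacy CAPI CSP'
                    }
                } catch {
                    # Machine-store keys commonly fail here when the caller lacks
                    # permission on the key; that is the access-control difference
                    # between the two stores, not a TPM issue.
                    $provider = "unavailable: $($_.Exception.Message)"
                }
            }

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                KeyProvider   = $provider
                TpmBacked     = ($provider -eq 'Microsoft Platform Crypto Provider')
            }
        }
    }
}

# Usage: run once unelevated and once from an elevated prompt and compare the
# LocalMachine rows; a key that reads "unavailable" unelevated is what a browser
# running as the user would also fail to use.
Get-ClientCertKeyInfo | Format-Table -AutoSize
```

If you want the same view from the built-in tooling, `certutil -user -store My` and `certutil -store My` list the two stores and include the provider name for each key, which is a quick cross-check against the output above.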
(DIR) Post #AVyH6U3SKYJpKFe8MS by mcepl@floss.social
2023-05-24T06:10:41Z
0 likes, 0 repeats
@mjg59 You know my answer …
(DIR) Post #AVyUUfsrIhbUMoYSwq by nwp@mastodon.nzoss.nz
2023-05-24T08:40:25Z
0 likes, 0 repeats
@mjg59 Chrome might be doing that deliberately? It does do per-user installs in general, doesn't it, by default? Last time I looked you had to get the "Enterprise" installer to get a machine-wide install. IIRC etc.