Location of "Microsoft Hyper-V CA"

Nicolas Oliver 1 Reputation point
2021-01-19T16:40:53.697+00:00

I am using Hyper-V to test Trusted Platform Module (TPM) related functionality.
For this purpose, I have created a Generation 2 VM with vTPM enabled, and installed a Linux OS as the guest.
I extracted the Endorsement Key Certificate (EKCert) for the vTPM from the 0x1c00002 handle using tpm2-tools.
Then I used openssl to read the EKCert information. This is the EKCert header:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:f4:08:f9:79:c6:87:31:aa:52:ab:36:47:3f:09:4f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Microsoft Hyper-V CA
        Validity
            Not Before: Jan 15 16:31:45 2021 GMT
            Not After : Jan 15 16:31:45 2022 GMT
        Subject: CN = Microsoft Hyper-V Virtual TPM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:db:79:2f:c9:3c:af:62:f5:d5:3b:fb:d4:7d:4f:
                    13:53:09:06:d7:39:8e:58:e4:c4:b2:ed:00:85:c5:
                    56:84:a2:43:87:98:fa:9d:3f:7a:11:17:13:c5:87:
                    75:c6:3e:96:eb:9d:41:b6:44:3f:57:82:d4:16:77:
                    6b:2f:3a:d6:67:e6:d5:56:9d:9c:72:a0:8a:dc:df:
                    bd:eb:46:1f:63:74:8d:65:97:b1:d9:5e:36:61:ed:
                    56:59:13:5c:53:5a:7b:a8:d2:a7:8e:03:51:98:d0:
                    7c:58:5e:ad:d5:15:11:18:9f:e4:8d:53:90:ca:c9:
                    6e:d8:c8:58:be:2d:3c:81:a6:cd:83:cd:5f:d7:4b:
                    b7:43:17:f0:e2:10:f4:ce:e6:fe:9d:2f:15:6c:28:
                    8d:9f:51:2a:30:ae:92:b4:63:f9:9c:40:00:e4:e3:
                    f0:a0:08:de:dd:29:05:0a:35:d8:a6:6a:2c:76:4c:
                    d1:bd:14:bb:85:33:b6:4c:07:2a:69:2a:85:a3:51:
                    ae:a3:58:51:3e:32:bc:4c:96:04:00:8b:bc:7c:70:
                    86:e5:b6:d8:a5:88:db:84:64:87:0d:9c:29:02:0e:
                    7d:6b:5f:06:96:49:82:41:5f:43:b2:69:fb:0b:34:
                    11:bc:c1:ed:26:e3:a0:a1:b3:26:bc:9d:89:74:3c:
                    b0:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:

As shown, the Certificate Authority (CA) that issued that EKCert is "Microsoft Hyper-V CA".
In a TPM-based Remote Attestation scenario, the CA that issues the EKCert needs to be available to the Attestation Server so it can verify that the EKCert is trusted.
I could not find any documentation or blog post on where this "Microsoft Hyper-V CA" certificate is located. I guess by the Validity field dates that the certificate is local to my Hyper-V host, but I can't find a CA with that subject anywhere on my development laptop running Windows 10.

How can I access the "Microsoft Hyper-V CA"?
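The server-side check the question refers to, written out as an added example (this is not code from the question, from Microsoft, or from Hyper-V). It constructs a throwaway CA and an EK-style leaf certificate purely so it can run offline; the CA name "Example vTPM CA (constructed)", the leaf name and the validity periods are placeholders standing in for "Microsoft Hyper-V CA" and the vTPM EKCert shown above. The point it demonstrates is the one the question makes: with the issuing CA in the server's trust store the EKCert verifies, and without it verification fails with an unknown-authority error, which is exactly what an attestation server will report if the Hyper-V CA cannot be obtained.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestChain is a constructed CA plus an EK-style leaf it signed (both DER).
// It stands in for "Microsoft Hyper-V CA" and the vTPM EKCert from the thread;
// the names are placeholders, not real Hyper-V material.
type TestChain struct {
	CADER   []byte
	LeafDER []byte
}

// BuildTestChain generates the constructed chain. A real attestation server is
// instead handed the CA certificate out of band and reads the EKCert from the TPM.
func BuildTestChain(now time.Time) (*TestChain, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example vTPM CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	// The EK itself: RSA 2048, like the modulus in the thread. EK certificates carry
	// no server/client-auth EKU; the key is only ever used for decryption.
	ekKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Virtual TPM EK (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour), // one-year validity, as in the thread's EKCert
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &ekKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &TestChain{CADER: caDER, LeafDER: leafDER}, nil
}

// PoolFromDER builds the attestation server's trust store from DER-encoded CA certs.
func PoolFromDER(ders ...[]byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		pool.AddCert(c)
	}
	return pool, nil
}

// VerifyEKCert is the server-side check the question describes: parse the DER read
// from the EK certificate NV index and confirm it chains to a trusted EK CA at time at.
// It returns the issuer CN so a failure message can name the CA that is missing.
func VerifyEKCert(ekDER []byte, trusted *x509.CertPool, at time.Time) (string, error) {
	cert, err := x509.ParseCertificate(ekDER)
	if err != nil {
		return "", fmt.Errorf("EKCert does not parse: %w", err)
	}
	opts := x509.VerifyOptions{
		Roots:       trusted, // never pass nil: nil silently falls back to the OS root store
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // EK certs have no EKU
	}
	_, err = cert.Verify(opts)
	return cert.Issuer.CommonName, err
}

// IsUnknownAuthority reports whether verification failed because the issuing CA
// is absent from the trust store (the situation described in the thread).
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	now := time.Now()
	chain, err := BuildTestChain(now)
	if err != nil {
		panic(err)
	}
	withCA, _ := PoolFromDER(chain.CADER)
	issuer, err := VerifyEKCert(chain.LeafDER, withCA, now)
	fmt.Printf("CA present: issuer=%q err=%v\n", issuer, err)

	issuer, err = VerifyEKCert(chain.LeafDER, x509.NewCertPool(), now)
	fmt.Printf("CA missing: issuer=%q unknownAuthority=%v\n", issuer, IsUnknownAuthority(err))
}
```

In a real deployment the DER passed to VerifyEKCert is the bytes read from the NV index with tpm2-tools, and the pool holds the vendor or hypervisor EK CA certificates obtained out of band; the roots pool is deliberately never nil, because Go's x509 treats a nil Roots as "use the system store", which would turn a missing EK CA into a silent fallback rather than a failure.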


4 answers

  1. Mico Mi 1,921 Reputation points
    2021-01-20T08:00:20.163+00:00

    Hi,
    Since I’m not familiar with the TPM EKCert, can you find the certificate in Console-Certificates in your Hyper-V host or VM?
    58465-image.png
    I hope this doc could give you some help:
    https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-troubleshoot-hgs

    Thanks for your time!
    Best Regards,
    Mico Mi

    -----------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Nicolas Oliver 1 Reputation point
    2021-01-20T16:00:11.95+00:00

    Hello @Mico Mi ,

    I opened certlm to search the "Microsoft Hyper-V CA" cert, but could not find it.

    58663-microsoft-hyper-v-ca-not-found.jpg

    I also tried searching for the EKCert by Serial Number in all the stores, but it was not found either.

    58654-search-by-serial-number-not-found.jpg

    Is there any special location where Hyper-V stores the certs?


  3. Mico Mi 1,921 Reputation points
    2021-01-21T08:30:48.327+00:00

    Hi,
    Maybe you can try the following steps:

    1. Open Microsoft Management Console. Click Start, click Run, type mmc, and then click OK.
    2. Under the File menu, click Add/Remove Snap-in.
    3. Under Available snap-ins, click Certificates.
    4. Click Service account, and then click Next.
    5. Click Local computer and then click Next.
    6. In the Service account list, select Hyper-V Virtual Machine Management and then click Finish.
    7. In the navigation pane, expand Certificates.

    If you cannot find it in the above service account, you can try to add other Hyper-V services.
    58960-image.png

    Thanks for your time!
    Best Regards,
    Mico Mi



  4. Nicolas Oliver 1 Reputation point
    2021-01-22T16:42:41.873+00:00

    No luck with this cert.

    I have added all the hyper-v services to the console, and visually inspected the stores, and used the find widget to search for the cert.
    And I still get a not found.

    59644-cert-not-found-in-any-store.jpg