Hi,
We have an issue on some older TPM 1.2 devices with user certs being used for Always On VPN.
It seems this is an existing issue for RSA algorithms on these older modules, with TPM 2.0 not suffering the same issue.
As we deploy VPN user auth certs via AD CA enrollment, we want to find out if there is a way to store this cert/key in a software crypto provider, only on those machines that have TPM 1.2 modules.
We can obviously update the cert template to remove the Platform Crypto Provider option, but we would prefer, if possible, to keep TPM 2.0 devices storing the cert in the hardware TPM module.
Many thanks.
James
Hi,
Anyone advise any way of doing this, or do we have to just make a decision on whether to store this cert/key in software for ALL machines?
Cheers
James
We have decided to simply have this particular cert set to store in the software provider, rather than hardware, which resolves our issue (albeit not in a perfect way).