[Bug]: step-ca 0.28.3 use tpm2.0 get error "failed opening TPM: failed opening TPM: stat /dev/tpmrm0: no such file or directory"

[yangfande362]

Steps to Reproduce

I follow the TPM2.0 guideline, use "step kms" generate the intermediate_key in TPM2.0,
then use "step ca certificate --csr" get a intermediate.csr;
and get the intermediate.crt via a offline Root CA; after all , I replaced the crt in the .step/certs and modified the ca.json as the guideline, while run "sudo systemctl restart step-ca" get a error "failed opening TPM: failed opening TPM: stat /dev/tpmrm0: no such file or directory".

while I try to use "sudo step-ca /etc/step-ca/config/ca.json" to start a step-ca, get a error "failed getting key "intermediate-ca": not found", but I can get the key via "sudo step kms key 'tpmkms:name=intermediate-ca'"

Your Environment

• OS - Ubuntu22.04
• step-ca Version - 0.28.3, which build via source with CGO

Expected Behavior

I wish step-ca can work fine with TPM2.0.

Actual Behavior

I can use "step kms" generate the key, and get the intermediate.crt, but when I try to start step-ca, It failure to start.

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[hslatman]

Objects that are backed by a TPM are stored in a user-dependent directory: .step/tpm. It'll depend on which user executed certain commands where certain files will be. If you execute some command(s) as sudo, they'll likely be in /root/.step/tpm. Otherwise they'll reside in a directory under your user. You'll need to ensure that both the CA as well as your KMS invocations use 1) the same user, or 2) point to the same TPM storage directory (with tpmkms:storage-directory). For 1, you may need to add the CA user to the tss2 group. For 2, you'll have to change the URIs in your ca.json.