A Trusted Platform Module (TPM) works almost like a Smart Card. The main difference is that a TPM is soldered to your motherboard.
In order to use a TPM for authentication with SSH, two prerequisites are needed:
The following command will create a virtual Smart Card under Windows 10/11 (administrator rights needed):
tpmvscmgr.exe create /name TPM-Card /pin prompt /puk prompt /pinpolicy minlen 6 /adminkey random /generate
The virtual Smart Card will be empty. One way to store a private key on such a Smart Card is to import a PKCS#12 file. But Windows will only import private keys into a Smart Card if the following values have been set in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
"AllowPrivateSignatureKeyImport"=dword:1
"AllowPrivateExchangeKeyImport"=dword:1
When these values have been set, a PKCS#12 file can be imported with:
certutil -csp "Microsoft Base Smart Card Crypto Provider" -importpfx cert-plus-key.p12
You will find explanations on the Internet on how to create a PKCS#12 file containing a private key and a self-signed certificate with OpenSSL.
Pageant.exe will use the private key only, so use whatever certificate you like.
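As an added example (not part of the original page or of Pageant itself), the steps above as one PowerShell script that creates the PKCS#12 file with OpenSSL, enables the two import values only for the duration of the import, and removes them and the plaintext key file again afterwards. It assumes the virtual Smart Card already exists, that openssl.exe and certutil.exe are on PATH, and the file names and certificate subject are placeholders chosen for this example.

```powershell
# Added example, not from the original page: import a private key into the TPM
# virtual smart card while keeping the import-permitting registry values in place
# only as long as the import takes. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$Provider    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$ImportFlags = 'AllowPrivateSignatureKeyImport', 'AllowPrivateExchangeKeyImport'
$KeyFile     = 'ssh-key.pem'        # placeholder file names
$CertFile    = 'ssh-cert.pem'
$Pfx         = 'cert-plus-key.p12'

# 1. Build the PKCS#12 container from a fresh RSA key and a self-signed certificate.
#    Pageant only uses the private key, so the certificate subject is arbitrary.
#    Both openssl calls prompt for the PKCS#12 export password.
& openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=ssh-tpm-example' `
    -keyout $KeyFile -out $CertFile
& openssl pkcs12 -export -inkey $KeyFile -in $CertFile -out $Pfx
if ($LASTEXITCODE -ne 0) { throw 'openssl failed to create the PKCS#12 file' }

# 2. Temporarily allow private key import into the Base Smart Card Crypto Provider.
foreach ($flag in $ImportFlags) {
    New-ItemProperty -Path $Provider -Name $flag -Value 1 -PropertyType DWord -Force | Out-Null
}

try {
    # 3. Import the PKCS#12 file into the virtual smart card (prompts for the
    #    PKCS#12 password and the card PIN), exactly as on the page.
    & certutil -csp 'Microsoft Base Smart Card Crypto Provider' -importpfx $Pfx
    if ($LASTEXITCODE -ne 0) { throw 'certutil import failed' }
}
finally {
    # 4. Remove the import values again so the provider goes back to refusing
    #    key import, and delete the files that hold the key in plaintext.
    foreach ($flag in $ImportFlags) {
        Remove-ItemProperty -Path $Provider -Name $flag -ErrorAction SilentlyContinue
    }
    Remove-Item $KeyFile, $Pfx -Force -ErrorAction SilentlyContinue
}

# 5. Show what is now on the card; the imported certificate should be listed.
& certutil -scinfo
```

After the script has run, only the card holds the private key; the remaining ssh-cert.pem contains just the public certificate.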
For testing purposes you might use the demo keys from the download area.