Crypto/TLS: golang version of openssl tpm engine

I’m looking for a golang version of openssl-tpm-engine, is there one? Not sure if golang TLS supports engines/plugins.
Could not find much info on this topic on the internet, the closest thing I found was the Decryptor and Signer interfaces (

Any pointers on this is greatly appreciated.
Thank you!

Try the code below.
This generates TLS certificate files.

```shell
sudo go run $GOROOT/src/crypto/tls/generate_cert.go --host hostname
```


Looks like a Homebrew path. A universally applicable alternative would be $(go env GOROOT)/src....


Thanks, I’m lazy 😎


Sorry, I was not clear in my original question. I want to know if Go TLS supports an engine/plugin similar to the OpenSSL engine, where one could use the TPM to store the keys safely, programmatically load the engine, and have OpenSSL access/load the keys, similar to what has been described in this blog.

You got pretty close; you additionally need tls.Config and tls.Certificate:

```go
var decrypter crypto.Decrypter
decrypter = <implement this>

cert := &tls.Certificate{}
cert.<other fields>
cert.PrivateKey = decrypter

conn, err := tls.Dial("tcp", "", &tls.Config{
	Certificates: []tls.Certificate{*cert},
})
```

I only found one crypto.Decrypter implementation (besides -

However, I guess you could implement one with… or use some OpenSSL binding to call the TPM.
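
As an added example (not code from this thread, from the Go project or from any TPM library), here is the pattern Egon describes carried through end to end: a type that satisfies crypto.Signer while keeping the key behind an opaque handle, plugged into tls.Certificate.PrivateKey for a TLS 1.3 handshake over an in-memory net.Pipe. The "device" is a hypothetical stand-in (a plain in-memory ECDSA key), and the hostname and certificate serial are constructed values; a real engine would forward the digest it receives in Sign to the TPM through a TPM library and return the device's signature.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// deviceKey is a hypothetical stand-in for a TPM key handle: the private
// scalar lives only inside "the device" (here an in-memory ECDSA key) and
// reaches crypto/tls solely through the crypto.Signer interface.
type deviceKey struct {
	device    *ecdsa.PrivateKey // would be a TPM handle in a real engine
	signCalls int               // how often someone asked the device to sign
}

// Compile-time check that crypto/tls can accept this as tls.Certificate.PrivateKey.
var _ crypto.Signer = (*deviceKey)(nil)

func (k *deviceKey) Public() crypto.PublicKey { return &k.device.PublicKey }

// Sign receives only a digest, never the message or the key; a real engine
// would hand the digest to the TPM and return its ASN.1 DER signature.
func (k *deviceKey) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	k.signCalls++
	return ecdsa.SignASN1(r, k.device, digest)
}

// selfSignedLeaf issues a certificate for the signer's public key and signs it
// with the signer itself, so issuance also never touches raw key material.
func selfSignedLeaf(signer crypto.Signer, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed sample serial
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Result reports what the in-memory handshake observed.
type Result struct {
	SignCalls int    // issuance + CertificateVerify: proves tls went through the Signer
	Version   uint16 // negotiated TLS version
	Echo      string // application data that crossed the encrypted connection
}

// Handshake runs a TLS 1.3 server whose key is the opaque deviceKey against a
// client that pins the self-signed leaf, entirely over net.Pipe (no sockets).
func Handshake() (Result, error) {
	const host = "tpm.example.test" // constructed hostname
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	key := &deviceKey{device: priv}
	leaf, err := selfSignedLeaf(key, host)
	if err != nil {
		return Result{}, err
	}
	// The tls.Certificate carries the Signer, not private key bytes.
	serverCert := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	server := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // the synchronous pipe must not block on post-handshake tickets
	})
	client := tls.Client(cliConn, &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS13})

	// Server side: handshake, then echo one 4-byte application-data message.
	errCh := make(chan error, 1)
	go func() {
		if err := server.Handshake(); err != nil {
			errCh <- err
			return
		}
		buf := make([]byte, 4)
		if _, err := io.ReadFull(server, buf); err != nil {
			errCh <- err
			return
		}
		_, err := server.Write(buf)
		errCh <- err
	}()

	if err := client.Handshake(); err != nil {
		return Result{}, fmt.Errorf("client handshake: %w", err)
	}
	if _, err := client.Write([]byte("ping")); err != nil {
		return Result{}, err
	}
	echo := make([]byte, 4)
	if _, err := io.ReadFull(client, echo); err != nil {
		return Result{}, err
	}
	if err := <-errCh; err != nil { // also orders the signCalls read after the server's writes
		return Result{}, fmt.Errorf("server: %w", err)
	}
	return Result{SignCalls: key.signCalls, Version: client.ConnectionState().Version, Echo: string(echo)}, nil
}

func main() {
	r, err := Handshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 0x%04x negotiated, device signed %d time(s), echo %q\n", r.Version, r.SignCalls, r.Echo)
}
```

Two things worth noting from this: crypto/tls only ever hands the Signer a digest and a crypto.SignerOpts, so the handshake never needs the key itself, which is exactly the property a TPM-backed key wants; and crypto.Decrypter is only consulted for RSA key-exchange cipher suites in TLS 1.2 and earlier, so a TLS 1.3 (or ECDHE-only) deployment needs nothing beyond crypto.Signer.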


Thanks Egon for the useful links.
