Petr Gotthard

Brilliant! Thank you for your perseverance.

Could it be the case you have `tpm2-tss` version 3.x and you didn't define `HAVE_TSS2_ESYS3`? I forgot to tell you this. Linux is doing this automatically, but on Windows (when...

There is also `#ifdef WITH_TSS2_RC`, which enables nicer TPM error codes. It requires `tss2-rc`. If you have built that (which is likely the case) I recommend defining `WITH_TSS2_RC` too. It...

This may be worse, unfortunately. Will you please send me the entire stderr trace that did end with the above error?

Oh, I missed the 0x80280400 error. You don't need to send me anything, the blocked ContextSave is the problem.

This is sad. I use ContextSave/ContextLoad for duplicating contexts, which is required to implement OpenSSL's hash sequence duplication. Not every OpenSSL operation requires duplicated sequences, but there are few. Let...

I don't think the pytss can create X.509 certificates. The `tpm2_pytss.ESAPI.certify` is [tpm2_certify](https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_certify.1.md), which is something completely different. To be honest, I am not aware of anything else suitable (other...

The manual is slightly confusing in this respect. It is optional at the lower layer only-- there can be a provider that does not implement `OSSL_FUNC_SIGNATURE_DUPCTX`, but such provider cannot...

And could you please write a draft test script indicating what should be the end result? Some shell script that would setup the TPM, create whatever needs to be created...

I suspect it may be because the certificate subject (`-subj`) does not match the server name.