
CSR, Certificate validation error

Open hoinmic opened this issue 1 year ago • 3 comments

Hello all,

I am stuck with OpenSSL at one point. We send a CSR from a TPM to the PKI and the PKI sends back a certificate. Unfortunately, the certificate verification fails. The PKI has existed for some time and must continue to be used. The PKI signs the certificates with SHA512. The TPM, for its part, can use algorithms up to SHA384 (Infineon TPM 9673). The problem is that OpenSSL uses the TPM (which does not support this algorithm) to validate the certificate. In my opinion, OpenSSL could do this without the TPM.

I have now tried a few things with the propquery. For example:

```shell
...
-provider tpm2 -provider default -propquery '?provider=tpm2,provider-signature!=yes'
...
```

But I always failed.

The procedure is as follows:

```shell
.....
# Quoting the variables and the property query avoids word splitting and
# history expansion of "!=" in an interactive shell.
openssl req -provider tpm2 -new \
    -subj "$csr_subject" \
    -key "handle:$handle" \
    -out "$client_crs_file" \
    -sha384

openssl cmp -provider tpm2 -provider default \
    -propquery '?provider=tpm2,provider-signature!=yes' \
    -cmd ir \
    -config "" \
    -server 192.168.251.40:80 \
    -path /api/cmp \
    -unprotected_requests \
    -unprotected_errors \
    -srvcert IssuingCA2018.cacert.pem \
    -subject "$csr_subject" \
    -csr "$client_crs_file" \
    -certout "$received_cert" \
    -extracertsout "$received_extracert" \
    -newkey "handle:$handle" \
    -verbosity 8
```

The CMP IR displays the following response:

```
CMP info: sending IR
CMP info: received IP
CMP DEBUG: validating CMP message
WARNING:esys:/usr/src/debug/tpm2-tss/4.0.1/src/tss2-esys/api/Esys_LoadExternal.c:314:Esys_LoadExternal_Finish() Received TPM Error
ERROR:esys:/usr/src/debug/tpm2-tss/4.0.1/src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002e6)
CMP warning: CMP message signature verification failed
CMP error: cannot load key:742 tpm:parameter(2):curve not supported
CMP error: EVP lib
CMP error: error validating signature
```

Does anyone have any ideas what we could change or what we are doing wrong?

hoinmic · Sep 16 '24 06:09
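An added example, not code from the issue or from the tpm2-openssl / tpm2-tss projects: a small decoder for the raw TPM response code `0x000002e6` that appears in the log above. The code is a format-one TPM_RC: bit 7 set, bit 6 set (the problem is a command parameter), parameter number 2, error number 0x026, which is TPM_RC_CURVE, the code tss2-rc renders as `tpm:parameter(2):curve not supported`. That tells you the failure happens while the tpm2 provider loads the CA's public key into the TPM (`Esys_LoadExternal`) and the TPM rejects the key's curve, before any hashing takes place. The code-name tables below are transcribed by hand from TPM 2.0 Library Part 2 and the TSS layer numbers are assumed from the tpm2-tss `tss2_common.h` header; neither is imported from a library, so treat them as illustrative rather than authoritative.

```python
"""Decode TPM 2.0 / tpm2-tss response codes such as 0x000002e6.

Tables are hand-transcribed (assumed) from TPM 2.0 Part 2 and tpm2-tss
headers for illustration; they are not exhaustive.
"""

RC_FMT1 = 0x080   # bit 7: format-one code (carries handle/session/parameter info)
RC_VER1 = 0x100   # bit 8: TPM 2.0 format-zero code
RC_WARN = 0x900   # bits 8+11: format-zero warning

# Format-one error numbers (low 6 bits), TPM 2.0 Part 2, Table "TPM_RC".
FMT1_ERRORS = {
    0x001: "TPM_RC_ASYMMETRIC", 0x002: "TPM_RC_ATTRIBUTES", 0x003: "TPM_RC_HASH",
    0x004: "TPM_RC_VALUE", 0x005: "TPM_RC_HIERARCHY", 0x007: "TPM_RC_KEY_SIZE",
    0x008: "TPM_RC_MGF", 0x009: "TPM_RC_MODE", 0x00A: "TPM_RC_TYPE",
    0x00B: "TPM_RC_HANDLE", 0x00C: "TPM_RC_KDF", 0x00D: "TPM_RC_RANGE",
    0x00E: "TPM_RC_AUTH_FAIL", 0x00F: "TPM_RC_NONCE", 0x010: "TPM_RC_PP",
    0x012: "TPM_RC_SCHEME", 0x015: "TPM_RC_SIZE", 0x016: "TPM_RC_SYMMETRIC",
    0x017: "TPM_RC_TAG", 0x018: "TPM_RC_SELECTOR", 0x01A: "TPM_RC_INSUFFICIENT",
    0x01B: "TPM_RC_SIGNATURE", 0x01C: "TPM_RC_KEY", 0x01D: "TPM_RC_POLICY_FAIL",
    0x01F: "TPM_RC_INTEGRITY", 0x020: "TPM_RC_TICKET", 0x021: "TPM_RC_RESERVED_BITS",
    0x022: "TPM_RC_BAD_AUTH", 0x023: "TPM_RC_EXPIRED", 0x024: "TPM_RC_POLICY_CC",
    0x025: "TPM_RC_BINDING", 0x026: "TPM_RC_CURVE", 0x027: "TPM_RC_ECC_POINT",
}

# A few format-zero codes (full 12-bit value), same source.
FMT0_CODES = {
    0x100: "TPM_RC_INITIALIZE", 0x101: "TPM_RC_FAILURE", 0x103: "TPM_RC_SEQUENCE",
    0x120: "TPM_RC_DISABLED", 0x126: "TPM_RC_POLICY", 0x127: "TPM_RC_PCR",
    0x143: "TPM_RC_COMMAND_CODE", 0x144: "TPM_RC_AUTHSIZE", 0x153: "TPM_RC_NEEDS_TEST",
    0x901: "TPM_RC_CONTEXT_GAP", 0x902: "TPM_RC_OBJECT_MEMORY",
    0x904: "TPM_RC_MEMORY", 0x909: "TPM_RC_CANCELED", 0x90A: "TPM_RC_TESTING",
    0x921: "TPM_RC_LOCKOUT", 0x922: "TPM_RC_RETRY", 0x923: "TPM_RC_NV_UNAVAILABLE",
}

# tpm2-tss layer numbers in bits 16..23 (assumed from tss2_common.h).
TSS_LAYERS = {0: "tpm", 6: "fapi", 7: "esys", 8: "sys", 9: "mu",
              10: "tcti", 11: "resmgr", 12: "resmgr_tpm"}


def decode_tpm_rc(rc: int) -> dict:
    """Split a TSS2_RC into layer and TPM_RC fields and name the error."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    out = {"layer": layer, "layer_name": TSS_LAYERS.get(layer, f"layer{layer}")}
    if layer != 0:
        # Non-TPM layers carry TSS2_BASE_RC values, not TPM_RC; stop here.
        out.update(format=None, kind=None, index=None, name=f"TSS2_BASE_RC 0x{code:04x}")
        return out
    if code & RC_FMT1:
        err = code & 0x3F
        if code & 0x40:             # bit 6 set: a parameter is at fault
            kind, index = "parameter", (code >> 8) & 0xF
        elif code & 0x800:          # bit 11 set: an authorization session
            kind, index = "session", (code >> 8) & 0x7
        else:                       # otherwise: a handle
            kind, index = "handle", (code >> 8) & 0x7
        out.update(format=1, kind=kind, index=index,
                   name=FMT1_ERRORS.get(err, f"TPM_RC_FMT1_0x{err:03x}"),
                   warning=False)
        return out
    # Format zero: V bit (0x100) marks a TPM 2.0 code, S bit (0x800) a warning.
    name = FMT0_CODES.get(code & 0xFFF, f"TPM_RC_FMT0_0x{code:03x}")
    out.update(format=0, kind=None, index=None, name=name,
               warning=bool(code & 0x800))
    return out


def format_tpm_rc(rc: int) -> str:
    """Render in the tss2-rc style used in the log: layer:location:name."""
    d = decode_tpm_rc(rc)
    if d["format"] == 1:
        return f"{d['layer_name']}:{d['kind']}({d['index']}):{d['name']}"
    return f"{d['layer_name']}:{d['name']}"


if __name__ == "__main__":
    # The code from the Esys_LoadExternal error above.
    print(format_tpm_rc(0x000002E6))  # tpm:parameter(2):TPM_RC_CURVE
```

Feed it the hex value from the `Esys Finish ErrorCode (...)` line; `tpm2_rc_decode` from tpm2-tools does the same job if it is installed on the box.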