I want to deploy per-device client certificates to Windows workstations via Intune SCEP, with the private key generated and bound to the TPM (Microsoft Platform Crypto Provider, non-exportable). Winlogbeat would then use that cert for Kafka output.kafka mTLS, without ever exporting the key to disk.
A few questions:
- Does Winlogbeat support referencing a client certificate directly from the Windows Certificate Store (e.g. store://LocalMachine/My/<thumbprint> or similar)? If so, what's the current supported syntax, and from which version?
- Does that path work with a TPM-bound, non-exportable private key? I.e., does Winlogbeat go through Schannel/CNG so the TPM handles signing, or does it expect raw key material it can read itself?
- If TPM-bound keys aren't supported directly, is there a recommended pattern, or is Software KSP with an on-disk PFX the documented approach?
Filebeat version: 9.3.1
Thanks a lot in advance!