1swtpm_cert(8)                                                    swtpm_cert(8)
2
3
4

NAME

6       swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)
7

SYNOPSIS

9       swtpm_cert [OPTIONS]
10

DESCRIPTION

12       swtpm_cert is a local CA tool for creating X.509v3 certificates for the
13       TPM's Endorsement Key. The reason for this specific tool is that it
14       works  without access to the Endorsement Key's private key. Typically
15       tools require either a self-signed certificate request or access to the
16       private key to issue a certificate.  This tool works with only the
17       public key part.
18
19       The following options are supported:
20
21       --type {ek|platform|aik}
22           The type of certificate to create; by default an EK certificate is
23           created.
24
25       --pubkey <filename>
26           The public key (EK) in PEM format.
27
28       --modulus <hex digits>
29           The modulus of the public key as a string of hex digits. This
30           option can be used in place of the --pubkey option.
31
32       <--ecc-x <hex digits>>
33           The elliptic curve parameter x as string of hex digits.
34
35       <--ecc-y <hex digits>>
36           The elliptic curve parameter y as string of hex digits.
37
38       --exponent <exponent>
39           The exponent of the public key. By default 0x10001 is assumed.
40
41       --signkey <filename>
42           The key used for signing the certificate. The file must be in PEM
43           format.
44
45       --signkey-password <password>
46           Optional password for the signing key.
47
48       --parent-password <password>
49           Optional password for a parent key. In case a TPM key is used for
50           signing this would be the password for the TPM's storage root key
51           (SRK).
52
53       --issuercert <filename>
54           The X.509 certificate of this signer that takes on the role of a
55           local CA.
56
57       --out-cert <filename>
58           The name of the file to write the X.509v3 certificate into. The
59           output will be in PEM format.
60
61       --serial <serial number>
62           Optional 32bit serial number for the certificate.
63
64       --days <number>
65           The number of days the certificate is valid; by default it is valid
66           for 365 days.
67
68       --pem
69           Write the resulting certificate in PEM format; DER format is the
70           default.
71
72       --tpm-manufacturer <name>
73           The name of the TPM manufacturer.
74
75       --tpm-model <model>
76           The TPM model (part number).
77
78       --tpm-version <version>
79           The TPM's firmware version.
80
81       --platform-manufacturer <name>
82           The name of the platform manufacturer.
83
84       --platform-model <model>
85           The platform model.
86
87       --platform-version <version>
88           The platform's version.
89
90       --subject <subject>
91           Subject to for example provide the location of the TPM in the
92           format of C=<country>,ST=<state>,L=<location>.  Note that the
93           location must no contain any spaces.
94
95       --tpm2
96           Issue TPM 2 compliant certificates.
97
98       --allow-signing
99           Create an EK that can also be used for signing. Without this
100           option, the EK can only be used for key encipherment. This option
101           requires --tpm2.
102
103       --decryption
104           If --allow-signing is passed and the EK should also be useable for
105           key encipherment, this option must be passed. Otherwise key
106           encipherment is the default. This option requires --tpm2.
107
108       --help, -h
109           Display the help screen
110

SEE ALSO

REPORTING BUGS

113       Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>
114
115
116
117swtpm                             2017-11-13                     swtpm_cert(8)
Impressum