swtpm-localca(8)                                              swtpm-localca(8)



NAME

       swtpm-localca  - Local CA to create EK and platform certs for swtpm


SYNOPSIS

       swtpm-localca [OPTIONS]


DESCRIPTION

       swtpm-localca is a tool to create TPM Endorsement Key (EK) and platform
       certificates on the host. It uses the swtpm_cert program to create the
       certificates.

       The program will typically be invoked by the swtpm_setup program, which
       uses the /etc/swtpm_setup.conf configuration file, where a variable
       must be set that points to this program.  It implements the command
       line options that the swtpm_setup program uses to pass the necessary
       parameters to it.

       swtpm-localca will automatically try to create the signing key and
       certificate if the configuration points to a missing signing key.
       Since this certificate must be signed by a CA, a root certificate
       authority will also be created and will sign this certificate. The root
       CA's private key and certificate will be located in the same directory
       as the signing key and have the names swtpm-localca-rootca-privkey.pem
       and swtpm-localca-rootca-cert.pem respectively. The environment
       variable SWTPM_ROOTCA_PASSWORD can be set to supply the password of the
       root CA's private key.

       The following options are supported:

       --type type
           This parameter indicates the type of certificate to create. The
           type parameter must be one of ek or platform.

       --dir dir
           This parameter indicates the directory into which the certificate
           is to be stored.  The EK certificate is stored in this directory
           under the name ek.cert and the platform certificate under the name
           platform.cert.

       --ek ek
           This parameter indicates the modulus of the public key of the
           endorsement key (EK). The modulus is provided as a sequence of
           ASCII hex digits.

           In case ECC (elliptic curve cryptography) keys are used, the
           parameter must have the format --ek x=<hex digits>,y=<hex digits>.

       --vmid ID
           This parameter indicates the ID of the VM for which to create the
           certificate.

       --logfile <logfile>
           The log file to log output to; by default logging goes to stdout
           and stderr on the console.

       --configfile <configuration file>
           The configuration file to use. If omitted, the default
           configuration file /etc/swtpm-localca.conf will be used.

       --optsfile <options file>
           The options file to use. If omitted, the default options file
           /etc/swtpm-localca.options will be used.

       --tpm-spec-family, --tpm-spec-revision, --tpm-spec-level
           TPM specification parameters that describe the specification that
           was followed for the TPM implementation. The parameters will be
           passed to swtpm_cert for the creation of the EK certificate.

       --tpm2
           Create TPM 2 compliant certificates.

       --allow-signing
           Create an EK certificate that also allows the EK to be used for
           signing. Without this option, the EK can only be used for key
           encipherment. This option requires --tpm2.

       --decryption
           If --allow-signing is passed and the EK should also be usable for
           key encipherment, this option must be passed as well. Without
           --allow-signing, key encipherment is the default. This option
           requires --tpm2.

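       The following is an added example; it is not part of the swtpm project
       and does not run swtpm-localca itself. It shows how the two --ek value
       formats and the --allow-signing/--decryption dependency on --tpm2
       described above can be checked before the tool is invoked by hand, for
       instance when swtpm_setup is not used. The hex EK values, the VM ID
       vm-demo and the directory /tmp/ek-demo are assumptions made for the
       demonstration, and ek_arg_kind and build_localca_cmd are helper names
       chosen here.

```shell
#!/bin/sh
# Added example, not part of swtpm: validate an --ek value in the two formats
# swtpm-localca(8) accepts and assemble the command line that swtpm_setup
# would otherwise build. All EK values, the VM ID and the directory used in
# the demo calls at the bottom are constructed for this example.

# Classify an --ek value: "rsa" for a bare hex modulus, "ecc" for the
# x=<hex>,y=<hex> form used with elliptic-curve EKs. Anything else fails.
ek_arg_kind() {
    if printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]+$'; then
        echo rsa
    elif printf '%s\n' "$1" | grep -Eq '^x=[0-9a-fA-F]+,y=[0-9a-fA-F]+$'; then
        echo ecc
    else
        return 1
    fi
}

# Print the swtpm-localca command line for one certificate.
#   build_localca_cmd <ek|platform> <dir> <ek-value> <vmid> [tpm2|tpm12] [usage]
# usage is empty (key encipherment only, the default), "signing"
# (--allow-signing) or "signing+decryption" (--allow-signing --decryption).
# Both EK usage options require --tpm2, so they are refused for tpm12.
build_localca_cmd() {
    ctype="$1"; dir="$2"; ek="$3"; vmid="$4"
    family="${5:-tpm2}"; ekusage="${6:-}"

    case "$ctype" in
        ek|platform) ;;
        *) echo "build_localca_cmd: unsupported --type '$ctype'" >&2; return 1 ;;
    esac
    ek_arg_kind "$ek" >/dev/null ||
        { echo "build_localca_cmd: malformed --ek value" >&2; return 1; }

    opts=""
    case "$family" in
        tpm2)  opts=" --tpm2" ;;
        tpm12) ;;
        *) echo "build_localca_cmd: family must be tpm2 or tpm12" >&2; return 1 ;;
    esac
    case "$ekusage" in
        '') ;;
        signing)            opts="$opts --allow-signing" ;;
        signing+decryption) opts="$opts --allow-signing --decryption" ;;
        *) echo "build_localca_cmd: unknown EK usage '$ekusage'" >&2; return 1 ;;
    esac
    if [ -n "$ekusage" ] && [ "$family" != tpm2 ]; then
        echo "build_localca_cmd: --allow-signing/--decryption require --tpm2" >&2
        return 1
    fi

    printf '%s\n' "swtpm-localca --type $ctype --dir $dir --ek $ek --vmid $vmid$opts"
}

# Demo: the command lines are only printed; run them on a host with swtpm
# installed. The RSA modulus and EC point below are made-up hex, not real keys.
build_localca_cmd ek /tmp/ek-demo 00c0ffee1234 vm-demo tpm2 signing+decryption
build_localca_cmd platform /tmp/ek-demo 'x=0a1b2c,y=3d4e5f' vm-demo tpm2
```

       Run the printed command on a host where swtpm is installed; the result
       is written as ek.cert or platform.cert into the --dir directory, and on
       first use the root CA files named in DESCRIPTION are created next to
       the configured signing key if it is missing.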

SEE ALSO

       swtpm-localca.conf, swtpm-localca.options, swtpm_setup,
       swtpm_setup.conf


REPORTING BUGS

       Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>



swtpm                             2017-11-13                  swtpm-localca(8)