1swtpm_cert(8)                                                    swtpm_cert(8)
2
3
4

NAME

6       swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)
7

SYNOPSIS

9       swtpm_cert [OPTIONS]
10

DESCRIPTION

12       swtpm_cert is a local CA tool for creating X.509v3 certificates for the
13       TPM's Endorsement Key. The reason for this specific tool is that it
14       works  without access to the Endorsement Key's private key. Typically
15       tools require either a self-signed certificate request or access to the
16       private key to issue a certificate.  This tool works with only the
17       public key part.
18
19       The following options are supported:
20
21       --type {ek|platform}
22           The type of certificate to create; by default an EK certificate is
23           created.
24
25       --pubkey <filename>
26           The public key (EK) in PEM format.
27
28       --modulus <hex digits>
29           The modulus of the public key as a string of hex digits. This
30           option can be used in place of the --pubkey option.
31
32       <--ecc-x <hex digits>>
33           The elliptic curve parameter x as string of hex digits.
34
35       <--ecc-y <hex digits>>
36           The elliptic curve parameter y as string of hex digits.
37
38       --exponent <exponent>
39           The exponent of the public key. By default 0x10001 is assumed.
40
41       --signkey <filename>
42           The key used for signing the certificate. The file must be in PEM
43           format.
44
45       --signkey-password <password>
46           Optional password for the signing key.
47
48       --signkey-pwd <pwd>
49           This is an alternative option for passing the signing key password.
50           The following formats are supported for pwd:
51
52             - <password>                   : direct password
53             - pass:<password>              : direct password
54             - file:<filename>              : password in file
55             - fd:<file descriptor>         : read password from file descriptor
56             - env:<environment variable>   : read password from env. variable
57
58           All passwords read from files and file descriptors must be a
59           maximum of 255 bytes (plus one byte for terminating NUL byte).
60
61       --parentkey-password <password>
62           Optional password for a parent key. In case a TPM key is used for
63           signing this would be the password for the TPM's storage root key
64           (SRK).
65
66       --parentkey-pwd <pwd>
67           This is an alternative option for passing the parentkey password.
68           See the description above for supported pwd formats.
69
70       --issuercert <filename>
71           The X.509 certificate of this signer that takes on the role of a
72           local CA.
73
74       --out-cert <filename>
75           The name of the file to write the X.509v3 certificate into. The
76           output will be in PEM format.
77
78       --serial <serial number>
79           Optional 32bit serial number for the certificate.
80
81       --days <number>
82           The number of days the certificate is valid; by default it is valid
83           for 365 days.
84
85       --pem
86           Write the resulting certificate in PEM format; DER format is the
87           default.
88
89       --tpm-manufacturer <name>
90           The name of the TPM manufacturer.
91
92       --tpm-model <model>
93           The TPM model (part number).
94
95       --tpm-version <version>
96           The TPM's firmware version.
97
98       --platform-manufacturer <name>
99           The name of the platform manufacturer.
100
101       --platform-model <model>
102           The platform model.
103
104       --platform-version <version>
105           The platform's version.
106
107       --subject <subject>
108           Subject to for example provide the location of the TPM in the
109           format of C=<country>,ST=<state>,L=<location>.  Note that the
110           location must no contain any spaces.
111
112       --tpm2
113           Issue TPM 2 compliant certificates.
114
115       --allow-signing
116           Create an EK that can also be used for signing. Without this
117           option, the EK can only be used for key encipherment. This option
118           requires --tpm2.
119
120       --decryption
121           If --allow-signing is passed and the EK should also be useable for
122           key encipherment, this option must be passed. Otherwise key
123           encipherment is the default. This option requires --tpm2.
124
125       --print-capabilities (since v0.3)
126           Print capabilities that were added to swtpm_cert after version 0.2.
127           The output may contain the following:
128
129               {
130                 "type": "swtpm_cert",
131                 "features": [
132                   "cmdarg-signkey-pwd",
133                   "cmdarg-parentkey-pwd"
134                 ]
135               }
136
137           The maining of the feature verbs is as follows:
138
139           cmdarg-signkey-pwd
140               The --signkey-pwd option is supported.
141
142           cmdarg-parentkey-pwd
143               The --parentkey-pwd option is supported.
144
145       --help, -h
146           Display the help screen
147

SEE ALSO

REPORTING BUGS
150       Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>
151
152
153
154swtpm                             2020-01-27                     swtpm_cert(8)



        

    


            
        

        

            Impressum