swtpm-localca(8)                                              swtpm-localca(8)

NAME
       swtpm-localca - Local CA to create EK and platform certs for swtpm

SYNOPSIS
       swtpm-localca [OPTIONS]

DESCRIPTION
       swtpm-localca is a tool that creates TPM Endorsement Key (EK) and
       platform certificates on the host. It invokes the swtpm_cert program
       to create the certificates.

       The program is typically invoked by swtpm_setup, which reads the
       /etc/swtpm_setup.conf configuration file; a variable in that file
       must point to this program. The command line options listed below
       are the ones swtpm_setup uses to pass it the required parameters.

       If the configuration points to a signing key that does not exist,
       swtpm-localca automatically creates the signing key and its
       certificate. Because that certificate must itself be signed by a
       CA, a root certificate authority is created at the same time and
       signs it. The root CA's private key and certificate are placed in
       the same directory as the signing key, under the names
       swtpm-localca-rootca-privkey.pem and swtpm-localca-rootca-cert.pem
       respectively. That directory holds the root of trust for every
       certificate the local CA issues, so its permissions should be
       restricted to the user that runs swtpm_setup. The environment
       variable SWTPM_ROOTCA_PASSWORD can be set to the password that
       protects the root CA's private key.
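
       The following is an added example, not text from the swtpm project
       or its man pages, of how the two configuration files fit together.
       The keys create_certs_tool, create_certs_tool_config and
       create_certs_tool_options are those of swtpm_setup.conf; statedir,
       signingkey, issuercert and certserial are those of
       swtpm-localca.conf (both files have their own pages, listed under
       SEE ALSO). The paths, the install location of the tool and the
       platform values are assumed for this example.

```ini
# /etc/swtpm_setup.conf (assumed path): point swtpm_setup at this tool
create_certs_tool = /usr/share/swtpm/swtpm-localca
create_certs_tool_config = /etc/swtpm-localca.conf
create_certs_tool_options = /etc/swtpm-localca.options

# /etc/swtpm-localca.conf: where the local CA keeps its keys and state
statedir = /var/lib/swtpm-localca
signingkey = /var/lib/swtpm-localca/signkey.pem
issuercert = /var/lib/swtpm-localca/issuercert.pem
certserial = /var/lib/swtpm-localca/certserial

# /etc/swtpm-localca.options: extra swtpm_cert options, one per line
# (constructed sample values)
--platform-manufacturer ExampleCorp
--platform-version 1.0
--platform-model ExampleVM
```

       On the first run with signkey.pem absent, the directory named in
       signingkey also receives swtpm-localca-rootca-privkey.pem and
       swtpm-localca-rootca-cert.pem, the root that signs issuercert.pem.
       Export SWTPM_ROOTCA_PASSWORD before that first run if the root key
       is to be password protected, and keep the directory readable only
       by the account that runs swtpm_setup.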

       The following options are supported:

       --type type
           This parameter indicates the type of certificate to create. The
           type parameter may be either ek or platform.

       --dir dir
           This parameter indicates the directory in which the certificate
           is stored. The EK certificate is written to this directory under
           the name ek.cert and the platform certificate under the name
           platform.cert.

       --ek ek
           This parameter provides the modulus of the endorsement key's
           (EK's) public key as a sequence of ASCII hex digits.

           For ECC (elliptic curve cryptography) keys, the parameter must
           have the format --ek x=<hex digits>,y=<hex digits>.

       --vmid ID
           This parameter indicates the ID of the VM for which to create
           the certificate.

       --logfile <logfile>
           The log file to write output to; by default, logging goes to
           stdout and stderr on the console.

       --configfile <configuration file>
           The configuration file to use. If omitted, the default
           configuration file /etc/swtpm-localca.conf is used.

       --optsfile <options file>
           The options file to use. If omitted, the default options file
           /etc/swtpm-localca.options is used.

       --tpm-spec-family, --tpm-spec-revision, --tpm-spec-level
           TPM specification parameters describing the specification that
           the TPM implementation follows. They are passed through to
           swtpm_cert for the creation of the EK certificate.

       --tpm2
           Create TPM 2.0 compliant certificates.

       --allow-signing
           Create an EK certificate whose key may also be used for
           signing. Without this option, the EK is restricted to key
           encipherment. This option requires --tpm2.

       --decryption
           If --allow-signing is passed and the EK should also remain
           usable for key encipherment, this option must be passed as
           well. Otherwise key encipherment is the default. This option
           requires --tpm2.
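
       The following is an added example written for this page, not code
       from swtpm or swtpm_setup. It composes the command line that a
       caller such as swtpm_setup would pass to swtpm-localca, showing
       both --ek encodings (RSA modulus, and x=,y= for ECC with each
       coordinate padded to the curve's field width) and enforcing the
       --tpm2 dependency of --allow-signing and --decryption before
       anything runs. The helper names, the tool path, the P-256 default
       and the sample key values are this example's own assumptions; a
       real EK public key is read from the TPM.

```python
"""Compose a swtpm-localca command line the way swtpm_setup would.

Added example written for this page; none of these helpers are part of
swtpm or swtpm_setup, and every key value below is a constructed sample,
not a real TPM key.
"""
import os
import shlex

# Field width of NIST P-256, one curve commonly used for ECC EKs
# (assumed default for this example).
P256_COORD_BYTES = 32


def ek_arg_rsa(modulus: int) -> str:
    """--ek value for an RSA EK: the public modulus as ASCII hex digits.

    The modulus is a byte string, so the digit count is kept even; a bare
    format(n, "x") would silently drop a leading zero nibble.
    """
    if modulus <= 0:
        raise ValueError("modulus must be a positive integer")
    digits = format(modulus, "x")
    return digits if len(digits) % 2 == 0 else "0" + digits


def ek_arg_ecc(x: int, y: int, coord_bytes: int = P256_COORD_BYTES) -> str:
    """--ek value for an ECC EK in the x=<hex>,y=<hex> form.

    Each coordinate is zero-padded to the curve's field width, so a point
    whose coordinate starts with zero bytes encodes to the same length as
    any other point on the curve.
    """
    width = 2 * coord_bytes
    for name, value in (("x", x), ("y", y)):
        if not 0 <= value < (1 << (8 * coord_bytes)):
            raise ValueError(f"{name} does not fit in {coord_bytes} bytes")
    return f"x={x:0{width}x},y={y:0{width}x}"


def localca_cmdline(cert_type, ek, directory, *, vmid=None, tpm2=False,
                    allow_signing=False, decryption=False, configfile=None,
                    optsfile=None, logfile=None, tpm_spec=None,
                    tool="swtpm-localca"):
    """Return the argv for one swtpm-localca invocation.

    tpm_spec is a (family, revision, level) triple for the --tpm-spec-*
    options. The dependencies documented above (--allow-signing and
    --decryption need --tpm2) are checked here so a bad combination
    fails before anything is executed.
    """
    if cert_type not in ("ek", "platform"):
        raise ValueError("--type must be ek or platform")
    if (allow_signing or decryption) and not tpm2:
        raise ValueError("--allow-signing and --decryption require --tpm2")
    argv = [tool, "--type", cert_type, "--ek", ek, "--dir", directory]
    for flag, value in (("--vmid", vmid), ("--configfile", configfile),
                        ("--optsfile", optsfile), ("--logfile", logfile)):
        if value is not None:
            argv += [flag, value]
    if tpm_spec is not None:
        family, revision, level = tpm_spec
        argv += ["--tpm-spec-family", str(family),
                 "--tpm-spec-revision", str(revision),
                 "--tpm-spec-level", str(level)]
    for flag, enabled in (("--tpm2", tpm2), ("--allow-signing", allow_signing),
                          ("--decryption", decryption)):
        if enabled:
            argv.append(flag)
    return argv


def cert_path(cert_type, directory):
    """File the tool writes under --dir: ek.cert or platform.cert."""
    return os.path.join(directory, f"{cert_type}.cert")


if __name__ == "__main__":
    # Constructed sample values; a real deployment reads the EK public key
    # from the TPM and swtpm_setup supplies the spec triple.
    rsa_modulus = 0xC0FFEE00DEADBEEF0123456789ABCDEF
    ecc_point = (0x1234, 0x5678)
    for ek in (ek_arg_rsa(rsa_modulus), ek_arg_ecc(*ecc_point)):
        argv = localca_cmdline("ek", ek, "/tmp/vm1", vmid="vm1", tpm2=True,
                               allow_signing=True, decryption=True,
                               tpm_spec=("2.0", 0, 0))
        print(" ".join(shlex.quote(arg) for arg in argv))
    print("result expected at", cert_path("ek", "/tmp/vm1"))
```

       The padding in ek_arg_ecc is the part worth copying: a coordinate
       that happens to begin with zero bytes must still be emitted at the
       curve's full width, or the value handed to --ek changes length from
       one key to the next.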

SEE ALSO
       swtpm-localca.conf, swtpm-localca.options, swtpm_setup,
       swtpm_setup.conf

REPORTING BUGS
       Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>

swtpm                             2017-11-13                  swtpm-localca(8)