swtpm-create-tpmca(8)                                    swtpm-create-tpmca(8)


NAME

       swtpm-create-tpmca


SYNOPSIS

       swtpm-create-tpmca [OPTIONS]


DESCRIPTION

       swtpm-create-tpmca is a tool to create a TPM 1.2 based CA that can be
       used by swtpm-localca to sign EK and platform certificates.  The CA
       uses a GnuTLS key to sign certificates. To do this, GnuTLS talks to the
       TPM 1.2 using the tcsd (TrouSerS) daemon.

       Since the TPM CA's certificate must be signed by a CA, a root
       certificate authority will also be created and will sign this
       certificate. The root CA's private key and certificate will be located
       in the same directory as the signing key and have the names
       swtpm-localca-rootca-privkey.pem and swtpm-localca-rootca-cert.pem
       respectively. The environment variable SWTPM_ROOTCA_PASSWORD can be set
       to supply the password of the root CA's private key.

       Note: This tool is experimental. See the section on known issues below.

       The following options are supported:

28
       --dir dir
           The directory the keys will be written to. An existing root CA
           with the files swtpm-localca-rootca-privkey.pem and
           swtpm-localca-rootca-cert.pem in this directory will be reused. If
           either one of these files does not exist, a new root CA will be
           created.

       --overwrite
           Overwrite the contents of the output directory.

       --register
           Register the key with TCSD. For the key to be available for
           signing, the same user that created the TPM CA has to run
           swtpm-localca later on. If this option is not passed, the private
           key is written into a file and can be used by others as well.

       --key-password s
           The new signing key will get this password.

           Note: Due to a bug in GnuTLS certtool it may be necessary to use
           the same password for the signing key as for the SRK.

       --srk-password s
           The TPM SRK password.

           Note: Since GnuTLS tpmtool does not support the 'well known'
           password of 20 zero bytes, the SRK password must be set.

       --outfile filename
           The name of the file to write the swtpm-localca.conf
           configuration to.

       --owner owner
           The name or uid number of the owner who will own the directory and
           the outfile file. This option only has an effect if
           swtpm-create-tpmca is run by the root user.

       --group group
           The name or gid number of the group that will own the directory
           and the outfile file. This option only has an effect if
           swtpm-create-tpmca is run by the root user.

       --tss-tcsd-hostname hostname
           The hostname that tcsd is running on. The default hostname is
           'localhost'.

       --tss-tcsd-port port
           The TCP port on which tcsd is listening for messages. The default
           port is 30003.

       --tpm2
           The TPM to use for signing the certificates is a TPM 2; Intel's
           TSS stack (tpm2-abrmd) must be running along with its PKCS11
           module.  The TPM 2 PKCS11 module must have been initialized using
           tpm2_ptool.

           The environment variables SWTPM_PKCS11_PIN and SWTPM_PKCS11_SO_PIN
           should be set to hold the PINs. If SWTPM_PKCS11_PIN is not set,
           the default PIN 'swtpm-tpmca' will be used. SWTPM_PKCS11_SO_PIN is
           needed for creating the token and must be explicitly set as an
           environment variable.

       --pid primary-object-id
           The primary object id that tpm2_ptool returns upon 'init'.

       --help, -h, -?
           Display the help screen and exit.


EXAMPLE

       The following example creates an intermediate TPM CA, writes the keys
       into /var/lib/swtpm-localca and writes the swtpm-localca configuration
       to /etc/swtpm-localca.conf. The CA can then be used for signing the
       certificates of newly created swtpm TPMs.

       If the host's TPM is a TPM 1.2, we need to start the tcsd first and can
       then create the TPM key and TPM CA certificate:

        #> sudo systemctl start tcsd
        #> sudo /usr/share/swtpm/swtpm-create-tpmca \
                       --dir /var/lib/swtpm-localca \
                       --overwrite \
                       --outfile /etc/swtpm-localca.conf \
                       --srk-password password \
                       --key-password password \
                       --group tss
        statedir = /var/lib/swtpm-localca
        signingkey = tpmkey:file=/var/lib/swtpm-localca/swtpm-localca-tpmca-privkey.pem
        issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
        certserial = /var/lib/swtpm-localca/certserial
        TSS_TCSD_HOSTNAME = localhost
        TSS_TCSD_PORT = 30003
        signingkey_password = password
        parentkey_password = password

       Alternatively, if the host's TPM is a TPM 2 and Intel's TPM 2 stack is
       installed, we need to start tpm2-abrmd first and can then create the
       TPM key and TPM CA certificate:

        #> sudo systemctl start tpm2-abrmd
        #> tpm2_ptool init
        action: Created
        id: 1                   # this is the --pid parameter below
        #> sudo SWTPM_PKCS11_PIN="mypin 123" SWTPM_PKCS11_SO_PIN=123 /usr/share/swtpm/swtpm-create-tpmca \
                       --dir /var/lib/swtpm-localca \
                       --overwrite \
                       --outfile /etc/swtpm-localca.conf \
                       --group tss \
                       --tpm2 \
                       --pid 1
        statedir = /var/lib/swtpm-localca
        signingkey = pkcs11:model=SW%20%20%20TPM\;manufacturer=IBM\;serial=0000000000000000\;token=swtpm-tpmca-1\;id=%31\;object=swtpm-tpmca-key\;type=private
        issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
        certserial = /var/lib/swtpm-localca/certserial
        SWTPM_PKCS11_PIN = mypin 123

       Note: This also works for non-root users: adapt the --dir and
       --outfile parameters in the commands above, and in the swtpm-localca
       command below change the --dir parameter and add a --config parameter.

       To test either one of the above TPM CAs, run the following command:

        #> /usr/share/swtpm/swtpm-localca \
               --type ek --ek x=11,y=13 \
               --dir /tmp --vmid test --tpm2 \
               --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
               --tpm-model swtpm --tpm-version 20170101 --tpm-manufacturer IBM

       The --tpm2 in this command indicates that the TPM for which the
       certificate is created is a TPM 2.

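       As an added worked example (not part of swtpm), the following Python
       parses a swtpm-localca.conf of the two shapes printed above, splits the
       TPM 2 pkcs11: signing-key URI into its attributes, and lists which
       settings hold cleartext passwords or PINs. The two configuration texts
       are constructed from the outputs shown in this section.

```python
# Added example (not swtpm code): parse the swtpm-localca.conf written by
# swtpm-create-tpmca and pull the signing-key details out of it.
from urllib.parse import unquote

# Constructed samples, modelled on the two outputs in the EXAMPLE section.
TPM12_CONF = r"""signingkey = tpmkey:file=/var/lib/swtpm-localca/swtpm-localca-tpmca-privkey.pem
TSS_TCSD_PORT = 30003
signingkey_password = password
parentkey_password = password
"""
TPM2_CONF = r"""statedir = /var/lib/swtpm-localca
signingkey = pkcs11:model=SW%20%20%20TPM\;manufacturer=IBM\;serial=0000000000000000\;token=swtpm-tpmca-1\;id=%31\;object=swtpm-tpmca-key\;type=private
SWTPM_PKCS11_PIN = mypin 123
"""
# Settings whose values are cleartext secrets; the file holding them must not be world-readable.
SECRET_KEYS = ("signingkey_password", "parentkey_password", "SWTPM_PKCS11_PIN")

def parse_conf(text):
    """'key = value' lines; the value itself may contain '=' (pkcs11 URIs do)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf

def parse_pkcs11_uri(uri):
    """RFC 7512 path attributes; the conf file escapes ';' with a backslash, undo that, then percent-decode."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    body = uri[len("pkcs11:"):].split("?", 1)[0].replace("\\;", ";")
    return {k: unquote(v) for k, _, v in (p.partition("=") for p in body.split(";"))}

def describe_signing_key(conf):
    """Return ('tpm12', {'file': path}) for a tpmkey: URI or ('tpm2', attributes) for pkcs11:."""
    key = conf["signingkey"]
    if key.startswith("tpmkey:file="):
        return "tpm12", {"file": key[len("tpmkey:file="):]}
    if key.startswith("pkcs11:"):
        return "tpm2", parse_pkcs11_uri(key)
    raise ValueError(f"unexpected signingkey scheme: {key}")

def secrets_in_conf(conf):
    """Names of the configured settings that hold cleartext passwords or PINs."""
    return [k for k in SECRET_KEYS if k in conf]
```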

KNOWN ISSUES

       The interaction of GnuTLS certtool with the TPM TCSD daemon may cause
       so many TPM (key) authentication failures that the TPM refuses to
       accept any more authenticated commands until the TPM's owner sends it
       the TPM_ORD_ResetLockValue command. The reason for this is that
       certtool first tries to use 20 zero bytes for the SRK password and only
       then prompts for and uses the required SRK password. The GnuTLS tpmtool
       does not support 20 zero bytes for the SRK password, and so forces the
       use of a 'real' password.

       The effect of the authentication failures may be that the TPM CA cannot
       sign certificates since the TPM does not accept authenticated commands.


SEE ALSO

       swtpm-localca, swtpm-localca.conf, tcsd


REPORTING BUGS

       Report bugs to Stefan Berger <stefanb@linux.ibm.com>



swtpm                             2021-01-27             swtpm-create-tpmca(8)