1swtpm_cert(8)                                                    swtpm_cert(8)
2
3
4

NAME

6       swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)
7

SYNOPSIS

9       swtpm_cert [OPTIONS]
10

DESCRIPTION

12       swtpm_cert is a local CA tool for creating X.509v3 certificates for the
13       TPM's Endorsement Key. The reason for this specific tool is that it
14       works  without access to the Endorsement Key's private key. Typically
15       tools require either a self-signed certificate request or access to the
16       private key to issue a certificate.  This tool works with only the
17       public key part.
18
19       The following options are supported:
20
21       --type {ek|platform}
22           The type of certificate to create; by default an EK certificate is
23           created.
24
25       --pubkey <filename>
26           The public key (EK) in PEM format.
27
28       --modulus <hex digits>
29           The modulus of the public key as a string of hex digits. This
30           option can be used in place of the --pubkey option.
31
32       --ecc-x <hex digits>
33           The elliptic curve parameter x as string of hex digits.
34
35       --ecc-y <hex digits>
36           The elliptic curve parameter y as string of hex digits.
37
38       --ecc-curveid <curve id>
39           The elliptic curve's id. secp256r1, secp384r1, and secp521r1 are
40           supported.  If this option is not given, secp256r1 is assumed.
41
42       --exponent <exponent>
43           The exponent of the public key. By default 0x10001 is assumed.
44
45       --signkey <filename>
46           The key used for signing the certificate. The file must be in PEM
47           format.
48
49       --signkey-password <password>
50           Optional password for the signing key.
51
52       --signkey-pwd <pwd>
53           This is an alternative option for passing the signing key password.
54           The following formats are supported for pwd:
55
56             - <password>                   : direct password
57             - pass:<password>              : direct password
58             - file:<filename>              : password in file
59             - fd:<file descriptor>         : read password from file descriptor
60             - env:<environment variable>   : read password from env. variable
61
62           All passwords read from files and file descriptors must be a
63           maximum of 255 bytes (plus one byte for terminating NUL byte).
64
65       --parentkey-password <password>
66           Optional password for a parent key. In case a TPM key is used for
67           signing this would be the password for the TPM's storage root key
68           (SRK).
69
70       --parentkey-pwd <pwd>
71           This is an alternative option for passing the parentkey password.
72           See the description above for supported pwd formats.
73
74       --issuercert <filename>
75           The X.509 certificate of this signer that takes on the role of a
76           local CA.
77
78       --out-cert <filename>
79           The name of the file to write the X.509v3 certificate into. The
80           output will be in PEM format.
81
82       --serial <serial number>
83           Optional 32bit serial number for the certificate.
84
85       --days <number>
86           The number of days the certificate is valid; by default it is valid
87           for 365 days.
88
89       --pem
90           Write the resulting certificate in PEM format; DER format is the
91           default.
92
93       --tpm-manufacturer <name>
94           The name of the TPM manufacturer.
95
96       --tpm-model <model>
97           The TPM model (part number).
98
99       --tpm-version <version>
100           The TPM's firmware version.
101
102       --platform-manufacturer <name>
103           The name of the platform manufacturer.
104
105       --platform-model <model>
106           The platform model.
107
108       --platform-version <version>
109           The platform's version.
110
111       --subject <subject>
112           Subject to for example provide the location of the TPM in the
113           format of C=<country>,ST=<state>,L=<location>.  Note that the
114           location must no contain any spaces.
115
116       --tpm2
117           Issue TPM 2 compliant certificates.
118
119       --allow-signing
120           Create an EK that can also be used for signing. Without this
121           option, the EK can only be used for key encipherment. This option
122           requires --tpm2.
123
124       --decryption
125           If --allow-signing is passed and the EK should also be useable for
126           key encipherment, this option must be passed. Otherwise key
127           encipherment is the default. This option requires --tpm2.
128
129       --print-capabilities (since v0.3)
130           Print capabilities that were added to swtpm_cert after version 0.2.
131           The output may contain the following:
132
133               {
134                 "type": "swtpm_cert",
135                 "features": [
136                   "cmdarg-signkey-pwd",
137                   "cmdarg-parentkey-pwd"
138                 ]
139               }
140
141           The maining of the feature verbs is as follows:
142
143           cmdarg-signkey-pwd
144               The --signkey-pwd option is supported.
145
146           cmdarg-parentkey-pwd
147               The --parentkey-pwd option is supported.
148
149       --help, -h
150           Display the help screen
151

SEE ALSO

REPORTING BUGS

154       Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>
155
156
157
158swtpm                             2021-01-27                     swtpm_cert(8)
Impressum