swtpm_localca(8)                                              swtpm_localca(8)

NAME

       swtpm_localca - Local CA to create EK and platform certs for swtpm

SYNOPSIS

       swtpm_localca [OPTIONS]

DESCRIPTION

       swtpm_localca is a tool to create TPM Endorsement Key (EK) and platform
       certificates on the host. It uses the swtpm_cert program to create the
       certificates.

       The program will typically be invoked by the swtpm_setup program, which
       uses the /etc/swtpm_setup.conf configuration file where a variable
       needs to be set that points to this program.  It implements the command
       line options that swtpm_setup uses to pass the necessary parameters to
       it.

       swtpm_localca will automatically try to create the signing key and
       certificate if the configuration points to a missing signing key.
       Since this certificate must be signed by a CA, a root certificate
       authority will also be created and will sign this certificate. The root
       CA's private key and certificate will be located in the same directory
       as the signing key and have the names swtpm-localca-rootca-privkey.pem
       and swtpm-localca-rootca-cert.pem respectively. The environment
       variable SWTPM_ROOTCA_PASSWORD can be set to the password of the root
       CA's private key.

       Note: Due to limitations of 'certtool', the passwords used for
       securing the root CA's private key and the intermediate CA's private
       key have to be passed on the command line and therefore will be
       visible to other users on the system, for example in the process
       list. If you are concerned about this, you should create the CAs
       elsewhere and copy them onto the target system.

       The following options are supported:

       --type type
           This parameter indicates the type of certificate to create. The
           type parameter may be one of the following: ek or platform.

       --dir dir
           This parameter indicates the directory into which the certificate
           is to be stored.  The EK certificate is stored in this directory
           under the name ek.cert and the platform certificate under the name
           platform.cert.

       --ek ek
           This parameter indicates the modulus of the public key of the
           endorsement key (EK). The public key is provided as a sequence of
           ASCII hex digits.

           In case ECC (elliptic curve cryptography) keys are used, the
           parameter must have the format --ek x=<hex digits>,y=<hex
           digits>,id=<curve id>. The id=<curve id> part is optional and only
           necessary for ECC curves other than secp256r1.

       --vmid ID
           This parameter indicates the ID of the VM for which to create the
           certificate.

       --logfile <logfile>
           The log file to log output to; by default logging goes to stdout
           and stderr on the console.

       --configfile <configuration file>
           The configuration file to use. If omitted, the default
           configuration file /etc/swtpm-localca.conf will be used.

       --optsfile <options file>
           The options file to use. If omitted, the default options file
           /etc/swtpm-localca.options will be used.

       --tpm-spec-family, --tpm-spec-revision, --tpm-spec-level
           TPM specification parameters that describe the specification that
           was followed for the TPM implementation. The parameters will be
           passed to swtpm_cert for the creation of the EK certificate.

       --tpm2
           Create TPM 2 compliant certificates.

       --allow-signing
           Create an EK that can also be used for signing. Without this
           option, the EK can only be used for key encipherment. This option
           requires --tpm2.

       --decryption
           If --allow-signing is passed and the EK should also be usable for
           key encipherment, this option must be passed. Otherwise key
           encipherment is the default. This option requires --tpm2.

SEE ALSO

       swtpm-localca.conf, swtpm-localca.options, swtpm_setup,
       swtpm_setup.conf

REPORTING BUGS

       Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>



swtpm                             2023-08-15                  swtpm_localca(8)