swtpm_localca(8)                                              swtpm_localca(8)

NAME
swtpm_localca - Local CA to create EK and platform certs for swtpm

SYNOPSIS
swtpm_localca [OPTIONS]

DESCRIPTION
swtpm_localca is a tool to create TPM Endorsement Key (EK) and platform
certificates on the host. It uses the swtpm_cert program to create the
certificates.

The program will typically be invoked by the swtpm_setup program that
uses the /etc/swtpm_setup.conf configuration file where a variable
needs to be set that points to this program. It implements command
line options that the swtpm_setup program uses to provide the necessary
parameters to it.

swtpm_localca will automatically try to create the signing key and
certificate if the configuration points to a missing signing key.
Since this certificate must be signed by a CA, a root certificate
authority will also be created and will sign this certificate. The root
CA's private key and certificate will be located in the same directory
as the signing key and have the names swtpm-localca-rootca-privkey.pem
and swtpm-localca-rootca-cert.pem respectively. The environment
variable SWTPM_ROOTCA_PASSWORD can be set for the password of the root
CA's private key.

Note: Due to limitations of 'certtool', the possible passwords used for
securing the root CA's private key and the intermediate CA's private key
have to be passed over the command line and therefore will be visible
to others on the system. If you are concerned about this, you should
create the CAs elsewhere and copy them onto the target system.

The following options are supported:

--type type
This parameter indicates the type of certificate to create. The
type parameter may be one of the following: ek, or platform

--dir dir
This parameter indicates the directory into which the certificate
is to be stored. The EK certificate is stored in this directory
under the name ek.cert and the platform certificate under the name
platform.cert.

--ek ek
This parameter indicates the modulus of the public key of the
endorsement key (EK). The public key is provided as a sequence of
ASCII hex digits.

In case ECC (elliptic curve cryptography) keys are used, the
parameter must have the format --ek x=<hex digits>,y=<hex
digits>,id=<curve id>. The id=<curve id> part is optional and only
necessary for ECC curves other than secp256r1.
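
The two --ek argument formats described above, parsed and validated in an added example that is not swtpm's own code (the parser, its names and the sample values are constructed here; it assumes hex runs have an even digit count):

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical parser for the --ek formats documented above, not swtpm's own
# code. Assumption: hex runs need an even digit count so they map to whole bytes.
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

@dataclass
class EkParam:
    kind: str                       # "rsa" (modulus) or "ecc" (point)
    modulus: Optional[bytes] = None
    x: Optional[bytes] = None
    y: Optional[bytes] = None
    curve_id: str = "secp256r1"     # default when id=<curve id> is absent

def _hex_bytes(label: str, s: str) -> bytes:
    if not s or not _HEX_RE.match(s) or len(s) % 2:
        raise ValueError(f"{label}: expected an even-length run of hex digits")
    return bytes.fromhex(s)

def parse_ek(value: str) -> EkParam:
    """Parse '--ek <hex>' (RSA modulus) or '--ek x=<hex>,y=<hex>[,id=<curve>]'."""
    if "=" not in value:  # plain hex digits: RSA modulus
        return EkParam(kind="rsa", modulus=_hex_bytes("modulus", value))
    fields = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if not sep or not val or key not in ("x", "y", "id") or key in fields:
            raise ValueError(f"bad, empty or repeated ECC field: {part!r}")
        fields[key] = val
    if "x" not in fields or "y" not in fields:
        raise ValueError("ECC EK needs both x= and y=")
    x, y = _hex_bytes("x", fields["x"]), _hex_bytes("y", fields["y"])
    if len(x) != len(y):
        raise ValueError("x and y coordinates must have the same length")
    return EkParam(kind="ecc", x=x, y=y, curve_id=fields.get("id", "secp256r1"))

def ek_is_valid(value: str) -> bool:
    """True if parse_ek accepts the argument, False otherwise."""
    try:
        parse_ek(value)
        return True
    except ValueError:
        return False

# Constructed sample values (not real EKs), as a demonstration:
if __name__ == "__main__":
    print(parse_ek("x=0a0b,y=0c0d,id=secp384r1"), parse_ek("c0ffee").modulus.hex())
```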

--vmid ID
This parameter indicates the ID of the VM for which to create the
certificate.

--logfile <logfile>
The log file to log output to; by default logging goes to stdout
and stderr on the console.

--configfile <configuration file>
The configuration file to use. If omitted, the default
configuration file /etc/swtpm-localca.conf will be used.

--optsfile <options file>
The options file to use. If omitted, the default options file
/etc/swtpm-localca.options will be used.

--tpm-spec-family, --tpm-spec-revision, --tpm-spec-level
TPM specification parameters that describe the specification that
was followed for the TPM implementation. The parameters will be
passed to swtpm_cert for the creation of the EK certificate.

--tpm2
Create TPM 2 compliant certificates.

--allow-signing
Create an EK that can also be used for signing. Without this
option, the EK can only be used for key encipherment. This option
requires --tpm2.

--decryption
If --allow-signing is passed and the EK should also be usable for
key encipherment, this option must be passed. Otherwise key
encipherment is the default. This option requires --tpm2.

SEE ALSO
swtpm-localca.conf, swtpm-localca.options, swtpm_setup,
swtpm_setup.conf

REPORTING BUGS
Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>



swtpm                            2023-08-15                   swtpm_localca(8)