| =head1 NAME |
| |
| swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0) |
| |
| =head1 SYNOPSIS |
| |
| B<swtpm_cert [OPTIONS]> |
| |
| =head1 DESCRIPTION |
| |
| B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's |
| Endorsement Key. The reason for this specific tool is that it works without access |
| to the Endorsement Key's private key. Typically tools require either a self-signed |
| certificate request or access to the private key to issue a certificate. |
| This tool works with only the public key part. |
| |
| |
| The following options are supported: |
| |
| =over 4 |
| |
| =item B<--type {ek|platform}> |
| |
| The type of certificate to create; by default an EK certificate is created. |
| |
| =item B<--pubkey <filename>> |
| |
| The public key (EK) in PEM format. |
| |
| =item B<--modulus <hex digits>> |
| |
| The modulus of the public key as a string of hex digits. This option |
| can be used in place of the --pubkey option. |
| |
| =item B<--ecc-x <hex digits>> |
| |
| The elliptic curve parameter x as string of hex digits. |
| |
| =item B<--ecc-y <hex digits>> |
| |
| The elliptic curve parameter y as string of hex digits. |
| |
| =item B<--ecc-curveid <curve id>> |
| |
| The elliptic curve's id. secp256r1, secp384r1, and secp521r1 are supported. |
| If this option is not given, secp256r1 is assumed. |
| |
| =item B<--exponent <exponent>> |
| |
| The exponent of the public key. By default 0x10001 is assumed. |
| |
| =item B<--signkey <filename>> |
| |
| The key used for signing the certificate. The file must be in PEM format. |
| |
| =item B<--signkey-password <password>> |
| |
| Optional password for the signing key. |
| |
| =item B<--signkey-pwd <pwd>> |
| |
| This is an alternative option for passing the signing key password. The |
| following formats are supported for I<pwd>: |
| |
| - <password> : direct password |
| - pass:<password> : direct password |
| - file:<filename> : password in file |
| - fd:<file descriptor> : read password from file descriptor |
| - env:<environment variable> : read password from env. variable |
| |
| All passwords read from files and file descriptors must be a maximum |
| of 255 bytes (plus one byte for terminating NUL byte). |
| |
| =item B<--parentkey-password <password>> |
| |
| Optional password for a parent key. In case a TPM key is used for signing |
| this would be the password for the TPM's storage root key (SRK). |
| |
| =item B<--parentkey-pwd <pwd>> |
| |
| This is an alternative option for passing the parentkey password. See |
| the description above for supported I<pwd> formats. |
| |
| =item B<--issuercert <filename>> |
| |
| The X.509 certificate of this signer that takes on the role of a local CA. |
| |
| =item B<--out-cert <filename>> |
| |
| The name of the file to write the X.509v3 certificate into. The output will |
| be in PEM format. |
| |
| =item B<--serial <serial number>> |
| |
| Optional 32bit serial number for the certificate. |
| |
| =item B<--days <number>> |
| |
| The number of days the certificate is valid; by default it is valid for 365 days. |
| |
| =item B<--pem> |
| |
| Write the resulting certificate in PEM format; DER format is the default. |
| |
| =item B<--tpm-manufacturer <name>> |
| |
| The name of the TPM manufacturer. |
| |
| =item B<--tpm-model <model>> |
| |
| The TPM model (part number). |
| |
| =item B<--tpm-version <version>> |
| |
| The TPM's firmware version. |
| |
| =item B<--platform-manufacturer <name>> |
| |
| The name of the platform manufacturer. |
| |
| =item B<--platform-model <model>> |
| |
| The platform model. |
| |
| =item B<--platform-version <version>> |
| |
| The platform's version. |
| |
| =item B<--subject <subject>> |
| |
| Subject to for example provide the location of the TPM in the format of |
| C=<country>,ST=<state>,L=<location>. |
| Note that the location must no contain any spaces. |
| |
| =item B<--tpm2> |
| |
| Issue TPM 2 compliant certificates. |
| |
| =item B<--allow-signing> |
| |
| Create an EK that can also be used for signing. Without this option, the |
| EK can only be used for key encipherment. This option requires --tpm2. |
| |
| =item B<--decryption> |
| |
| If --allow-signing is passed and the EK should also be usable for key |
| encipherment, this option must be passed. Otherwise key encipherment is the |
| default. This option requires --tpm2. |
| |
| =item B<--print-capabilities> (since v0.3) |
| |
| Print capabilities that were added to swtpm_cert after version 0.2. |
| The output may contain the following: |
| |
| { |
| "type": "swtpm_cert", |
| "features": [ |
| "cmdarg-signkey-pwd", |
| "cmdarg-parentkey-pwd" |
| ], |
| "version": "0.7.0" |
| } |
| |
| The version field is available since 0.7. |
| |
| The maining of the feature verbs is as follows: |
| |
| =over 4 |
| |
| =item B<cmdarg-signkey-pwd> |
| |
| The I<--signkey-pwd> option is supported. |
| |
| =item B<cmdarg-parentkey-pwd> |
| |
| The I<--parentkey-pwd> option is supported. |
| |
| =back |
| |
| =item B<--help, -h> |
| |
| Display the help screen |
| |
| =back |
| |
| =head1 SEE ALSO |
| |
| =head1 REPORTING BUGS |
| |
| Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com> |