script/ekca/ek.cnf - third_party/github.com/tpm2-software/tpm2-tss - Git at Google

 oid_section = tcg_oids

 [ tcg_oids ]
 tcg-sv-tpm20            = 2.23.133.1.2
 tcg-at-tpmManufacturer  = 2.23.133.2.1
 tcg-at-tpmModel         = 2.23.133.2.2
 tcg-at-tpmVersion       = 2.23.133.2.3
 tcg-at-tpmSpecification = 2.23.133.2.16
 tcg-at-tpmSecurityAssertions = 2.23.133.2.18
 tcg-kp-EKCertificate    = 2.23.133.8.1

 [ req ]
 prompt                  = no
 distinguished_name      = distinguished_name
 subjectAltName          = subject_alt_name

 [ distinguished_name ]
 commonName              = this-tpm-sim
 organizationName        = tpm2-tss-testsuit

 [ req_ext ]
 subjectKeyIdentifier    = hash

 [ ek_ext ]
 certificatePolicies     = @polsect
 subjectAltName          = dirName:subAltName
 basicConstraints        = critical, CA:FALSE
 subjectDirectoryAttributes = ASN1:SEQUENCE:subDirAttr
 authorityKeyIdentifier  = keyid:always
 authorityInfoAccess     = caIssuers;URI.0:INTERMEDCRT
 crlDistributionPoints   = URI.0:INTERMEDCRL
 keyUsage                = critical, keyEncipherment
 #extendedKeyUsage        = tcg-kp-EKCertificate
 extendedKeyUsage        = 2.23.133.8.1

 [ polsect ]
 policyIdentifier = anyPolicy
 CPS.1="http://my.host.name/"

 [ subAltName ]
 #TPMManufacturer = 'TSS2'
 .2.23.133.2.1 = id:54535332
 .2.23.133.2.2 = tpmsimulator
 .2.23.133.2.3 = id:00020008

 #TODO: Remove
 [ subAltName1 ]
 C=DE
 O=Testing
 OU=whatever
 commonName=abc

 [ subDirAttr ]
 tcg-at-tpmSpecification = SEQUENCE:tpmspec
 #tcg-at-tpmSecurityAssertions = SEQUENCE:secassert

 [ tpmspec ]
 family = UTF8:2.0
 level = INT:0
 revision = INT:138

 #[ secassert ]
 #version = INT:0
 #fieldUpgradable = BOOL:false
 #...
	oid_section = tcg_oids

	[ tcg_oids ]
	tcg-sv-tpm20 = 2.23.133.1.2
	tcg-at-tpmManufacturer = 2.23.133.2.1
	tcg-at-tpmModel = 2.23.133.2.2
	tcg-at-tpmVersion = 2.23.133.2.3
	tcg-at-tpmSpecification = 2.23.133.2.16
	tcg-at-tpmSecurityAssertions = 2.23.133.2.18
	tcg-kp-EKCertificate = 2.23.133.8.1

	[ req ]
	prompt = no
	distinguished_name = distinguished_name
	subjectAltName = subject_alt_name

	[ distinguished_name ]
	commonName = this-tpm-sim
	organizationName = tpm2-tss-testsuit

	[ req_ext ]
	subjectKeyIdentifier = hash

	[ ek_ext ]
	certificatePolicies = @polsect
	subjectAltName = dirName:subAltName
	basicConstraints = critical, CA:FALSE
	subjectDirectoryAttributes = ASN1:SEQUENCE:subDirAttr
	authorityKeyIdentifier = keyid:always
	authorityInfoAccess = caIssuers;URI.0:INTERMEDCRT
	crlDistributionPoints = URI.0:INTERMEDCRL
	keyUsage = critical, keyEncipherment
	#extendedKeyUsage = tcg-kp-EKCertificate
	extendedKeyUsage = 2.23.133.8.1

	[ polsect ]
	policyIdentifier = anyPolicy
	CPS.1="http://my.host.name/"

	[ subAltName ]
	#TPMManufacturer = 'TSS2'
	.2.23.133.2.1 = id:54535332
	.2.23.133.2.2 = tpmsimulator
	.2.23.133.2.3 = id:00020008

	#TODO: Remove
	[ subAltName1 ]
	C=DE
	O=Testing
	OU=whatever
	commonName=abc

	[ subDirAttr ]
	tcg-at-tpmSpecification = SEQUENCE:tpmspec
	#tcg-at-tpmSecurityAssertions = SEQUENCE:secassert

	[ tpmspec ]
	family = UTF8:2.0
	level = INT:0
	revision = INT:138

	#[ secassert ]
	#version = INT:0
	#fieldUpgradable = BOOL:false
	#...