[swtpm.git] / man / man8 / swtpm_cert.pod

=head1 NAME

swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)

=head1 SYNOPSIS

B<swtpm_cert [OPTIONS]>

=head1 DESCRIPTION

B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
Endorsement Key. The reason for this specific tool is that it works  without access
to the Endorsement Key's private key. Typically tools require either a self-signed
certificate request or access to the private key to issue a certificate.
This tool works with only the public key part.


The following options are supported:

=over 4

=item B<--type {ek|platform}>

The type of certificate to create; by default an EK certificate is created.

=item B<--pubkey <filename>>

The public key (EK) in PEM format.

=item B<--modulus <hex digits>>

The modulus of the public key as a string of hex digits. This option
can be used in place of the --pubkey option.

=item B<--ecc-x <hex digits>>

The elliptic curve parameter x as string of hex digits.

=item B<--ecc-y <hex digits>>

The elliptic curve parameter y as string of hex digits.

=item B<--ecc-curveid <curve id>>

The elliptic curve's id. secp256r1, secp384r1, and secp521r1 are supported.
If this option is not given, secp256r1 is assumed.

=item B<--exponent <exponent>>

The exponent of the public key. By default 0x10001 is assumed.

=item B<--signkey <filename>>

The key used for signing the certificate. The file must be in PEM format.

=item B<--signkey-password <password>>

Optional password for the signing key.

=item B<--signkey-pwd <pwd>>

This is an alternative option for passing the signing key password. The
following formats are supported for I<pwd>:

  - <password>                   : direct password
  - pass:<password>              : direct password
  - file:<filename>              : password in file
  - fd:<file descriptor>         : read password from file descriptor
  - env:<environment variable>   : read password from env. variable

All passwords read from files and file descriptors must be a maximum
of 255 bytes (plus one byte for terminating NUL byte).

=item B<--parentkey-password <password>>

Optional password for a parent key. In case a TPM key is used for signing
this would be the password for the TPM's storage root key (SRK).

=item B<--parentkey-pwd <pwd>>

This is an alternative option for passing the parentkey password. See
the description above for supported I<pwd> formats.

=item B<--issuercert <filename>>

The X.509 certificate of this signer that takes on the role of a local CA.

=item B<--out-cert <filename>>

The name of the file to write the X.509v3 certificate into. The output will
be in PEM format.

=item B<--serial <serial number>>

Optional 32bit serial number for the certificate.

=item B<--days <number>>

The number of days the certificate is valid; by default it is valid for 365 days.

=item B<--pem>

Write the resulting certificate in PEM format; DER format is the default.

=item B<--tpm-manufacturer <name>>

The name of the TPM manufacturer.

=item B<--tpm-model <model>>

The TPM model (part number).

=item B<--tpm-version <version>>

The TPM's firmware version.

=item B<--platform-manufacturer <name>>

The name of the platform manufacturer.

=item B<--platform-model <model>>

The platform model.

=item B<--platform-version <version>>

The platform's version.

=item B<--subject <subject>>

Subject to for example provide the location of the TPM in the format of
C=<country>,ST=<state>,L=<location>.
Note that the location must no contain any spaces.

=item B<--tpm2>

Issue TPM 2 compliant certificates.

=item B<--allow-signing>

Create an EK that can also be used for signing. Without this option, the
EK can only be used for key encipherment. This option requires --tpm2.

=item B<--decryption>

If --allow-signing is passed and the EK should also be useable for key
encipherment, this option must be passed. Otherwise key encipherment is the
default. This option requires --tpm2.

=item B<--print-capabilities> (since v0.3)

Print capabilities that were added to swtpm_cert after version 0.2.
The output may contain the following:

    {
      "type": "swtpm_cert",
      "features": [
        "cmdarg-signkey-pwd",
        "cmdarg-parentkey-pwd"
      ],
      "version": "0.7.0"
    }

The version field is available since 0.7.

The maining of the feature verbs is as follows:

=over 4

=item B<cmdarg-signkey-pwd>

The I<--signkey-pwd> option is supported.

=item B<cmdarg-parentkey-pwd>

The I<--parentkey-pwd> option is supported.

=back

=item B<--help, -h>

Display the help screen

=back

=head1 SEE ALSO

=head1 REPORTING BUGS

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>
Commit	Line	Data
e46a2b66 SB	1	=head1 NAME
e46a2b66 SB	2
5311e60e	3	swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)
e46a2b66 SB	4
	5	=head1 SYNOPSIS
	6
	7	B<swtpm_cert [OPTIONS]>
	8
	9	=head1 DESCRIPTION
	10
	11	B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
	12	Endorsement Key. The reason for this specific tool is that it works without access
	13	to the Endorsement Key's private key. Typically tools require either a self-signed
	14	certificate request or access to the private key to issue a certificate.
	15	This tool works with only the public key part.
	16
	17
	18	The following options are supported:
	19
	20	=over 4
	21
b35eb9fc	22	=item B<--type {ek\|platform}>
e46a2b66 SB	23
	24	The type of certificate to create; by default an EK certificate is created.
	25
	26	=item B<--pubkey <filename>>
	27
	28	The public key (EK) in PEM format.
	29
	30	=item B<--modulus <hex digits>>
	31
	32	The modulus of the public key as a string of hex digits. This option
	33	can be used in place of the --pubkey option.
	34
fbc42b8d	35	=item B<--ecc-x <hex digits>>
276eee02 SB	36
	37	The elliptic curve parameter x as string of hex digits.
	38
fbc42b8d	39	=item B<--ecc-y <hex digits>>
276eee02 SB	40
	41	The elliptic curve parameter y as string of hex digits.
	42
fbc42b8d SB	43	=item B<--ecc-curveid <curve id>>
	44
	45	The elliptic curve's id. secp256r1, secp384r1, and secp521r1 are supported.
	46	If this option is not given, secp256r1 is assumed.
	47
e46a2b66 SB	48	=item B<--exponent <exponent>>
	49
	50	The exponent of the public key. By default 0x10001 is assumed.
	51
	52	=item B<--signkey <filename>>
	53
	54	The key used for signing the certificate. The file must be in PEM format.
	55
	56	=item B<--signkey-password <password>>
	57
	58	Optional password for the signing key.
	59
b35eb9fc SB	60	=item B<--signkey-pwd <pwd>>
	61
	62	This is an alternative option for passing the signing key password. The
	63	following formats are supported for I<pwd>:
	64
	65	- <password> : direct password
	66	- pass:<password> : direct password
	67	- file:<filename> : password in file
	68	- fd:<file descriptor> : read password from file descriptor
	69	- env:<environment variable> : read password from env. variable
	70
	71	All passwords read from files and file descriptors must be a maximum
	72	of 255 bytes (plus one byte for terminating NUL byte).
	73
	74	=item B<--parentkey-password <password>>
fea89796 SB	75
	76	Optional password for a parent key. In case a TPM key is used for signing
	77	this would be the password for the TPM's storage root key (SRK).
	78
b35eb9fc SB	79	=item B<--parentkey-pwd <pwd>>
	80
	81	This is an alternative option for passing the parentkey password. See
	82	the description above for supported I<pwd> formats.
	83
e46a2b66 SB	84	=item B<--issuercert <filename>>
	85
	86	The X.509 certificate of this signer that takes on the role of a local CA.
	87
	88	=item B<--out-cert <filename>>
	89
	90	The name of the file to write the X.509v3 certificate into. The output will
	91	be in PEM format.
	92
	93	=item B<--serial <serial number>>
	94
	95	Optional 32bit serial number for the certificate.
	96
	97	=item B<--days <number>>
	98
	99	The number of days the certificate is valid; by default it is valid for 365 days.
	100
	101	=item B<--pem>
	102
	103	Write the resulting certificate in PEM format; DER format is the default.
	104
	105	=item B<--tpm-manufacturer <name>>
	106
	107	The name of the TPM manufacturer.
	108
	109	=item B<--tpm-model <model>>
	110
	111	The TPM model (part number).
	112
	113	=item B<--tpm-version <version>>
	114
	115	The TPM's firmware version.
	116
	117	=item B<--platform-manufacturer <name>>
	118
	119	The name of the platform manufacturer.
	120
	121	=item B<--platform-model <model>>
	122
	123	The platform model.
	124
	125	=item B<--platform-version <version>>
	126
	127	The platform's version.
	128
	129	=item B<--subject <subject>>
	130
	131	Subject to for example provide the location of the TPM in the format of
	132	C=<country>,ST=<state>,L=<location>.
	133	Note that the location must no contain any spaces.
	134
e5ffc74d SB	135	=item B<--tpm2>
	136
	137	Issue TPM 2 compliant certificates.
	138
	139	=item B<--allow-signing>
	140
770e7b81 SB	141	Create an EK that can also be used for signing. Without this option, the
	142	EK can only be used for key encipherment. This option requires --tpm2.
	143
	144	=item B<--decryption>
	145
	146	If --allow-signing is passed and the EK should also be useable for key
	147	encipherment, this option must be passed. Otherwise key encipherment is the
	148	default. This option requires --tpm2.
e5ffc74d	149
88c7bdc9 SB	150	=item B<--print-capabilities> (since v0.3)
	151
	152	Print capabilities that were added to swtpm_cert after version 0.2.
	153	The output may contain the following:
	154
	155	{
	156	"type": "swtpm_cert",
	157	"features": [
	158	"cmdarg-signkey-pwd",
	159	"cmdarg-parentkey-pwd"
55404e26 MAL	160	],
55404e26 MAL	161	"version": "0.7.0"
88c7bdc9 SB	162	}
88c7bdc9 SB	163
55404e26 MAL	164	The version field is available since 0.7.
55404e26 MAL	165
88c7bdc9 SB	166	The maining of the feature verbs is as follows:
	167
	168	=over 4
	169
	170	=item B<cmdarg-signkey-pwd>
	171
	172	The I<--signkey-pwd> option is supported.
	173
	174	=item B<cmdarg-parentkey-pwd>
	175
	176	The I<--parentkey-pwd> option is supported.
	177
	178	=back
	179
e46a2b66 SB	180	=item B<--help, -h>
	181
	182	Display the help screen
	183
	184	=back
	185
	186	=head1 SEE ALSO
	187
	188	=head1 REPORTING BUGS
	189
	190	Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>