=head1 NAME

swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)

=head1 SYNOPSIS

B<swtpm_cert [OPTIONS]>

=head1 DESCRIPTION

B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
Endorsement Key. The reason for this specific tool is that it works without access
to the Endorsement Key's private key. Typically, tools require either a self-signed
certificate request or access to the private key to issue a certificate.
This tool works with only the public key part.

The following options are supported:

=over 4

=item B<--type {ek|platform}>

The type of certificate to create; by default an EK certificate is created.

=item B<--pubkey <filename>>

The public key (EK) in PEM format.

=item B<--modulus <hex digits>>

The modulus of the public key as a string of hex digits. This option
can be used in place of the --pubkey option.

=item B<--ecc-x <hex digits>>

The elliptic curve parameter x as a string of hex digits.

=item B<--ecc-y <hex digits>>

The elliptic curve parameter y as a string of hex digits.

=item B<--ecc-curveid <curve id>>

The elliptic curve's id. secp256r1, secp384r1, and secp521r1 are supported.
If this option is not given, secp256r1 is assumed.

=item B<--exponent <exponent>>

The exponent of the public key. By default 0x10001 is assumed.

=item B<--signkey <filename>>

The key used for signing the certificate. The file must be in PEM format.

=item B<--signkey-password <password>>

Optional password for the signing key.

=item B<--signkey-pwd <pwd>>

This is an alternative option for passing the signing key password. The
following formats are supported for I<pwd>:

  - <password>                 : direct password
  - pass:<password>            : direct password
  - file:<filename>            : password in file
  - fd:<file descriptor>       : read password from file descriptor
  - env:<environment variable> : read password from environment variable

All passwords read from files and file descriptors must be a maximum
of 255 bytes (plus one byte for the terminating NUL byte).

=item B<--parentkey-password <password>>

Optional password for a parent key. In case a TPM key is used for signing,
this would be the password for the TPM's storage root key (SRK).

=item B<--parentkey-pwd <pwd>>

This is an alternative option for passing the parent key password. See
the description above for the supported I<pwd> formats.

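As an added illustration (not swtpm's own code), the shell function below resolves a I<pwd> argument in the formats listed for --signkey-pwd and --parentkey-pwd, enforcing the 255-byte limit for passwords read from files and file descriptors. It assumes that a single trailing newline read from a file or descriptor is dropped and that an unset environment variable is an error; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not swtpm's own code: resolve a <pwd> argument in the
# formats documented for --signkey-pwd and --parentkey-pwd.
# Assumptions: one trailing newline read from a file or fd is dropped,
# and an unset environment variable is an error.

MAX_PWD_BYTES=255                # limit stated for passwords from files and fds
NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, used to strip one trailing LF

# Succeed only if $1 is at most MAX_PWD_BYTES bytes long (tr handles BSD wc padding).
check_len() {
    [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -le "$MAX_PWD_BYTES" ]
}

# Read at most two bytes beyond the limit from stdin so an oversized source
# is detected without slurping it; the trailing 'x' keeps newlines intact.
read_limited() {
    pw=$(head -c $((MAX_PWD_BYTES + 2)); printf x)
    pw=${pw%x}; pw=${pw%"$NL"}
}

# resolve_pwd SPEC: prints the password on stdout; returns 1 on any error.
resolve_pwd() {
    spec=$1
    case "$spec" in
        pass:*) pw=${spec#pass:} ;;
        file:*)
            f=${spec#file:}
            [ -r "$f" ] || return 1
            read_limited < "$f"
            check_len "$pw" || return 1 ;;
        fd:*)
            n=${spec#fd:}
            case "$n" in ''|*[!0-9]*) return 1 ;; esac    # digits only before eval
            eval "read_limited <&$n" || return 1
            check_len "$pw" || return 1 ;;
        env:*)
            name=${spec#env:}
            case "$name" in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;; esac
            eval "[ \"\${$name+set}\" = set ]" || return 1   # variable must be set
            eval "pw=\$$name" ;;
        *) pw=$spec ;;                                     # direct password
    esac
    printf '%s\n' "$pw"
}
```

Passwords are written to stdout only so the function can be used in a wrapper; a real wrapper would hand the value to swtpm_cert rather than echo it.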
=item B<--issuercert <filename>>

The X.509 certificate of the signer that takes on the role of a local CA.

=item B<--out-cert <filename>>

The name of the file to write the X.509v3 certificate into. The output will
be in PEM format.

=item B<--serial <serial number>>

Optional 32-bit serial number for the certificate.

=item B<--days <number>>

The number of days the certificate is valid; by default it is valid for 365 days.

=item B<--pem>

Write the resulting certificate in PEM format; DER format is the default.

=item B<--tpm-manufacturer <name>>

The name of the TPM manufacturer.

=item B<--tpm-model <model>>

The TPM model (part number).

=item B<--tpm-version <version>>

The TPM's firmware version.

=item B<--platform-manufacturer <name>>

The name of the platform manufacturer.

=item B<--platform-model <model>>

The platform model.

=item B<--platform-version <version>>

The platform's version.

=item B<--subject <subject>>

The subject, used for example to provide the location of the TPM, in the format
C=<country>,ST=<state>,L=<location>.
Note that the location must not contain any spaces.

=item B<--tpm2>

Issue TPM 2 compliant certificates.

=item B<--allow-signing>

Create an EK that can also be used for signing. Without this option, the
EK can only be used for key encipherment. This option requires --tpm2.

=item B<--decryption>

If --allow-signing is passed and the EK should also be usable for key
encipherment, this option must be passed. Otherwise key encipherment is the
default. This option requires --tpm2.

=item B<--print-capabilities> (since v0.3)

Print capabilities that were added to swtpm_cert after version 0.2.
The output may contain the following:

  {
    "type": "swtpm_cert",
    "features": [
      "cmdarg-signkey-pwd",
      "cmdarg-parentkey-pwd"
    ]
  }

The meaning of the feature verbs is as follows:

=over 4

=item B<cmdarg-signkey-pwd>

The I<--signkey-pwd> option is supported.

=item B<cmdarg-parentkey-pwd>

The I<--parentkey-pwd> option is supported.

=back

=item B<--help, -h>

Display the help screen.

=back

=head1 SEE ALSO

=head1 REPORTING BUGS

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>