=head1 NAME

swtpm_cert - create X.509v3 certificates for a TPM's Endorsement Key using a local CA

=head1 SYNOPSIS

B<swtpm_cert [OPTIONS]>

=head1 DESCRIPTION

B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
Endorsement Key (EK). The reason for this specific tool is that it works without
access to the Endorsement Key's private key. Typical tools require either a
self-signed certificate request or access to the private key in order to issue a
certificate; a TPM never releases the EK's private part and, by default, will not
use the EK for signing, so neither is available for an EK. This tool works with
only the public key part, passed either as a PEM file (B<--pubkey>) or as the raw
key parameters (B<--modulus> and B<--exponent> for RSA, B<--ecc-x> and B<--ecc-y>
for ECC).

The following options are supported:

=over 4

=item B<--type {ek|platform|aik}>

The type of certificate to create; by default an EK certificate is created.

=item B<--pubkey <filename>>

The public key to certify (typically the EK) in PEM format.

=item B<--modulus <hex digits>>

The modulus of an RSA public key as a string of hex digits. This option
can be used in place of the B<--pubkey> option.

=item B<--ecc-x <hex digits>>

The x coordinate of an ECC public key as a string of hex digits. Together with
B<--ecc-y>, this option can be used in place of the B<--pubkey> option.

=item B<--ecc-y <hex digits>>

The y coordinate of an ECC public key as a string of hex digits.

=item B<--exponent <exponent>>

The public exponent of the RSA public key, used together with B<--modulus>.
By default 0x10001 is assumed.

=item B<--signkey <filename>>

The key used for signing the certificate. The file must be in PEM format.

=item B<--signkey-password <password>>

Optional password for the signing key.

=item B<--issuercert <filename>>

The X.509 certificate of the signer, which takes on the role of a local CA.

=item B<--out-cert <filename>>

The name of the file to write the X.509v3 certificate into. The certificate is
written in DER format unless B<--pem> is given.

=item B<--serial <serial number>>

Optional 32-bit serial number for the certificate.

=item B<--days <number>>

The number of days the certificate is valid; by default it is valid for 365 days.

=item B<--pem>

Write the resulting certificate in PEM format; DER format is the default.

=item B<--tpm-manufacturer <name>>

The name of the TPM manufacturer.

=item B<--tpm-model <model>>

The TPM model (part number).

=item B<--tpm-version <version>>

The TPM's firmware version.

=item B<--platform-manufacturer <name>>

The name of the platform manufacturer.

=item B<--platform-model <model>>

The platform model.

=item B<--platform-version <version>>

The platform's version.

=item B<--subject <subject>>

The subject of the certificate, used for example to give the location of the
TPM, in the format C=<country>,ST=<state>,L=<location>.
Note that the values must not contain any spaces.

=item B<--tpm2>

Issue TPM 2.0 compliant certificates.

=item B<--allow-signing>

Issue an EK certificate for an EK that can also be used for signing. This
option requires B<--tpm2>.

=item B<--help, -h>

Display the help screen.

=back

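=head1 EXAMPLE

The following script is an added example and is not part of swtpm or its
manual page. It walks through the flow the options above describe using
openssl alone: it creates the local CA (the files B<--issuercert> and
B<--signkey> expect), produces a stand-in EK public key, prints the hex
modulus that B<--modulus> takes, and then issues and checks an EK certificate
from that public key without ever having the EK's private key. openssl's
C<-force_pubkey> plays the part of swtpm_cert so that the script also runs
where swtpm is not installed; the equivalent swtpm_cert invocation is shown
in a comment at the end. The subject, serial number and TCG attribute values
(manufacturer id:49424D00, model swtpm, version id:20191023) are placeholders.

```shell
#!/bin/sh
# Added example, not part of swtpm or this manual page: build a local CA with
# openssl and issue an EK certificate from the EK's public key alone, which is
# what swtpm_cert does.  openssl's -force_pubkey stands in for swtpm_cert so
# the script runs without swtpm installed; the equivalent swtpm_cert command
# line is given at the end.  The EK key pair is constructed here as a stand-in;
# on a real system the public key is read from the TPM and the private half is
# never available.  Subject, serial and TCG attribute values are placeholders.
set -eu

# The local CA: self-signed certificate and key, i.e. the files that
# --issuercert and --signkey expect.
make_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Local TPM EK CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Stand-in EK: keep only the public key (what --pubkey takes) and delete the
# private key, since a TPM would never hand it out.
make_fake_ek_pubkey() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/ek_priv.pem" >/dev/null 2>&1
    openssl pkey -in "$1/ek_priv.pem" -pubout -out "$1/ek_pub.pem"
    rm -f "$1/ek_priv.pem"
}

# Hex modulus of a PEM RSA public key: the string --modulus takes in place of
# --pubkey (the exponent is 0x10001 unless --exponent says otherwise).
ek_modulus_hex() {
    openssl rsa -pubin -in "$1" -noout -modulus | cut -d= -f2
}

# Issue the EK certificate.  The EK cannot sign a CSR, so the CSR is signed
# with the CA key and serves only to carry the subject; -force_pubkey then
# puts the EK public key into the certificate.  The TCG attributes
# (tpmManufacturer 2.23.133.2.1, tpmModel 2.23.133.2.2, tpmVersion
# 2.23.133.2.3) go into a critical subjectAltName directoryName and the
# EKU is tcg-kp-EKCertificate (2.23.133.8.1), as the TCG EK Credential
# Profile requires.
issue_ek_cert() {
    cat > "$1/ek.cnf" <<'EOF'
[ek_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, keyEncipherment
extendedKeyUsage = 2.23.133.8.1
subjectAltName = critical, dirName:tcg_san

[tcg_san]
# openssl strips the leading "N." counter from attribute names in a
# directoryName section, which is what lets a bare numeric OID be used here.
0.2.23.133.2.1 = id:49424D00
1.2.23.133.2.2 = swtpm
2.2.23.133.2.3 = id:20191023
EOF
    openssl req -new -key "$1/ca.key" -subj "/C=DE/ST=BW/L=Boeblingen" \
        -out "$1/ek.csr"
    openssl x509 -req -in "$1/ek.csr" -force_pubkey "$1/ek_pub.pem" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -set_serial 0x1001 -days 3650 \
        -sha256 -extfile "$1/ek.cnf" -extensions ek_ext -out "$1/ek.pem" \
        2>/dev/null
}

# What a relying party checks before trusting the certificate: it chains to
# the local CA, it binds exactly the EK public key that was handed in, and it
# carries the TCG identity attributes.
check_ek_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/ek.pem" >/dev/null || return 1
    [ "$(openssl x509 -in "$1/ek.pem" -noout -modulus | cut -d= -f2)" = \
      "$(ek_modulus_hex "$1/ek_pub.pem")" ] || return 1
    openssl x509 -in "$1/ek.pem" -noout -text | grep -q 'id:49424D00'
}

work=$(mktemp -d)
make_local_ca "$work"
make_fake_ek_pubkey "$work"
mod=$(ek_modulus_hex "$work/ek_pub.pem")
echo "EK modulus for --modulus: $(printf %s "$mod" | cut -c1-32)..."
issue_ek_cert "$work"
check_ek_cert "$work"
echo "EK certificate issued and verified: $work/ek.pem"
# With swtpm_cert, the same issuance reads (DER output unless --pem is given):
#   swtpm_cert --type ek --modulus "$mod" --signkey "$work/ca.key" \
#       --issuercert "$work/ca.pem" --out-cert "$work/ek.der" \
#       --tpm-manufacturer id:49424D00 --tpm-model swtpm \
#       --tpm-version id:20191023 --subject "C=DE,ST=BW,L=Boeblingen"
```

Run it as a script; it prints the temporary directory holding ca.pem, ek_pub.pem
and ek.pem. The modulus comparison in check_ek_cert is the check that matters
operationally: issuing from a bare public key (openssl's C<-force_pubkey> here,
B<--modulus> or B<--pubkey> with swtpm_cert) gives no proof that whoever
submitted the key holds the matching private part, so a local CA working this
way must obtain the EK public key over a path it trusts, directly from the TPM.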
=head1 SEE ALSO

=head1 REPORTING BUGS

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>