[swtpm.git] / man / man8 / swtpm_cert.pod

=head1 NAME

swtpm_cert

=head1 SYNOPSIS

B<swtpm_cert [OPTIONS]>

=head1 DESCRIPTION

B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
Endorsement Key. The reason for this specific tool is that it works  without access
to the Endorsement Key's private key. Typically tools require either a self-signed
certificate request or access to the private key to issue a certificate.
This tool works with only the public key part.


The following options are supported:

=over 4

=item B<--type {ek|platform|aik}>

The type of certificate to create; by default an EK certificate is created.

=item B<--pubkey <filename>>

The public key (EK) in PEM format.

=item B<--modulus <hex digits>>

The modulus of the public key as a string of hex digits. This option
can be used in place of the --pubkey option.

=item <--ecc-x <hex digits>>

The elliptic curve parameter x as string of hex digits.

=item <--ecc-y <hex digits>>

The elliptic curve parameter y as string of hex digits.

=item B<--exponent <exponent>>

The exponent of the public key. By default 0x10001 is assumed.

=item B<--signkey <filename>>

The key used for signing the certificate. The file must be in PEM format.

=item B<--signkey-password <password>>

Optional password for the signing key.

=item B<--issuercert <filename>>

The X.509 certificate of this signer that takes on the role of a local CA.

=item B<--out-cert <filename>>

The name of the file to write the X.509v3 certificate into. The output will
be in PEM format.

=item B<--serial <serial number>>

Optional 32bit serial number for the certificate.

=item B<--days <number>>

The number of days the certificate is valid; by default it is valid for 365 days.

=item B<--pem>

Write the resulting certificate in PEM format; DER format is the default.

=item B<--tpm-manufacturer <name>>

The name of the TPM manufacturer.

=item B<--tpm-model <model>>

The TPM model (part number).

=item B<--tpm-version <version>>

The TPM's firmware version.

=item B<--platform-manufacturer <name>>

The name of the platform manufacturer.

=item B<--platform-model <model>>

The platform model.

=item B<--platform-version <version>>

The platform's version.

=item B<--subject <subject>>

Subject to for example provide the location of the TPM in the format of
C=<country>,ST=<state>,L=<location>.
Note that the location must no contain any spaces.

=item B<--tpm2>

Issue TPM 2 compliant certificates.

=item B<--allow-signing>

Create an EK that can also be used for signing. This option requires --tpm2.

=item B<--help, -h>

Display the help screen

=back

=head1 SEE ALSO

=head1 REPORTING BUGS

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>
Commit	Line	Data
e46a2b66 SB	1	=head1 NAME
	2
	3	swtpm_cert
	4
	5	=head1 SYNOPSIS
	6
	7	B<swtpm_cert [OPTIONS]>
	8
	9	=head1 DESCRIPTION
	10
	11	B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
	12	Endorsement Key. The reason for this specific tool is that it works without access
	13	to the Endorsement Key's private key. Typically tools require either a self-signed
	14	certificate request or access to the private key to issue a certificate.
	15	This tool works with only the public key part.
	16
	17
	18	The following options are supported:
	19
	20	=over 4
	21
	22	=item B<--type {ek\|platform\|aik}>
	23
	24	The type of certificate to create; by default an EK certificate is created.
	25
	26	=item B<--pubkey <filename>>
	27
	28	The public key (EK) in PEM format.
	29
	30	=item B<--modulus <hex digits>>
	31
	32	The modulus of the public key as a string of hex digits. This option
	33	can be used in place of the --pubkey option.
	34
276eee02 SB	35	=item <--ecc-x <hex digits>>
	36
	37	The elliptic curve parameter x as string of hex digits.
	38
	39	=item <--ecc-y <hex digits>>
	40
	41	The elliptic curve parameter y as string of hex digits.
	42
e46a2b66 SB	43	=item B<--exponent <exponent>>
	44
	45	The exponent of the public key. By default 0x10001 is assumed.
	46
	47	=item B<--signkey <filename>>
	48
	49	The key used for signing the certificate. The file must be in PEM format.
	50
	51	=item B<--signkey-password <password>>
	52
	53	Optional password for the signing key.
	54
	55	=item B<--issuercert <filename>>
	56
	57	The X.509 certificate of this signer that takes on the role of a local CA.
	58
	59	=item B<--out-cert <filename>>
	60
	61	The name of the file to write the X.509v3 certificate into. The output will
	62	be in PEM format.
	63
	64	=item B<--serial <serial number>>
	65
	66	Optional 32bit serial number for the certificate.
	67
	68	=item B<--days <number>>
	69
	70	The number of days the certificate is valid; by default it is valid for 365 days.
	71
	72	=item B<--pem>
	73
	74	Write the resulting certificate in PEM format; DER format is the default.
	75
	76	=item B<--tpm-manufacturer <name>>
	77
	78	The name of the TPM manufacturer.
	79
	80	=item B<--tpm-model <model>>
	81
	82	The TPM model (part number).
	83
	84	=item B<--tpm-version <version>>
	85
	86	The TPM's firmware version.
	87
	88	=item B<--platform-manufacturer <name>>
	89
	90	The name of the platform manufacturer.
	91
	92	=item B<--platform-model <model>>
	93
	94	The platform model.
	95
	96	=item B<--platform-version <version>>
	97
	98	The platform's version.
	99
	100	=item B<--subject <subject>>
	101
	102	Subject to for example provide the location of the TPM in the format of
	103	C=<country>,ST=<state>,L=<location>.
	104	Note that the location must no contain any spaces.
	105
e5ffc74d SB	106	=item B<--tpm2>
	107
	108	Issue TPM 2 compliant certificates.
	109
	110	=item B<--allow-signing>
	111
	112	Create an EK that can also be used for signing. This option requires --tpm2.
	113
e46a2b66 SB	114	=item B<--help, -h>
	115
	116	Display the help screen
	117
	118	=back
	119
	120	=head1 SEE ALSO
	121
	122	=head1 REPORTING BUGS
	123
	124	Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>