swtpm/man/man8/swtpm_localca.pod

=head1 NAME

swtpm_localca  - Local CA to create EK and platform certs for swtpm

=head1 SYNOPSIS

B<swtpm_localca [OPTIONS]>

=head1 DESCRIPTION

B<swtpm_localca> is a tool to create TPM Endorsement Key (EK) and platform
certificates on the host. It uses the I<swtpm_cert> program to create
the certificates.

The program will typically be invoked by the I<swtpm_setup> program
that uses the I</etc/swtpm_setup.conf> configuration file where
a variable needs to be set that points to this program.
It implements command line options that the I<swtpm_setup>
program uses to provide the necessary parameters to it.

B<swtpm_localca> will automatically try to create the signing key and
certificate if the configuration points to a missing signing key.
Since this certificate must be signed by a CA, a root certificate authority
will also be created and will sign this certificate. The root CA's
private key and certificate will be located in the same directory as the
signing key and have the names swtpm-localca-rootca-privkey.pem and
swtpm-localca-rootca-cert.pem respectively. The environment variable
SWTPM_ROOTCA_PASSWORD can be set for the password of the root CA's
private key.

Note: Due to limitations of 'certtool', the possible passwords used for
securing the root CA's private key and the intermediate CA's private
key have to be passed over the command line and therefore will be visible
to others on the system. If you are concerned about this, you should create
the CAs elsewhere and copy them onto the target system.

The following options are supported:

=over 4

=item B<--type type>

This parameter indicates the type of certificate to create. The type parameter may
be one of the following: I<ek>, or I<platform>

=item B<--dir dir>

This parameter indicates the directory into which the certificate is to be stored.
The EK certificate is stored in this directory under the name
ek.cert and the platform certificate under the name platform.cert.

=item B<--ek ek> or B<--key key>

This parameter indicates the modulus of the public key of the endorsement key
(EK). The public key is provided as a sequence of ASCII hex digits.

The --key option is an alias for --ek and should be used if key parameters
for another key than an endorsement key are passed.

In case ECC (elliptic curve cryptography) keys are used, the parameter must
have the format --ek x=<hex digits>,y=<hex digits>,id=<curve id>. The
id=<curve id> part is optional and only necessary for ECC curves other
than secp256r1.

=item B<--vmid ID>

This parameter indicates the ID of the VM for which to create the certificate.

=item B<--logfile <logfile>>

The log file to log output to; by default logging goes to stdout and stderr
on the console.

=item B<--configfile <configuration file>>

The configuration file to use. If omitted, the default configuration
file I</etc/swtpm-localca.conf> will be used.

=item B<--optsfile <options file>>

The options file to use. If omitted, the default options file
I</etc/swtpm-localca.options> will be used.

=item B<--tpm-spec-family>, B<--tpm-spec-revision>, B<--tpm-spec-level>

TPM specification parameters that describe the specification that was
followed for the TPM implementation. The parameters will be passed
to swtpm_cert for the creation of the EK certificate.

=item B<--tpm2>

Create TPM 2 compliant certificates.

=item B<--allow-signing>

Create an EK that can also be used for signing. Without this option, the
EK can only be used for key encipherment. This option requires --tpm2.

=item B<--decryption>

If --allow-signing is passed and the EK should also be usable for key
encipherment, this option must be passed. Otherwise key encipherment is the
default. This option requires --tpm2.

=back

=head1 SEE ALSO

B<swtpm-localca.conf>, B<swtpm-localca.options>, 
B<swtpm_setup>, B<swtpm_setup.conf>

=head1 REPORTING BUGS

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>