Proxmox-Port/swtpm
1
0
Fork 0
mirror of https://github.com/stefanberger/swtpm.git synced 2025-08-22 19:04:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
stable-0.9
swtpm/man/man8/swtpm_cert.pod
Stefan Berger 004aa538dd man: Fix a few spelling mistakes 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2023-07-17 20:46:43 -04:00

191 lines
4.6 KiB
Plaintext
Raw Permalink Blame History

=head1 NAME
swtpm_cert - Tool to create EK and platform certs for swtpm (1.2 & 2.0)
=head1 SYNOPSIS
B<swtpm_cert [OPTIONS]>
=head1 DESCRIPTION
B<swtpm_cert> is a local CA tool for creating X.509v3 certificates for the TPM's
Endorsement Key. The reason for this specific tool is that it works without access
to the Endorsement Key's private key. Typically tools require either a self-signed
certificate request or access to the private key to issue a certificate.
This tool works with only the public key part.
The following options are supported:
=over 4
=item B<--type {ek|platform}>
The type of certificate to create; by default an EK certificate is created.
=item B<--pubkey <filename>>
The public key (EK) in PEM format.
=item B<--modulus <hex digits>>
The modulus of the public key as a string of hex digits. This option
can be used in place of the --pubkey option.
=item B<--ecc-x <hex digits>>
The elliptic curve parameter x as string of hex digits.
=item B<--ecc-y <hex digits>>
The elliptic curve parameter y as string of hex digits.
=item B<--ecc-curveid <curve id>>
The elliptic curve's id. secp256r1, secp384r1, and secp521r1 are supported.
If this option is not given, secp256r1 is assumed.
=item B<--exponent <exponent>>
The exponent of the public key. By default 0x10001 is assumed.
=item B<--signkey <filename>>
The key used for signing the certificate. The file must be in PEM format.
=item B<--signkey-password <password>>
Optional password for the signing key.
=item B<--signkey-pwd <pwd>>
This is an alternative option for passing the signing key password. The
following formats are supported for I<pwd>:
- <password> : direct password
- pass:<password> : direct password
- file:<filename> : password in file
- fd:<file descriptor> : read password from file descriptor
- env:<environment variable> : read password from env. variable
All passwords read from files and file descriptors must be a maximum
of 255 bytes (plus one byte for terminating NUL byte).
=item B<--parentkey-password <password>>
Optional password for a parent key. In case a TPM key is used for signing
this would be the password for the TPM's storage root key (SRK).
=item B<--parentkey-pwd <pwd>>
This is an alternative option for passing the parentkey password. See
the description above for supported I<pwd> formats.
=item B<--issuercert <filename>>
The X.509 certificate of this signer that takes on the role of a local CA.
=item B<--out-cert <filename>>
The name of the file to write the X.509v3 certificate into. The output will
be in PEM format.
=item B<--serial <serial number>>
Optional 32bit serial number for the certificate.
=item B<--days <number>>
The number of days the certificate is valid; by default it is valid for 365 days.
=item B<--pem>
Write the resulting certificate in PEM format; DER format is the default.
=item B<--tpm-manufacturer <name>>
The name of the TPM manufacturer.
=item B<--tpm-model <model>>
The TPM model (part number).
=item B<--tpm-version <version>>
The TPM's firmware version.
=item B<--platform-manufacturer <name>>
The name of the platform manufacturer.
=item B<--platform-model <model>>
The platform model.
=item B<--platform-version <version>>
The platform's version.
=item B<--subject <subject>>
Subject to for example provide the location of the TPM in the format of
C=<country>,ST=<state>,L=<location>.
Note that the location must no contain any spaces.
=item B<--tpm2>
Issue TPM 2 compliant certificates.
=item B<--allow-signing>
Create an EK that can also be used for signing. Without this option, the
EK can only be used for key encipherment. This option requires --tpm2.
=item B<--decryption>
If --allow-signing is passed and the EK should also be usable for key
encipherment, this option must be passed. Otherwise key encipherment is the
default. This option requires --tpm2.
=item B<--print-capabilities> (since v0.3)
Print capabilities that were added to swtpm_cert after version 0.2.
The output may contain the following:
{
"type": "swtpm_cert",
"features": [
"cmdarg-signkey-pwd",
"cmdarg-parentkey-pwd"
],
"version": "0.7.0"
}
The version field is available since 0.7.
The maining of the feature verbs is as follows:
=over 4
=item B<cmdarg-signkey-pwd>
The I<--signkey-pwd> option is supported.
=item B<cmdarg-parentkey-pwd>
The I<--parentkey-pwd> option is supported.
=back
=item B<--help, -h>
Display the help screen
=back
=head1 SEE ALSO
=head1 REPORTING BUGS
Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>
Reference in New Issue View Git Blame Copy Permalink