This repository has been archived by the owner on May 16, 2020. It is now read-only.
Create certificate
Iwan Timmer edited this page Feb 11, 2018
Some applications require a certificate before they can use a private key stored in the TPM. This certificate contains the public key and information about the user, and can be signed by a trusted CA.
- Create a directory, like `~/.tpm2/certs`, for storing the certificates.
- Set the `certificates` option in `~/.tpm2/config` to point to the created directory.
- Create a certificate and store it in the directory using one of the following tools:
  - List all private keys stored in the TPM2:

    ```sh
    p11tool --list-privkeys pkcs11:model=TPM2
    ```

  - Create a certificate request to let a trusted party sign your certificate (replace `LABEL` with the label of the key you want to use):

    ```sh
    certtool --generate-request --load-privkey "pkcs11:model=TPM2;object=LABEL;type=private" \
      --load-pubkey "pkcs11:model=TPM2;object=LABEL;type=public" --outfile request.pem
    ```

    or create a self-signed certificate, written directly in DER format:

    ```sh
    certtool --generate-self-signed --load-privkey "pkcs11:model=TPM2;object=LABEL;type=private" \
      --load-pubkey "pkcs11:model=TPM2;object=LABEL;type=public" --outder --outfile LABEL.der
    ```

  - If you receive your signed certificate in PEM format, you need to convert it to DER:

    ```sh
    certtool --outder -i --infile cert.pem --outfile LABEL.der
    ```

  - Copy the `LABEL.der` file to your certificate directory.

NOTE: Ensure your certificate is named correctly and that its filename contains the label of the private key, because the filename is used to find the corresponding private key.
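The two things that most often go wrong with this procedure are a certificate file that is still PEM-encoded and a file whose name does not match any key label. The following script is an added example, not part of this wiki or of the tpm2-pk11 project: given the certificate directory and the list of labels reported by `p11tool --list-privkeys`, it reports for each label whether `LABEL.der` is present, still needs conversion from PEM, or is not a DER structure at all. The PEM-to-DER conversion mirrors what the `certtool --outder` step does; the DER check only validates the outer ASN.1 SEQUENCE framing (it is not a full X.509 parser), and the sample files in `demo()` are constructed placeholders rather than real certificates.

```python
import base64
import os
import re
import tempfile

# Matches the base64 body of a PEM certificate block.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Convert a PEM-encoded certificate to DER bytes.

    This is the same transformation as
    `certtool --outder -i --infile cert.pem --outfile LABEL.der`.
    """
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def looks_like_der_certificate(data: bytes) -> bool:
    """Cheap structural check: a DER certificate is a single outer ASN.1
    SEQUENCE (tag 0x30) whose encoded length covers exactly the rest of the
    file. Catches PEM text, truncated files and stray trailing bytes."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length (< 128 bytes)
        length, header = first, 2
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def check_cert_dir(cert_dir: str, key_labels) -> dict:
    """For every TPM key label, classify `<LABEL>.der` in cert_dir as
    'ok', 'missing', 'pem' (still needs conversion) or 'invalid'."""
    report = {}
    for label in key_labels:
        path = os.path.join(cert_dir, f"{label}.der")
        if not os.path.isfile(path):
            report[label] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if data.lstrip().startswith(b"-----BEGIN"):
            report[label] = "pem"
        elif looks_like_der_certificate(data):
            report[label] = "ok"
        else:
            report[label] = "invalid"
    return report


def demo() -> dict:
    """Constructed sample data (no TPM, no real certificates): one correctly
    named DER file, one PEM file that was copied without conversion, and one
    key label with no certificate at all. The labels are placeholders."""
    fake_der = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }
    fake_pem = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(fake_der).decode()
                + "\n-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "signing.der"), "wb") as f:
            f.write(fake_der)
        with open(os.path.join(d, "auth.der"), "w") as f:
            f.write(fake_pem)              # wrong: PEM saved under a .der name
        return check_cert_dir(d, ["signing", "auth", "backup"])


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label}.der: {state}")
```

Run it against your real directory by replacing the `demo()` call with `check_cert_dir(os.path.expanduser("~/.tpm2/certs"), labels)`, where `labels` is the list of labels you read from the `p11tool --list-privkeys` output; any label reported as `pem` needs the `certtool --outder` conversion step, and any reported as `missing` means the filename does not match the key label.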