% tpm2_certify(1) tpm2-tools | General Commands Manual

NAME

tpm2_certify(1) - Prove that an object is loaded in the TPM.

SYNOPSIS

tpm2_certify [OPTIONS]

DESCRIPTION

tpm2_certify(1) - Proves that an object with a specific NAME is loaded in the TPM. By certifying that the object is loaded, the TPM warrants that a public area with a given NAME is self-consistent and associated with a valid sensitive area.

If a relying party has a public area that has the same NAME as a NAME certified with this command, then the values in that public area are correct. An object that only has its public area loaded cannot be certified.

OPTIONS

These options control the certification:

  • -c, --certifiedkey-context=OBJECT:

    The object to be certified.

  • -C, --signingkey-context=OBJECT:

    The key used to sign the attestation structure.

  • -P, --certifiedkey-auth=AUTH:

    The authorization value provided for the object specified with -c.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm to use in signature generation.

  • --scheme=ALGORITHM:

    The signing scheme used to sign the message. Optional. Signing schemes should follow the "formatting standards", see section "Algorithm Specifiers". Also, see section "Supported Signing Schemes" for a list of supported signature schemes. If specified, the signature scheme must match the key type. If left unspecified, a default signature scheme for the key type will be used.

  • -p, --signingkey-auth=AUTH:

    The authorization value for the signing key specified with -C.

  • -o, --attestation=FILE:

    Output file name for the attestation data.

  • -s, --signature=FILE:

    Output file name for the signature data.

  • -f, --format=FORMAT:

    Format selection for the signature output file.

  • --cphash=FILE

    File path to record the hash of the command parameters. This is commonly termed the cpHash. NOTE: When this option is selected, the tool does not actually execute the command; it only computes and returns the cpHash, unless --rphash is also requested.

  • --rphash=FILE

    File path to record the hash of the response parameters. This is commonly termed as rpHash.

  • -S, --session=FILE:

    The session created using tpm2_startauthsession. This can be used to specify an auxiliary session for auditing and/or encryption/decryption of the command and response parameters.

References

context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

signature format specifiers option used to configure signature FORMAT.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

EXAMPLES

Create a primary key, create and load an RSA key under it, then certify the primary key with that key as the signer. The attestation structure is written to attest.out and the signature over it to sig.out.

tpm2_createprimary -Q -C e -g sha256 -G rsa -c primary.ctx

tpm2_create -Q -g sha256 -G rsa -u certify.pub -r certify.priv -C primary.ctx

tpm2_load -Q -C primary.ctx -u certify.pub -r certify.priv -n certify.name \
-c certify.ctx

tpm2_certify -Q -c primary.ctx -C certify.ctx -g sha256 -o attest.out -s sig.out
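The file written with -o is what a relying party has to inspect. The following Python script is an added example for this page, not part of tpm2-tools: it unmarshals the TPMS_ATTEST in attest.out, rejects blobs that do not start with the TPM_GENERATED magic or are not of the certify type, and compares the certified NAME with the name file written by tpm2_load -n. It assumes that attest.out holds the marshaled TPMS_ATTEST without a leading size field and that the -n file holds the raw name bytes (nameAlg identifier followed by the digest); the sample blob inside it is constructed by hand so the script runs without a TPM.

```python
"""Check the attestation blob written by ``tpm2_certify -o`` (added example, not tpm2-tools code).

Assumed, not stated by the page: the -o file is the marshaled TPMS_ATTEST (TPM 2.0
Library Part 2), big-endian, with no size prefix; the tpm2_load -n file is the raw
name (nameAlg identifier followed by the digest).  The sample blob at the bottom is
constructed by hand so the script runs without a TPM.
Usage on real output:  python3 check_certify.py attest.out certify.name
"""
import struct
import sys

TPM_GENERATED = 0xFF544347          # TPM_GENERATED_VALUE: marks TPM-built structures
TPM_ST_ATTEST_CERTIFY = 0x8017      # TPMI_ST_ATTEST tag produced by TPM2_Certify
TPM_ALG_SHA256 = 0x000B             # nameAlg of the keys in the example above


def _tpm2b(buf, off):
    """Read one size-prefixed TPM2B_* field; return (contents, next offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("TPM2B field runs past the end of the buffer")
    return buf[off:off + size], off + size


def parse_certify_attest(blob):
    """Unmarshal a TPMS_ATTEST of type TPM_ST_ATTEST_CERTIFY into a dict.

    Raises ValueError on a wrong magic, a wrong type or a malformed layout.
    """
    try:
        magic, st = struct.unpack_from(">IH", blob, 0)
        off = 6
        if magic != TPM_GENERATED:
            raise ValueError("magic 0x%08x is not TPM_GENERATED" % magic)
        if st != TPM_ST_ATTEST_CERTIFY:
            raise ValueError("type 0x%04x is not TPM_ST_ATTEST_CERTIFY" % st)
        qualified_signer, off = _tpm2b(blob, off)   # TPM2B_NAME of the signing key
        extra_data, off = _tpm2b(blob, off)         # TPM2B_DATA: qualifyingData echoed back
        clock, resets, restarts, safe = struct.unpack_from(">QIIB", blob, off)
        off += 17                                   # TPMS_CLOCK_INFO
        (firmware_version,) = struct.unpack_from(">Q", blob, off)
        off += 8
        name, off = _tpm2b(blob, off)               # TPMS_CERTIFY_INFO.name
        qualified_name, off = _tpm2b(blob, off)     # TPMS_CERTIFY_INFO.qualifiedName
    except struct.error as e:
        raise ValueError("truncated TPMS_ATTEST: %s" % e)
    if off != len(blob):
        raise ValueError("%d trailing byte(s) after TPMS_ATTEST" % (len(blob) - off))
    return {"qualified_signer": qualified_signer, "extra_data": extra_data,
            "clock": clock, "reset_count": resets, "restart_count": restarts,
            "safe": bool(safe), "firmware_version": firmware_version,
            "name": name, "qualified_name": qualified_name}


def check_certified_name(blob, expected_name):
    """True iff blob is a well-formed certify attestation whose NAME is expected_name.

    This is the relying party's binding step: the NAME inside the signed structure
    must equal the NAME it computed from the public area it holds.  It complements,
    and does not replace, verifying the signature over blob with the signing key.
    """
    try:
        return parse_certify_attest(blob)["name"] == expected_name
    except ValueError:
        return False


def _tpm2b_pack(data):
    return struct.pack(">H", len(data)) + data


def build_sample_attest(name, qualified_name, extra=b"", signer_name=b""):
    """Marshal a certify TPMS_ATTEST; used only to build the constructed sample."""
    return (struct.pack(">IH", TPM_GENERATED, TPM_ST_ATTEST_CERTIFY)
            + _tpm2b_pack(signer_name)
            + _tpm2b_pack(extra)
            + struct.pack(">QIIB", 987654321, 2, 0, 1)   # clock, resetCount, restartCount, safe
            + struct.pack(">Q", 0x20200000000001A5)       # firmwareVersion, made up
            + _tpm2b_pack(name)
            + _tpm2b_pack(qualified_name))


# Constructed sample: fake SHA-256 names, not produced by a real TPM.
SAMPLE_NAME = struct.pack(">H", TPM_ALG_SHA256) + bytes(range(32))
SAMPLE_QUALIFIED_NAME = struct.pack(">H", TPM_ALG_SHA256) + bytes(range(32, 64))
SAMPLE_SIGNER_NAME = struct.pack(">H", TPM_ALG_SHA256) + b"\xaa" * 32
SAMPLE_ATTEST = build_sample_attest(SAMPLE_NAME, SAMPLE_QUALIFIED_NAME,
                                    extra=b"\x01\x02\x03\x04",
                                    signer_name=SAMPLE_SIGNER_NAME)

if __name__ == "__main__":
    if len(sys.argv) == 3:                      # real files from tpm2_certify / tpm2_load
        with open(sys.argv[1], "rb") as f:
            attest = f.read()
        with open(sys.argv[2], "rb") as f:
            name = f.read()
    else:                                       # fall back to the constructed sample
        attest, name = SAMPLE_ATTEST, SAMPLE_NAME
    info = parse_certify_attest(attest)
    print("certified name  :", info["name"].hex())
    print("qualified name  :", info["qualified_name"].hex())
    print("extraData       :", info["extra_data"].hex())
    print("name matches -n :", check_certified_name(attest, name))
```

The name check is only half of the verification. The signature in sig.out must also be checked with the signing key, for instance with tpm2_verifysignature -c certify.ctx -g sha256 -m attest.out -s sig.out for the example above, and the relying party must have a reason to trust that signing key. A key with the restricted attribute will not sign caller-supplied data that begins with TPM_GENERATED, which is what makes the magic meaningful; the example above does not set that attribute on the signing key, so such a key could sign arbitrary bytes and its trustworthiness has to be established separately.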
