% tpm2_certify(1) tpm2-tools | General Commands Manual


# NAME

tpm2_certify(1) - Prove that an object is loaded in the TPM.


# SYNOPSIS

tpm2_certify [OPTIONS]


# DESCRIPTION

tpm2_certify(1) - Proves that an object with a specific NAME is loaded in the TPM. By certifying that the object is loaded, the TPM warrants that a public area with a given NAME is self-consistent and associated with a valid sensitive area.

If a relying party has a public area that has the same NAME as a NAME certified with this command, then the values in that public area are correct: the NAME is the nameAlg digest of the public area, so any change to its attributes, algorithms, policy digest or unique field would change the NAME. An object that only has its public area loaded (for example with tpm2_loadexternal and no private part) cannot be certified.


# OPTIONS

These options control the certification:

  • -c, --certifiedkey-context=OBJECT:

    The object to be certified.

  • -C, --signingkey-context=OBJECT:

    The key used to sign the attestation structure.

  • -P, --certifiedkey-auth=AUTH:

    The authorization value provided for the object specified with -c.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm to use in signature generation.

  • --scheme=ALGORITHM:

    The signing scheme used to sign the message. Optional. Signing schemes should follow the "formatting standards", see section "Algorithm Specifiers". Also, see section "Supported Signing Schemes" for a list of supported signature schemes. If specified, the signature scheme must match the key type. If left unspecified, a default signature scheme for the key type will be used.

  • -p, --signingkey-auth=AUTH:

    The authorization value for the signing key specified with -C.

  • -o, --attestation=FILE:

    Output file name for the attestation data.

  • -s, --signature=FILE:

    Output file name for the signature data.

  • -f, --format=FORMAT:

    Format selection for the signature output file.

  • --cphash=FILE:

    File path to record the hash of the command parameters. This is commonly termed the cpHash. NOTE: When this option is selected, the tool will not actually execute the command; it simply returns the cpHash, unless rphash is also requested.

  • --rphash=FILE:

    File path to record the hash of the response parameters. This is commonly termed the rpHash.

  • -S, --session=FILE:

    The session created using tpm2_startauthsession. This can be used to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.


## References

The context object format section details the methods for specifying OBJECT.

The authorization formatting section details the methods for specifying AUTH.

The algorithm specifiers section details the options for specifying cryptographic algorithms ALGORITHM.

The signature format specifiers section details the options used to configure the signature FORMAT.

The common options section collects common options that provide information many users may expect.

The common TCTI options section collects the options used to configure the various known TCTI modules.


# EXAMPLES

Create a primary key and certify it with a signing key created and loaded under it.

```bash
# Primary key in the endorsement hierarchy; this is the object to be certified.
tpm2_createprimary -Q -C e -g sha256 -G rsa -c primary.ctx

# Child key under it; tpm2_create's default attributes include sign, so it
# can act as the certifying (signing) key.
tpm2_create -Q -g sha256 -G rsa -u certify.pub -r certify.priv -C primary.ctx

# Load the child; -n records its NAME.
tpm2_load -Q -C primary.ctx -u certify.pub -r certify.priv -n certify.name \
-c certify.ctx

# Certify the primary (-c) with the loaded child as signer (-C). attest.out is
# the TPMS_ATTEST structure, sig.out the signature over it.
tpm2_certify -Q -c primary.ctx -C certify.ctx -g sha256 -o attest.out -s sig.out
```
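The relying-party side of the example above, as an added example that is not part of tpm2-tools: a Python script that decodes attest.out (the TPMS_ATTEST structure defined in TPM 2.0 Library Part 2), refuses anything that is not a CERTIFY attestation, and checks that the certified NAME equals the NAME computed from the public area the relying party holds, which is the check the DESCRIPTION describes. Assumptions: the public area is the TPM2B_PUBLIC file written by `tpm2_create -u` for a key with a SHA-256 nameAlg (`tpm2_create -g sha256`), so NAME = 0x000b || SHA-256(TPMT_PUBLIC); the file name check_certify.py, the build_certify_attest helper and every sample byte string are constructed here and are not TPM output.

```python
"""Relying-party check of the attestation tpm2_certify writes with -o.

Added example, not tpm2-tools code. Decodes the TPMS_ATTEST in attest.out,
requires type CERTIFY, and compares the certified NAME with the NAME of the
public area the relying party holds. sig.out is verified separately.
"""
import hashlib
import struct
import sys

TPM_GENERATED_VALUE = 0xFF544347   # TPMS_ATTEST.magic ("\xffTCG")
TPM_ST_ATTEST_CERTIFY = 0x8017     # TPMS_ATTEST.type produced by TPM2_Certify
TPM_ALG_SHA256 = 0x000B


class AttestError(ValueError):
    """attest.out is malformed or does not certify the expected NAME."""


def _take(buf, off, n):
    if off + n > len(buf):
        raise AttestError("truncated attestation structure at offset %d" % off)
    return bytes(buf[off:off + n]), off + n


def _tpm2b(buf, off):
    """Read a TPM2B_* field: big-endian UINT16 size, then that many bytes."""
    raw, off = _take(buf, off, 2)
    return _take(buf, off, struct.unpack(">H", raw)[0])


def _tpm2b_enc(data):
    return struct.pack(">H", len(data)) + data


def name_from_pub_file(pub_file, name_alg=TPM_ALG_SHA256):
    """NAME of a public area stored as TPM2B_PUBLIC (what tpm2_create -u writes).

    NAME = nameAlg || H_nameAlg(TPMT_PUBLIC). Assumption: nameAlg is SHA-256
    (tpm2_create -g sha256) and the file starts with the TPM2B size prefix.
    """
    if name_alg != TPM_ALG_SHA256:
        raise AttestError("only a SHA-256 nameAlg is handled here")
    body, end = _tpm2b(pub_file, 0)
    if end != len(pub_file):
        raise AttestError("trailing bytes after TPM2B_PUBLIC")
    return struct.pack(">H", name_alg) + hashlib.sha256(body).digest()


def parse_certify_attest(blob):
    """Decode a TPMS_ATTEST of type CERTIFY into its fields."""
    raw, off = _take(blob, 0, 6)
    magic, atype = struct.unpack(">IH", raw)
    if magic != TPM_GENERATED_VALUE:
        raise AttestError("bad magic 0x%08x: not a TPM-generated structure" % magic)
    if atype != TPM_ST_ATTEST_CERTIFY:
        raise AttestError("attestation type 0x%04x is not TPM_ST_ATTEST_CERTIFY" % atype)
    qualified_signer, off = _tpm2b(blob, off)  # NAME of the signing key (-C)
    extra_data, off = _tpm2b(blob, off)        # qualifyingData; tpm2_certify has no option to set it
    raw, off = _take(blob, off, 17)            # TPMS_CLOCK_INFO: UINT64, UINT32, UINT32, TPMI_YES_NO
    clock, reset_count, restart_count, safe = struct.unpack(">QIIB", raw)
    raw, off = _take(blob, off, 8)
    firmware_version = struct.unpack(">Q", raw)[0]
    name, off = _tpm2b(blob, off)              # TPMS_CERTIFY_INFO.name: the certified object (-c)
    qualified_name, off = _tpm2b(blob, off)    # TPMS_CERTIFY_INFO.qualifiedName
    if off != len(blob):
        raise AttestError("%d trailing bytes after TPMS_CERTIFY_INFO" % (len(blob) - off))
    return {"qualified_signer": qualified_signer, "extra_data": extra_data,
            "clock": clock, "reset_count": reset_count, "restart_count": restart_count,
            "safe": safe, "firmware_version": firmware_version,
            "name": name, "qualified_name": qualified_name}


def check_certified_name(blob, expected_name):
    """Parse attest.out and require that it certifies expected_name; return the fields."""
    att = parse_certify_attest(blob)
    if att["name"] != expected_name:
        raise AttestError("certified NAME %s does not match expected %s"
                          % (att["name"].hex(), expected_name.hex()))
    return att


def build_certify_attest(qualified_signer, extra_data, clock_info, fw_version, name, qualified_name):
    """Encode a CERTIFY TPMS_ATTEST; used here only to construct sample input offline."""
    clock, reset_count, restart_count, safe = clock_info
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
            + _tpm2b_enc(qualified_signer) + _tpm2b_enc(extra_data)
            + struct.pack(">QIIB", clock, reset_count, restart_count, safe)
            + struct.pack(">Q", fw_version)
            + _tpm2b_enc(name) + _tpm2b_enc(qualified_name))


# Constructed sample input, not TPM output: a stand-in public-area file and the
# attestation a TPM would emit for it. Real input is certify.pub and attest.out.
SAMPLE_PUB_FILE = b"\x00\x10" + b"\x00\x01\x00\x0b" + b"\xaa" * 12
SAMPLE_NAME = name_from_pub_file(SAMPLE_PUB_FILE)
SAMPLE_SIGNER_NAME = b"\x00\x0b" + hashlib.sha256(b"sample signing key").digest()
SAMPLE_QUALIFIED_NAME = b"\x00\x0b" + hashlib.sha256(SAMPLE_SIGNER_NAME + SAMPLE_NAME).digest()
SAMPLE_ATTEST = build_certify_attest(SAMPLE_SIGNER_NAME, b"", (1234567, 3, 0, 1),
                                     0x20191023, SAMPLE_NAME, SAMPLE_QUALIFIED_NAME)

if __name__ == "__main__":
    # python3 check_certify.py attest.out certify.pub ; no arguments checks the sample
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            attest = f.read()
        with open(sys.argv[2], "rb") as f:
            expected = name_from_pub_file(f.read())
    else:
        attest, expected = SAMPLE_ATTEST, SAMPLE_NAME
    fields = check_certified_name(attest, expected)
    print("certified NAME %s, signer NAME %s, resetCount %d"
          % (fields["name"].hex(), fields["qualified_signer"].hex(), fields["reset_count"]))
```

Two things the script deliberately leaves out. First, it does not verify sig.out: on the TPM host that is `tpm2_verifysignature -c certify.ctx -g sha256 -m attest.out -s sig.out`; a relying party holding only the signer's public key (`tpm2_readpublic -c certify.ctx -f pem -o signer.pem` on the host) can instead run `openssl dgst -sha256 -verify signer.pem -signature sig.out attest.out`, provided tpm2_certify was given `-f plain` and the key signs with the RSASSA scheme tpm2-tools selects by default for an RSA key that has no scheme of its own. Second, it cannot establish freshness: the option list above gives no way to pass caller-chosen qualifying data, so extraData is not a nonce and a replayed attest.out/sig.out pair verifies exactly as the original did. If replay matters, compare clock and resetCount against an earlier attestation from the same TPM, or use a different attestation path that accepts qualifying data.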