tpm2_certifyX509certutil(1) General Commands Manual tpm2_certifyX509certutil(1)

tpm2_certifyX509certutil(1) - Generate partial X509 certificate.

tpm2_certifyX509certutil [OPTIONS]

tpm2_certifyX509certutil(1) - Generates a partial certificate that is suitable as the third input parameter of the TPM2_CertifyX509 command. The certificate data is written to a file in DER format and can be examined with the openssl asn1parse tool as follows:

openssl asn1parse -in partial_cert.der -inform DER

These are the available options:

-o, --outcert=STRING: The output file the certificate will be written to. The default is partial_cert.der. Optional parameter.
-d, --days=NUMBER: The number of days the certificate will be valid, starting from today. The default is 3560 (roughly 10 years). Optional parameter.
-i, --issuer=STRING: The ISSUER entry for the cert, in the following format: --issuer="C=US;O=org;OU=Org unit;CN=cname". Supported fields are:
C - "Country", max size = 2
O - "Org", max size = 8
OU - "Org Unit", max size = 8
CN - "Common Name", max size = 8
The fields need to be separated with semicolons. At least one supported field is required for the option to be valid. Optional parameter.
-s, --subject=STRING: The SUBJECT entry for the cert, in the following format: --subject="C=US;O=org;OU=Org unit;CN=cname". Supported fields are:
C - "Country", max size = 2
O - "Org", max size = 8
OU - "Org Unit", max size = 8
CN - "Common Name", max size = 8
The fields need to be separated with semicolons. At least one supported field is required for the option to be valid. Optional parameter.
ARGUMENT: No positional arguments are required.
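The --issuer and --subject values above end up as DER-encoded RFC 5280 Name structures inside the partial certificate, and --days becomes a Validity window. The following is an added example, not tpm2-tools code and not a reproduction of the tool's full partial-certificate layout: it parses the "C=US;O=org;OU=Org unit;CN=cname" field syntax, enforces the documented per-field size limits (assumed here to count bytes), and DER-encodes the Name and Validity components so the output can be cross-checked with openssl asn1parse. The file name issuer_name.der and the function names are this example's own. It also covers the edge case the page's 3560-day default will hit after 2040: RFC 5280 requires GeneralizedTime rather than UTCTime for dates from 2050 on.

```python
"""Added example, not tpm2-tools code: parse the --issuer/--subject field
syntax documented for tpm2_certifyX509certutil, enforce the documented
per-field size limits, and DER-encode the resulting RFC 5280 Name and a
Validity window so the bytes can be checked with `openssl asn1parse`."""
import datetime

# RFC 5280 attribute-type OIDs for the four supported fields, pre-encoded as
# DER OBJECT IDENTIFIER TLVs (tag 0x06).
ATTR_OIDS = {
    "C":  bytes.fromhex("0603550406"),  # id-at-countryName (2.5.4.6)
    "O":  bytes.fromhex("060355040a"),  # id-at-organizationName (2.5.4.10)
    "OU": bytes.fromhex("060355040b"),  # id-at-organizationalUnitName (2.5.4.11)
    "CN": bytes.fromhex("0603550403"),  # id-at-commonName (2.5.4.3)
}
# Limits as documented on the man page; assumption: they count UTF-8 bytes.
MAX_LEN = {"C": 2, "O": 8, "OU": 8, "CN": 8}


def der_len(n):
    """DER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body


def parse_name(spec):
    """Parse 'C=US;O=org;OU=Org unit;CN=cname' into [(field, value), ...].

    Raises ValueError for an unknown field, a value over its size limit, or a
    spec that contains none of the supported fields.
    """
    fields = []
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        key, val = key.strip().upper(), val.strip()
        if not sep or key not in ATTR_OIDS:
            raise ValueError("unsupported field: %r" % part)
        if len(val.encode("utf-8")) > MAX_LEN[key]:
            raise ValueError("%s exceeds %d bytes: %r" % (key, MAX_LEN[key], val))
        fields.append((key, val))
    if not fields:
        raise ValueError("at least one of C, O, OU, CN is required")
    return fields


def name_error(spec):
    """Return the validation error message for spec, or None if it is valid."""
    try:
        parse_name(spec)
        return None
    except ValueError as e:
        return str(e)


def encode_name(fields):
    """DER Name: SEQUENCE OF (SET OF one AttributeTypeAndValue), in input order."""
    rdns = b""
    for key, val in fields:
        # countryName must be PrintableString (0x13); the rest go out as UTF8String (0x0c).
        string_tag = 0x13 if key == "C" else 0x0C
        atv = der_tlv(0x30, ATTR_OIDS[key] + der_tlv(string_tag, val.encode("utf-8")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def encode_time(dt):
    """RFC 5280 Time: UTCTime (0x17) before 2050, GeneralizedTime (0x18) from 2050 on."""
    if dt.year < 2050:
        return der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return der_tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def encode_validity(not_before, days):
    """DER Validity covering `days` days from not_before (what --days expresses)."""
    not_after = not_before + datetime.timedelta(days=days)
    return der_tlv(0x30, encode_time(not_before) + encode_time(not_after))


if __name__ == "__main__":
    # Constructed inputs matching the option examples on the man page.
    issuer = encode_name(parse_name("C=US;O=org;OU=Org unit;CN=cname"))
    validity = encode_validity(datetime.datetime.now(datetime.timezone.utc), 3560)
    with open("issuer_name.der", "wb") as f:
        f.write(issuer)
    print("issuer:  ", issuer.hex())
    print("validity:", validity.hex())
    print("inspect with: openssl asn1parse -in issuer_name.der -inform DER")
```

Running the script and then `openssl asn1parse -in issuer_name.der -inform DER` shows the same SEQUENCE/SET/OBJECT/PrintableString nesting that asn1parse prints for the issuer and subject of a partial_cert.der produced by the tool, which is a quick way to confirm that a field was not silently truncated or rejected.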

This collection of options is common to many programs and provides information that many users may expect.

-h, --help=[man|no-man]: Display the tool's manpage. By default, it attempts to invoke the manpager for the tool; on failure it outputs a short tool summary. This is the same behavior as when the "man" option argument is specified, except that when "man" is requested explicitly the tool will pass through errors from man on stderr. If the "no-man" option is specified, or the manpager fails, the short options are written to stdout.

To successfully use the manpages feature requires the manpages to be installed or on MANPATH, See man(1) for more details.

-v, --version: Display version information for this tool, supported tctis and exit.
-V, --verbose: Increase the information that the tool prints to the console during its execution. When using this option the file and line number are printed.
-Q, --quiet: Silence normal tool output to stdout.
-Z, --enable-errata: Enable the application of errata fixups. Useful if an errata fixup needs to be applied to commands sent to the TPM. Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.
-R, --autoflush: Enable autoflush for transient objects created by the command. If a parent object is loaded from a context file, the transient parent object will be flushed as well. Autoflush can also be activated by setting the environment variable TPM2TOOLS_AUTOFLUSH to yes or true.

tpm2 certifyX509certutil -o partial_cert.der -d 356

Tools can return any of the following codes:

0 - Success.
1 - General non-specific error.
2 - Options handling error.
3 - Authentication error.
4 - TCTI related error.
5 - Unsupported scheme. Applicable to tpm2_testparams.

Bugs: report them via the tpm2-tools GitHub Issues tracker.

Help: see the tpm2-tools mailing list.

tpm2-tools