Provided by: tpm2-tools_2.1.0-1build1_amd64 bug

NAME
       tpm2_certify -  prove  that  an  object  with  a  specific  Name  is loaded in the TPM. By
       certifying that the object is loaded, the TPM warrants that a public  area  with  a  given
       Name is self-consistent and associated with a valid sensitive area. If a relying party has
       a public area that has the same Name as a Name  certified  with  this  command,  then  the
       values  in  that public area are correct. The object may be any object that is loaded with
       TPM2_Load() or TPM2_CreatePrimary().  An object that  only  has  its  public  area  loaded
       cannot be certified.


SYNOPSIS
       tpm2_certify[       COMMON      OPTIONS      ]      [      TCTI      OPTIONS      ]      [
       --objHandle|--objContext|--keyHandle|--keyContext|--pwdo|--pwdk|--halg|--attestFile|--sigFile|--passwdInHex|
       ]

       prove  that  an  object  with a specific Name is loaded in the TPM. By certifying that the
       object is loaded, the TPM warrants that a public area with a given Name is self-consistent
       and  associated with a valid sensitive area. If a relying party has a public area that has
       the same Name as a Name certified with this command, then the values in that  public  area
       are   correct.  The  object  may  be  any  object  that  is  loaded  with  TPM2_Load()  or
       TPM2_CreatePrimary().  An object that only has its public area loaded cannot be certified.


DESCRIPTION
       tpm2_certify prove that an object with a specific Name is loaded in the TPM. By certifying
       that  the object is loaded, the TPM warrants that a public area with a given Name is self-
       consistent and associated with a valid sensitive area. If a relying  party  has  a  public
       area that has the same Name as a Name certified with this command, then the values in that
       public area are correct. The object may be any object that is loaded with  TPM2_Load()  or
       TPM2_CreatePrimary().  An object that only has its public area loaded cannot be certified.


OPTIONS
       -H ,--objHandle
              handle of the object to be certified

       -C ,--objContext
              filename of the object context to be certified

       -k ,--keyHandle
              handle of the key used to sign the attestation  structure

       -c ,--keyContext
              filename of the key context used to sign the  attestation structure

       -P ,--pwdo
              the object handle's password, optional

       -K ,--pwdk
              the keyHandle's password, optional

       -g ,--halg
              the  hash  algorithm  used  to  digest  the  message   0x0004 TPM_ALG_SHA1   0x000B
              TPM_ALG_SHA256     0x000C   TPM_ALG_SHA384     0x000D    TPM_ALG_SHA512      0x0012
              TPM_ALG_SM3_256

       -a ,--attestFile
              output file name, record the attestation structure

       -s ,--sigFile
              output file name, record the signature structure

       -X ,--passwdInHex
              passwords given by any options are hex format.

       [COMMON OPTIONS ]
              This collection of options are common to many programs and provide information that
              many users may expect.

       -h, --help
              Display a manual describing the tool and its usage.

       -v, --version
              Display version information for this tool.

       -V, --verbose
              Increase the information that the tool prints to the console during its execution.

       [TCTI OPTIONS ]
              This collection of options are used to configure the varous TCTI modules available.

       -T, --tcti
              Select the TCTI used for communication with the next component down the TSS  stack.
              In  most  configurations this will be the TPM but it could be a simulator or proxy.
              Supported TCTIs are or “device” or “socket” .

       -d, --device-file
              Specify the TPM device file for use by the device TCTI. The default is /dev/tpm0.

       -R, --socket-address
              Specify the domain name or IP address used by  the  socket  TCTI.  The  default  is
              127.0.0.1.

       -p, --socket-port
              Specify the port number used by the socket TCTI. The default is 2321.

       ENVIRONMENT: TCTI
              This  collection  of environment variables that may be used to configure the varous
              TCTI  modules  available.   The  values  passed  through  these  variables  can  be
              overridden on a per-command basis using the available command line options.

       TPM2TOOLS_TCTI_NAME
              Select  the TCTI used for communication with the next component down the TSS stack.
              In most configurations this will be the TPM but it could be a simulator  or  proxy.
              See 'OPTIONS' section for the names of supported TCTIs.

       TPM2TOOLS_DEVICE_FILE
              Specify the TPM device file for use by the device TCTI.

       TPM2TOOLS_SOCKET_ADDRESS
              Specify the domain name or IP address used by the socket TCTI.

       TPM2TOOLS_SOCKET_PORT
              Specify the port number used by the socket TCTI.


EXAMPLES
       tpm2_certify

              tpm2_certify -H 0x81010002 -k 0x81010001 -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
              tpm2_certify -C obj.context -c key.context -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
              tpm2_certify -H 0x81010002 -k 0x81010001 -P 0011 -K 00FF -X -g 0x00B -a <fileName> -s <fileName>