Provided by: tpm2-tools_2.1.0-1build1_amd64 bug

NAME
       tpm2_certify -  prove  that  an  object with a specific Name is loaded in the TPM. By certifying that the
       object is loaded, the TPM warrants that a public area with a given Name is self-consistent and associated
       with  a  valid  sensitive  area.  If  a  relying party has a public area that has the same Name as a Name
       certified with this command, then the values in that public area are  correct.  The  object  may  be  any
       object  that is loaded with TPM2_Load() or TPM2_CreatePrimary().  An object that only has its public area
       loaded cannot be certified.


SYNOPSIS
       tpm2_certify[        COMMON        OPTIONS        ]        [        TCTI        OPTIONS        ]        [
       --objHandle|--objContext|--keyHandle|--keyContext|--pwdo|--pwdk|--halg|--attestFile|--sigFile|--passwdInHex|
       ]

       prove that an object with a specific Name is loaded in the TPM. By certifying that the object is  loaded,
       the  TPM  warrants  that  a  public area with a given Name is self-consistent and associated with a valid
       sensitive area. If a relying party has a public area that has the same Name as a Name certified with this
       command,  then  the  values  in that public area are correct. The object may be any object that is loaded
       with TPM2_Load() or TPM2_CreatePrimary().  An object that only has  its  public  area  loaded  cannot  be
       certified.


DESCRIPTION
       tpm2_certify  prove  that  an  object  with  a specific Name is loaded in the TPM. By certifying that the
       object is loaded, the TPM warrants that a public area with a given Name is self-consistent and associated
       with  a  valid  sensitive  area.  If  a  relying party has a public area that has the same Name as a Name
       certified with this command, then the values in that public area are  correct.  The  object  may  be  any
       object  that is loaded with TPM2_Load() or TPM2_CreatePrimary().  An object that only has its public area
       loaded cannot be certified.


OPTIONS
       -H ,--objHandle
              handle of the object to be certified

       -C ,--objContext
              filename of the object context to be certified

       -k ,--keyHandle
              handle of the key used to sign the attestation  structure

       -c ,--keyContext
              filename of the key context used to sign the  attestation structure

       -P ,--pwdo
              the object handle's password, optional

       -K ,--pwdk
              the keyHandle's password, optional

       -g ,--halg
              the hash algorithm used  to  digest  the  message   0x0004  TPM_ALG_SHA1    0x000B  TPM_ALG_SHA256
              0x000C TPM_ALG_SHA384   0x000D TPM_ALG_SHA512   0x0012 TPM_ALG_SM3_256

       -a ,--attestFile
              output file name, record the attestation structure

       -s ,--sigFile
              output file name, record the signature structure

       -X ,--passwdInHex
              passwords given by any options are hex format.

       [COMMON OPTIONS ]
              This collection of options are common to many programs and provide information that many users may
              expect.

       -h, --help
              Display a manual describing the tool and its usage.

       -v, --version
              Display version information for this tool.

       -V, --verbose
              Increase the information that the tool prints to the console during its execution.

       [TCTI OPTIONS ]
              This collection of options are used to configure the varous TCTI modules available.

       -T, --tcti
              Select the TCTI used for communication with the next  component  down  the  TSS  stack.   In  most
              configurations  this will be the TPM but it could be a simulator or proxy.  Supported TCTIs are or
              “device” or “socket” .

       -d, --device-file
              Specify the TPM device file for use by the device TCTI. The default is /dev/tpm0.

       -R, --socket-address
              Specify the domain name or IP address used by the socket TCTI. The default is 127.0.0.1.

       -p, --socket-port
              Specify the port number used by the socket TCTI. The default is 2321.

       ENVIRONMENT: TCTI
              This collection of environment variables that may be used to configure  the  varous  TCTI  modules
              available.   The  values  passed  through these variables can be overridden on a per-command basis
              using the available command line options.

       TPM2TOOLS_TCTI_NAME
              Select the TCTI used for communication with the next  component  down  the  TSS  stack.   In  most
              configurations  this  will be the TPM but it could be a simulator or proxy.  See 'OPTIONS' section
              for the names of supported TCTIs.

       TPM2TOOLS_DEVICE_FILE
              Specify the TPM device file for use by the device TCTI.

       TPM2TOOLS_SOCKET_ADDRESS
              Specify the domain name or IP address used by the socket TCTI.

       TPM2TOOLS_SOCKET_PORT
              Specify the port number used by the socket TCTI.


EXAMPLES
       tpm2_certify

              tpm2_certify -H 0x81010002 -k 0x81010001 -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
              tpm2_certify -C obj.context -c key.context -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
              tpm2_certify -H 0x81010002 -k 0x81010001 -P 0011 -K 00FF -X -g 0x00B -a <fileName> -s <fileName>