Provided by: swtpm-tools_0.6.3-0ubuntu4_amd64 bug


       swtpm-localca  - Local CA to create EK and platform certs for swtpm


       swtpm-localca [OPTIONS]


       swtpm-localca is a tool to create TPM Endorsement Key (EK) and platform certificates on
       the host. It uses the swtpm_cert program to create the certificates.

       The program will typically be invoked by the swtpm_setup program that uses the
       /etc/swtpm_setup.conf configuration file where a variable needs to be set that points to
       this program.  It implements command line options that the swtpm_setup program uses to
       provide the necessary parameters to it.

       swtpm-localca will automatically try to create the signing key and certificate if the
       configuration points to a missing signing key.  Since this certificate must be signed by a
       CA, a root certificate authority will also be created and will sign this certificate. The
       root CA's private key and certificate will be located in the same directory as the signing
       key and have the names swtpm-localca-rootca-privkey.pem and swtpm-localca-rootca-cert.pem
       respectively. The environment variable SWTPM_ROOTCA_PASSWORD can be set for the password
       of the root CA's private key.

       The following options are supported:

       --type type
           This parameter indicates the type of certificate to create. The type parameter may be
           one of the following: ek, or platform

       --dir dir
           This parameter indicates the directory into which the certificate is to be stored.
           The EK certificate is stored in this directory under the name ek.cert and the platform
           certificate under the name platform.cert.

       --ek ek
           This parameter indicates the modulus of the public key of the endorsement key (EK).
           The public key is provided as a sequence of ASCII hex digits.

           In case ECC (elliptic curve crypography) keys are used, the parameter must have the
           format --ek x=<hex digits>,y=<hex digits>,id=<curve id>. The id=<curve id> part is
           optional and only necessary for ECC curves other than secp256r1.

       --vmid ID
           This parameter indicates the ID of the VM for which to create the certificate.

       --logfile <logfile>
           The log file to log output to; by default logging goes to stdout and stderr on the

       --configfile <configuration file>
           The configuration file to use. If omitted, the default configuration file
           /etc/swtpm-localca.conf will be used.

       --optsfile <options file>
           The options file to use. If omitted, the default options file
           /etc/swtpm-localca.options will be used.

       --tpm-spec-family, --tpm-spec-revision, --tpm-spec-level
           TPM specification parameters that describe the specification that was followed for the
           TPM implementation. The parameters will be passed to swtpm_cert for the creation of
           the EK certificate.

           Create TPM 2 compliant certificates.

           Create an EK that can also be used for signing. Without this option, the EK can only
           be used for key encipherment. This option requires --tpm2.

           If --allow-signing is passed and the EK should also be useable for key encipherment,
           this option must be passed. Otherwise key encipherment is the default. This option
           requires --tpm2.


       swtpm-localca.conf, swtpm-localca.options, swtpm_setup, swtpm_setup.conf


       Report bugs to Stefan Berger <>