I want to design a system where, from the client side, when I send the EK certificate to the server, the EK public key, which is already on the server side, can be used to verify the integrity of the certificate to confirm it originates from the same TPM.
For that, I need to generate an Endorsement Key (EK) using TPM 2.0, and then obtain an EK certificate from the TPM manufacturer.
I have created the EK public using
sudo tpm2_createek -G rsa -u ek.pub -c 0x81010001
How can I obtain the EK certificate from TPM?
Update:
systemctl start tpm-server.service
sudo systemctl start tpm2-abrmd.service
sudo tpm2_createek -G rsa -u ek.pub -c key.ctx
tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://tpm.manufacturer.com/ekcertserver/
got this error:
saman@dell-5590:~$ sudo tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://tpm.manufacturer.com/ekcertserver/
WARN: TLS communication with the said TPM manufacturer server setup with SSL_NO_VERIFY!
ERROR: curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK
ERROR: Unable to run tpm2_getekcertificate
There is a dedicated tool, tpm2_getekcertificate, provided by tpm2-tools. See this example from the man pages:
Under the hood, the tool reads the RSA EK certificate from TPM nonvolatile memory (NVRAM). The RSA EK certificate specifically is stored at NV index 0x01c00002, as specified in the TCG EK Credential Profile.
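The check the question asks for (does the certificate carry the same EK public key the server already holds?), as an added example that is not from the post or from tpm2-tools: read the RSA EK certificate from NV index 0x01c00002 with tpm2_nvread, export the EK public key under the persistent handle 0x81010001 with tpm2_readpublic, and compare the SubjectPublicKeyInfo of the two with openssl. It assumes tpm2-tools 4.x or later and openssl on PATH; the two tpm2_ calls need a real or simulated TPM, the comparison function does not.

```shell
#!/bin/sh
# Added example (not from the original post or from tpm2-tools): read the RSA EK
# certificate from NVRAM and confirm that the public key inside it is the same key
# tpm2_createek produced. Assumes tpm2-tools 4.x+ and openssl on PATH.

EK_CERT_NV_INDEX=0x01c00002   # RSA EK certificate index (TCG EK Credential Profile)
EK_HANDLE=0x81010001          # persistent handle used in the question

# Read the EK certificate (DER) from NVRAM into the file named by $1,
# authorising the read with the owner hierarchy.
read_ek_cert_from_nv() {
    tpm2_nvread -C o -o "$1" "$EK_CERT_NV_INDEX"
}

# Export the EK public key as a PEM SubjectPublicKeyInfo into the file named by $1.
export_ek_pub_pem() {
    tpm2_readpublic -c "$EK_HANDLE" -f pem -o "$1"
}

# SHA-256 of a DER-encoded SubjectPublicKeyInfo read as PEM from stdin.
# Hashing the DER form avoids spurious mismatches from PEM line wrapping.
spki_digest() {
    openssl pkey -pubin -outform der | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the public key in certificate $1 (DER or PEM) with the PEM public key
# in $2. Returns 0 when they are the same key, 1 otherwise.
ek_cert_matches_pubkey() {
    cert="$1"; pub="$2"
    inform=der
    # A PEM certificate starts with a "-----BEGIN" marker; anything else is treated as DER.
    if grep -q -- '-----BEGIN' "$cert" 2>/dev/null; then inform=pem; fi
    cert_digest=$(openssl x509 -inform "$inform" -in "$cert" -pubkey -noout | spki_digest)
    key_digest=$(spki_digest < "$pub")
    [ -n "$cert_digest" ] && [ "$cert_digest" = "$key_digest" ]
}

# Full flow on a machine with a TPM (not executed when this file is sourced):
#   read_ek_cert_from_nv ek_cert.der && export_ek_pub_pem ek.pem
#   ek_cert_matches_pubkey ek_cert.der ek.pem && echo "EK certificate matches EK public key"
```

A match only shows that the certificate and the key belong together; checking that the certificate chains to the manufacturer's EK CA is a separate openssl verify step against the vendor's CA bundle.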