These are sample certificates from the Trusted Computing Group
Endorsement Key Credential Profile For TPM Family 2.0; Level 0.
- lib/hx509/data/tcg-ek-cp.pem (Endorsement Key certificate)
- lib/hx509/data/tcg-devid.pem (DevID certificate)
https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf
https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
This certificate came from the Trusted Computing Group Endorsement Key
(EK) Credential Profile [0], Appendix A, page 34.
[0] https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf
Note that hxtool at this point prints both certificates, including all their
extensions, HardwareModule Name SAN, certificate policies, and the new
DN attributes TPMVersion, TPMModel, and TPMManufacturer, as shown below.
The work on the ASN.1 compiler helped.
The goal of this work will be to enable a Heimdal service for device
enrolment using TPMs. More TCG profiling has to be done, and perhaps
some ECC work as well. But Heimdal will mostly just be a relying party
and CA, and will not include the client side piece of enrolment.
$ cd build/lib/hx509
$ ./hxtool print --content PEM-FILE:../../../lib/hx509/data/tcg-ek-cp.pem
cert: 0
friendly name:
private key: no
issuer: "CN=ExampleCA"
subject: ""
serial: 01
keyusage: keyEncipherment
subject name:
issuer name: CN=ExampleCA
Validity:
notBefore 2014-01-15 15:40:50
notAfter 2015-01-15 15:40:50
checking extension: authorityInfoAccess
Critical not set on MUST
type: 1.3.6.1.5.5.7.48.2
dirname: URI: http://www.example.com/ExampleCA.crt
checking extension: keyUsage
checking extension: subjectAltName
Critical set on MUST NOT
directoryName: TPMVersion=id:00010023,TPMModel=ABCDEF123456,TPMManufacturer=id:54434700
checking extension: basicConstraints
is NOT a CA
checking extension: cRLDistributionPoints
CRL Distribution Points:
Fullname:
URI: http://www.example.com/ExampleCA.crl
checking extension: certificatePolicies
Policy: 1.2.3.4
checking extension: authorityKeyIdentifier
authority key id: 347767244C44AFE79E2AE0B24C69579524B33DDA
checking extension: extKeyUsage
eku-0: 2.23.133.8.1
checking extension: subjectDirectoryAttributes
Doesn't have SubjectKeyIdentifier
$
$
$ ./hxtool print --content PEM-FILE:../../../lib/hx509/data/tcg-devid.pem
cert: 0
friendly name:
private key: no
issuer: "CN=ExampleCA"
subject: ""
serial: 01
keyusage: keyEncipherment
subject name:
issuer name: CN=ExampleCA
Validity:
notBefore 2014-01-15 15:40:50
notAfter 2015-01-15 15:40:50
checking extension: authorityInfoAccess
Critical not set on MUST
type: 1.3.6.1.5.5.7.48.2
dirname: URI: http://www.example.com/ExampleCA.crt
checking extension: keyUsage
checking extension: subjectAltName
Critical set on MUST NOT
directoryName: TPMVersion=id:00010023,TPMModel=ABCDEF123456,TPMManufacturer=id:54434700
otherName: 1.3.6.1.5.5.7.8.4 HardwareModuleName 2.23.133.1.2:tpmserialnumber
checking extension: basicConstraints
is NOT a CA
checking extension: cRLDistributionPoints
CRL Distribution Points:
Fullname:
URI: http://www.example.com/ExampleCA.crl
checking extension: certificatePolicies
Policy: 1.2.3.4
checking extension: authorityKeyIdentifier
authority key id: 347767244C44AFE79E2AE0B24C69579524B33DDA
checking extension: extKeyUsage
eku-0: 2.23.133.8.1
checking extension: subjectDirectoryAttributes
Doesn't have SubjectKeyIdentifier
$
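As an added example (not Heimdal's code and not the TCG sample PEM), the Python below builds a self-signed certificate shaped like the EK sample printed above (empty subject, TPM identity carried in a SAN directoryName, tcg-kp-EKCertificate EKU) and then extracts and checks that identity the way a relying party such as the enrolment service described above would. It assumes the `cryptography` package and takes the tcg-at-tpmManufacturer/Model/Version attribute OIDs from the EK Credential Profile; only 2.23.133.8.1 appears on the page itself.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

# 2.23.133.8.1 (tcg-kp-EKCertificate) is in the hxtool output above; the tcg-at-tpm*
# attribute OIDs are assumed from the TCG EK Credential Profile, verify against it.
TPM_MANUFACTURER = ObjectIdentifier("2.23.133.2.1")
TPM_MODEL = ObjectIdentifier("2.23.133.2.2")
TPM_VERSION = ObjectIdentifier("2.23.133.2.3")
TCG_KP_EK_CERT = ObjectIdentifier("2.23.133.8.1")

def build_sample_ek_cert(san_critical=True):
    """Self-signed stand-in shaped like tcg-ek-cp.pem (constructed; not the TCG sample)."""
    key = rsa.generate_private_key(65537, 2048)
    ca = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ExampleCA")])
    # The TPM identity lives in a SAN directoryName; the subject itself is empty.
    tpm_dn = x509.Name([
        x509.NameAttribute(TPM_VERSION, "id:00010023"),
        x509.NameAttribute(TPM_MODEL, "ABCDEF123456"),
        x509.NameAttribute(TPM_MANUFACTURER, "id:54434700"),
    ])
    start = datetime.datetime(2014, 1, 15, 15, 40, 50)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([])).issuer_name(ca)
        .public_key(key.public_key()).serial_number(1)
        .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
        # RFC 5280 4.2.1.6: subjectAltName MUST be critical when the subject is empty.
        .add_extension(x509.SubjectAlternativeName([x509.DirectoryName(tpm_dn)]),
                       critical=san_critical)
        .add_extension(x509.ExtendedKeyUsage([TCG_KP_EK_CERT]), critical=False)
        .sign(key, hashes.SHA256())
    )

def tpm_identity(cert):
    """Check EK-profile structure and return (manufacturer, model, version) strings."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    if len(cert.subject) == 0 and not san.critical:
        raise ValueError("empty subject requires a critical subjectAltName")
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if TCG_KP_EK_CERT not in eku:
        raise ValueError("missing tcg-kp-EKCertificate extended key usage")
    dns = san.value.get_values_for_type(x509.DirectoryName)
    if not dns:
        raise ValueError("no directoryName in subjectAltName")
    first = lambda oid: dns[0].get_attributes_for_oid(oid)[0].value
    return first(TPM_MANUFACTURER), first(TPM_MODEL), first(TPM_VERSION)
```

Both samples above have an empty subject, so a relying party should insist on the critical subjectAltName that RFC 5280 requires in that case, as the check does.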
Modern OpenSSL no longer has the 2038 year restriction. Update the
certs to last 500 years rather than 10 years.
Modern crypto requirements suggest a stronger key strength than 1024.
Update to use a minimum of 4096.
Fix executable bit on gen-req.sh
OpenSSL 1.1 has the pkInitKDC OID built in, which breaks as it was redefined by
openssl.cnf in Heimdal. Try to determine if OpenSSL >= 1.1 and if so, use a
configuration file that omits this OID definition. The implementation is not
robust but as this is simply an example (not run by the test suites), it should
be adequate.