These steps validate that the platform certificate stored in the device's TPM NVRAM was generated by ZPE Systems.
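# Get the platform certificate from the device's TPM.
# NOTE(review): --insecure turns off TLS verification of the device's web
# certificate, so the session ticket header is sent to a peer that has not
# been authenticated. Where the device's web certificate (or its CA) is
# available locally, use `--cacert <DEVICE_WEB_CA_FILE>` in place of
# --insecure. The fetched certificate itself is verified further down.
curl -s -X GET \
  https://nodegrid/api/v1/security/certificates/Platform-Certificate \
  --insecure \
  -H 'Content-Type: application/json' \
  -H 'accept: application/json' \
  -H "ticket: $ticket" |
  jq -r .certificate |
  tr -d '\r' |
  sed '/^[[:space:]]*$/d' > device-platform-certificate.crt

# Show which subordinate CA issued the device platform certificate.
# openssl reports a load error here if the API call returned no certificate.
# This device certificate was signed by 'ZPE Systems Manufacturing CA 1'.
openssl x509 -issuer -noout -in device-platform-certificate.crt
#issuer=O = ZPE Systems, CN = ZPE Systems Manufacturing CA 1

# Download the subordinate CA certificate from the device.
# The CA files are copied from the same device that is being validated, so
# the digest checks below are what ties them to the vendor: the reference
# digest must come from this document or the vendor, never from the device.
scp admin@nodegrid:/usr/share/ca-certificates/platform-certificate/zpe_systems_manufacturing_ca_1.crt .

# Verify that the subordinate CA certificate is unadulterated.
# `md5sum -c` compares against the reference digest and prints OK or FAILED,
# instead of leaving a 32-character comparison to the eye. Stop on FAILED.
printf '%s  %s\n' \
  f62cd72093eff2405761df7f66f6aaad zpe_systems_manufacturing_ca_1.crt |
  md5sum -c -
#zpe_systems_manufacturing_ca_1.crt: OK

# Show which root CA issued the subordinate CA.
# This subordinate CA was signed by 'ZPE Systems Root CA 1'.
openssl x509 -issuer -noout -in zpe_systems_manufacturing_ca_1.crt
#issuer=O = ZPE Systems, CN = ZPE Systems Root CA 1

# Download the root CA certificate from the device.
scp admin@nodegrid:/usr/share/ca-certificates/platform-certificate/zpe_systems_root_ca_1.crt .

# Verify that the root CA certificate is unadulterated. Stop on FAILED.
printf '%s  %s\n' \
  bb48016879300c1ab97aa847f80d342e zpe_systems_root_ca_1.crt |
  md5sum -c -
#zpe_systems_root_ca_1.crt: OK

# MD5 is not collision resistant. Where the vendor provides SHA-256
# fingerprints through a channel independent of the device, compare these
# values against <VENDOR_PUBLISHED_SHA256_FINGERPRINT> as well.
openssl x509 -noout -fingerprint -sha256 -in zpe_systems_manufacturing_ca_1.crt
openssl x509 -noout -fingerprint -sha256 -in zpe_systems_root_ca_1.crt

# All required certificates are now available.
ls -1
#device-platform-certificate.crt
#zpe_systems_manufacturing_ca_1.crt
#zpe_systems_root_ca_1.crt

# Create the CA chain bundle (root first, then the subordinate CA).
# It is kept for tools that expect a single chain file.
cat zpe_systems_root_ca_1.crt zpe_systems_manufacturing_ca_1.crt > ca_chain.pem

# Validate the platform certificate with openssl.
# Only the root is given as a trust anchor (-CAfile); the subordinate CA is
# passed with -untrusted so that it must itself chain up to that root.
openssl verify -verbose \
  -CAfile zpe_systems_root_ca_1.crt \
  -untrusted zpe_systems_manufacturing_ca_1.crt \
  device-platform-certificate.crt
#device-platform-certificate.crt: OK

# NOTE(review): OK means the certificate chains to the pinned root. Whether
# it also identifies this specific unit is a separate check; inspect the
# fields and compare them with the device's records — TODO confirm which
# field carries the unit identity.
openssl x509 -noout -subject -serial -in device-platform-certificate.crt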