How to Validate the Platform Certificate
    • 13 Dec 2024

    These steps validate that the platform certificate stored in the device's TPM NVRAM was generated by ZPE Systems.

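    # Get platform certificate from device's TPM
    # ($ticket must already hold a valid API session ticket; --insecure skips
    # TLS verification of the device's web certificate)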
    curl -s -X GET \
      https://nodegrid/api/v1/security/certificates/Platform-Certificate \
      --insecure \
      -H 'Content-Type: application/json' \
      -H 'accept: application/json' \
      -H "ticket: $ticket" | \
      jq -r .certificate | \
      tr -d '\r' | \
      sed '/^[[:space:]]*$/d' > device-platform-certificate.crt
    
    # Check which subordinate CA signed the device platform certificate
    # This device's platform certificate was signed by 'ZPE Systems Manufacturing CA 1'
    openssl x509 -issuer -noout -in device-platform-certificate.crt
    #issuer=O = ZPE Systems, CN = ZPE Systems Manufacturing CA 1
    
    # Download subordinate CA certificate from device
    scp admin@nodegrid:/usr/share/ca-certificates/platform-certificate/zpe_systems_manufacturing_ca_1.crt .
    
    # Verify that the subordinate CA certificate is unadulterated
    md5sum zpe_systems_manufacturing_ca_1.crt
    #f62cd72093eff2405761df7f66f6aaad  ./zpe_systems_manufacturing_ca_1.crt
    
    # Check which root CA signed the subordinate CA
    # This subordinate CA was signed by 'ZPE Systems Root CA 1'
    openssl x509 -issuer -noout -in zpe_systems_manufacturing_ca_1.crt
    #issuer=O = ZPE Systems, CN = ZPE Systems Root CA 1
    
    # Download root certificate from device
    scp admin@nodegrid:/usr/share/ca-certificates/platform-certificate/zpe_systems_root_ca_1.crt .
    
    # Verify that root CA crt is unadulterated
    md5sum zpe_systems_root_ca_1.crt
    #bb48016879300c1ab97aa847f80d342e  ./zpe_systems_root_ca_1.crt
    
    # All required certificates are now available
    ls -1
    #device-platform-certificate.crt
    #zpe_systems_manufacturing_ca_1.crt
    #zpe_systems_root_ca_1.crt
    
    # Create CA chain (root first, then the subordinate CA)
    cat "zpe_systems_root_ca_1.crt" > ca_chain.pem
    cat "zpe_systems_manufacturing_ca_1.crt" >> ca_chain.pem
    
    # Validate platform certificate with openssl
    openssl verify -verbose -CAfile ca_chain.pem device-platform-certificate.crt
    #device-platform-certificate.crt: OK
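
A stricter variant of the final check, as an added example (not ZPE's own procedure): the root is the only trust anchor, the manufacturing CA is passed with `-untrusted` so it has to verify up to that root, and the system trust directory is excluded. The function names and the throwaway chain used to exercise them are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the generated test chain are constructed.

# Verify LEAF with ROOT as the only trust anchor. The intermediate is passed
# with -untrusted, so it is used for chain building but must itself verify up
# to ROOT. -no-CApath (OpenSSL 1.1.0+) keeps the system trust directory out.
# Returns 0 on success, 2 if ROOT is not self-issued, otherwise non-zero.
verify_platform_cert() {  # usage: verify_platform_cert ROOT INTERMEDIATE LEAF
    root=$1; inter=$2; leaf=$3
    subj=$(openssl x509 -noout -subject -in "$root" | sed 's/^subject=//')
    issr=$(openssl x509 -noout -issuer -in "$root" | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ] || return 2
    openssl verify -no-CApath -CAfile "$root" -untrusted "$inter" "$leaf" \
        >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, for comparison with a value obtained
# out of band (the page itself publishes MD5 digests only).
cert_sha256() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Build a throwaway root -> intermediate -> leaf chain in directory $1
# (constructed test data, unrelated to any real CA).
make_constructed_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/O=Constructed/CN=constructed $n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -set_serial 2 -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# With the files from the steps above:
#   verify_platform_cert zpe_systems_root_ca_1.crt \
#       zpe_systems_manufacturing_ca_1.crt device-platform-certificate.crt
```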

