Validating the X.509 Certificate

This section provides information on how to validate the platform certificate. Before the validation ensure that the following requirements are met:

• The commands on this guide are to be executed on a trusted Linux system that has these commands available:tpm2_makecredential, curl, jq, scp

• It assumes "nodegrid" is the hostname of the device to be attested, for example defined in /etc/hosts. "nodegrid" can be changed to the device's IP instead.

• An active Nodegrid API ticket is stored in the variable $ticket . This command can be used to get a ticket:
  

  # Create a Nodegrid API ticket, assuming the password is in variable $NG_ADMIN_PASSWORD
  ticket=$(\
    curl -s -X POST \
    https://nodegrid/api/v1/Session \
    --insecure \
    -H 'Content-Type: application/json' \
    -H 'accept: application/json' \
    -d '{"username": "admin", "password": "'"$NG_ADMIN_PASSWORD"'"}' | \
    jq -r .session \
  )

See the following sections for information about certificate validations:

• Validate the Platform Certificate

• Validate Endorsement Key Certificate

• Validate Attestation Key name in the Platform Certificate

• Validate that TPM can use the private part of the Attestation Key to sign