How to validate Endorsement Key certificate
- 13 Dec 2024
These steps validate that the TPM's EK certificate chains to the TPM vendor's root CA and has not been revoked, and extract the EK public key so that the Platform Certificate can be verified later.
# Get Endorsement Key (EK) RSA certificate from the device
curl -s -X GET \
https://nodegrid/api/v1/security/certificates/TPM-EK-Certificate \
--insecure \
-H 'Content-Type: application/json' \
-H 'accept: application/json' \
-H "ticket: $ticket" | \
jq -r .certificate | \
tr -d '\r' | \
sed '/^[[:space:]]*$/d' > ek.crt
# Verify which subordinate CA signed the EK certificate
# It was signed by 'Infineon OPTIGA(TM) RSA Manufacturing CA 042'
openssl x509 -issuer -noout -in ek.crt
#issuer=C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM), CN = Infineon OPTIGA(TM) TPM 2.0 RSA CA 042
# Check URLs to download crt and crl from TPM manufacturer
openssl x509 -noout -text -in ek.crt | grep URI
# CA Issuers - URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crt
# URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crl
# Download subordinated certificate and CRL from EK vendor website
# The link is present in the ek.crt file
# Note: your URL may be different from this example
curl http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crt -o ek-subordinate.crt
curl http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crl -o ek-subordinate.crl
# Optiga subordinate certificate and CRL are encoded in DER format
# Let's convert them to PEM encoding
openssl x509 -inform der -in ek-subordinate.crt -out ek-subordinate.pem
openssl crl -inform der -in ek-subordinate.crl -out ek-subordinate-crl.pem
# Verify which root CA signed the subordinate CA certificate
# It was signed by 'Infineon OPTIGA(TM) RSA Root CA'
openssl x509 -issuer -noout -in ek-subordinate.pem
#issuer=C = DE, O = Infineon Technologies AG, OU = OPTIGA(TM) Devices, CN = Infineon OPTIGA(TM) RSA Root CA
# Check URLs to download root CA crt and crl from TPM manufacturer
openssl x509 -noout -text -in ek-subordinate.pem | grep URI
# CA Issuers - URI:http://pki.infineon.com/OptigaRsaRootCA/OptigaRsaRootCA.crt
# URI:http://pki.infineon.com/OptigaRsaRootCA/OptigaRsaRootCA.crl
# Download root certificate and CRL from EK vendor website
curl http://pki.infineon.com/OptigaRsaRootCA/OptigaRsaRootCA.crt -o ek-root.crt
curl http://pki.infineon.com/OptigaRsaRootCA/OptigaRsaRootCA.crl -o ek-root.crl
# Optiga root certificate and CRL are encoded in DER format
# Let's convert them to PEM encoding
openssl x509 -inform der -in ek-root.crt -out ek-root.pem
openssl crl -inform der -in ek-root.crl -out ek-root-crl.pem
# create CA chain
cat ek-subordinate.pem > ek-ca-chain.pem
cat ek-root.pem >> ek-ca-chain.pem
# create CRL chain
cat ek-subordinate-crl.pem > ek-crl-chain.pem
cat ek-root-crl.pem >> ek-crl-chain.pem
# Validate EK certificate chain with openssl
openssl verify --verbose -CAfile ek-ca-chain.pem -crl_check_all -CRLfile ek-crl-chain.pem ek.crt
#ek.crt: OK
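The manual walk above (read the CA Issuers and CRL URIs from the certificate, download, convert DER to PEM, repeat at the next level, then verify) generalises to any EK certificate whose issuing CAs publish those URIs. The script below is an added example, not part of this article or of the Nodegrid product; it automates that walk until a self-signed root is reached. It assumes openssl and curl are installed and that ek.crt has already been fetched as shown above; fetch_url is a hypothetical helper name chosen here so the download step can be replaced with a local copy when testing offline.

```shell
#!/bin/sh
# Added example (not from the article): walk an EK certificate's AIA and
# CRL Distribution Point URIs up to the self-signed vendor root, convert
# each DER artefact to PEM, and run the same `openssl verify` check.
# Assumes openssl and curl are installed; fetch_url is a hypothetical helper.

fetch_url() {   # $1 URL, $2 output file
    curl -fsSL "$1" -o "$2"
}

# Accept DER or PEM input and always write PEM output.
cert_to_pem() { # $1 input, $2 output
    openssl x509 -inform der -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform pem -in "$1" -out "$2"
}
crl_to_pem() {  # $1 input, $2 output
    openssl crl -inform der -in "$1" -out "$2" 2>/dev/null ||
        openssl crl -inform pem -in "$1" -out "$2"
}

# First "CA Issuers" URI from the Authority Information Access extension.
cert_issuer_uri() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

# First URI inside the CRL Distribution Points extension.
cert_crl_uri() {
    openssl x509 -noout -text -in "$1" |
        awk '/CRL Distribution Points/ { f = 1 } f && /URI:/ { sub(/.*URI:/, ""); print; exit }'
}

# A certificate whose subject equals its issuer is the root of the chain.
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# build_ek_chain EK.pem CA-CHAIN.pem CRL-CHAIN.pem WORKDIR
# Starting at the EK certificate, download the issuer certificate and the CRL
# that covers the current certificate, and repeat until a self-signed root.
build_ek_chain() {
    cur=$1; chain=$2; crls=$3; work=$4; depth=0
    : > "$chain"; : > "$crls"
    while ! cert_is_self_signed "$cur"; do
        depth=$((depth + 1))
        if [ "$depth" -gt 8 ]; then
            echo "chain longer than 8 certificates, giving up" >&2; return 1
        fi
        issuer_uri=$(cert_issuer_uri "$cur"); crl_uri=$(cert_crl_uri "$cur")
        if [ -z "$issuer_uri" ] || [ -z "$crl_uri" ]; then
            echo "$cur: missing CA Issuers or CRL Distribution Point URI" >&2; return 1
        fi
        fetch_url "$issuer_uri" "$work/issuer$depth.raw" || return 1
        fetch_url "$crl_uri" "$work/crl$depth.raw" || return 1
        cert_to_pem "$work/issuer$depth.raw" "$work/issuer$depth.pem" || return 1
        crl_to_pem "$work/crl$depth.raw" "$work/crl$depth.pem" || return 1
        cat "$work/issuer$depth.pem" >> "$chain"
        cat "$work/crl$depth.pem" >> "$crls"
        cur=$work/issuer$depth.pem
    done
}

# Same check as the article's final step: full chain plus CRL status of every link.
verify_ek() {   # $1 EK cert, $2 CA chain, $3 CRL chain
    openssl verify -CAfile "$2" -crl_check_all -CRLfile "$3" "$1"
}

# Stand-alone usage: sh validate-ek.sh ek.crt
if [ "$#" -gt 0 ]; then
    work=$(mktemp -d)
    build_ek_chain "$1" ek-ca-chain.pem ek-crl-chain.pem "$work" &&
        verify_ek "$1" ek-ca-chain.pem ek-crl-chain.pem
fi
```

The script stops when a certificate's subject equals its issuer, refuses chains longer than eight hops, and fails closed if any link lacks a CA Issuers or CRL Distribution Point URI, since `-crl_check_all` cannot pass without a CRL for every CA in the chain. Like the article, it passes the whole chain to `-CAfile`; if you prefer to trust only the vendor root, put the intermediate certificates in `-untrusted` instead.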