swtpm-localca.conf - Man Page

Configuration file for swtpm-localca

Description

The file /etc/swtpm-localca.conf contains configuration variables for the swtpm-localca program.

The following configuration variables must be set:

statedir

The name of the directory in which to store data. A lock will be created in this directory.

signingkey

The file containing the key used for signing the certificates. Provide a key in PEM format. If a PKCS11 URI is used, all semicolons ';' must be escaped and written as '\;'.

signingkey_password

The password to use for the signing key.

issuercert

The file containing the certificate for this CA. Provide a certificate in PEM format.

certserial

The name of the file containing the serial number for the next certificate.

TSS_TCSD_HOSTNAME

This variable can be set to the host on which tcsd is running in case the signing key is a GnuTLS TPM 1.2 key. By default localhost will be used.

TSS_TCSD_PORT

This variable can be set to the port on which tcsd is listening for connections. By default port 30003 will be used.

Example

An example swtpm-localca.conf file may look as follows:

 statedir = /var/lib/swtpm_localca
 signingkey = /var/lib/swtpm_localca/signkey.pem
 issuercert = /var/lib/swtpm_localca/issuercert.pem
 certserial = /var/lib/swtpm_localca/certserial

With a PKCS11 URI it may look like this:

 statedir = /var/lib/swtpm-localca
 signingkey = pkcs11:model=SoftHSM%20v2\;manufacturer=SoftHSM%20project\;serial=891b99c169e41301\;token=mylabel\;id=%00\;object=mykey\;type=public
 issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
 certserial = /var/lib/swtpm-localca/certserial
 SWTPM_PKCS11_PIN = 1234
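
The following check is an added example, not part of this man page or the swtpm project: it parses the name = value format shown above, verifies the '\;' escaping rule for a PKCS11 URI, and flags variables that keep a secret in plaintext in the file. Treating the four variables set in both examples as the required set, and skipping '#' comment lines, are assumptions; the function names are hypothetical.

```python
import re

# Assumption: the four variables set in both example files are the required set.
REQUIRED = ("statedir", "signingkey", "issuercert", "certserial")
# Variables shown on this page whose values are secrets stored in plaintext.
SECRETS = ("signingkey_password", "SWTPM_PKCS11_PIN")

# Sample input: the PKCS11 example from this page, embedded so the check runs offline.
SAMPLE = r"""
statedir = /var/lib/swtpm-localca
signingkey = pkcs11:model=SoftHSM%20v2\;manufacturer=SoftHSM%20project\;serial=891b99c169e41301\;token=mylabel\;id=%00\;object=mykey\;type=public
issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
certserial = /var/lib/swtpm-localca/certserial
SWTPM_PKCS11_PIN = 1234
"""


def parse_conf(text):
    """Parse 'name = value' lines into a dict of raw (still escaped) values."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: blank lines and '#' comment lines are skipped.
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # the URI itself contains '='
        conf[name.strip()] = value.strip()
    return conf


def pkcs11_uri(conf):
    """Return the signing key URI with the '\\;' escapes undone."""
    return conf["signingkey"].replace("\\;", ";")


def lint(text):
    """Return a list of findings for the text of one configuration file."""
    conf = parse_conf(text)
    findings = [f"missing required variable: {n}" for n in REQUIRED if not conf.get(n)]
    key = conf.get("signingkey", "")
    # A ';' not preceded by a backslash breaks the escaping rule for PKCS11 URIs.
    if key.startswith("pkcs11:") and re.search(r"(?<!\\);", key):
        findings.append("signingkey: unescaped ';' in PKCS11 URI")
    for name in SECRETS:
        if name in conf:
            findings.append(f"{name}: plaintext secret; check file mode and ownership")
    return findings
```

Calling lint() on the text of /etc/swtpm-localca.conf returns an empty list when nothing is flagged.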

See Also

swtpm-localca

Reporting Bugs

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>

Info

2017-11-13 swtpm