Topic: Get endorsement key embedded into a certificate

I'm a newbie in TPM development (using wolfTPM) but I have already some tricky questions :

- is that true that each TMP has its own builtin asymmetric (endorsement) key ? (let's assume yes)
- is it a RSA or a ECC key ? (or one of each)
- is it possible to get the public part of the key ?
- is it possible to get this public key embedded in a certificate ?
  (I didn't find any function in the API to do that)
- if it is possible, which CA certificate signs it ?
- is there a certificate chain ending to the TPM's one ?
  (then what is the auto-signed certificate at the top of this chain ?)

Thanks in advance !


Re: Get endorsement key embedded into a certificate

Hi ZLam,

Thanks for your questions. Can you tell me where you are located and more about your project?

The TPM has endorsements key(s) and certificate(s) provisioned by the manufacture. See: … ished-pdf/

It varies by manufacture, but it is typically ECC and RSA. There is a place in NV to get the signed certificate elements. We support using the endorsement key for a few things in wolfTPM: … edential.c

We will soon be adding support for extracting the EK certificate(s) as well.

You can see some of the EK certificate support in the IBM TSS stack here: … /ekutils.c

David Garske, wolfSSL