3.1.1.4.3.4.1 EK Attestation (Authority and Subject)
The client MUST locally generate a symmetric key and MUST use it to encrypt the Client_HardwareKeyInfo ADM element in the request. The client MUST then encrypt the symmetric key by using the public key from the retrieved CA exchange certificate. The encrypted symmetric key MUST then be included in a certificate request, as specified in section 3.1.1.4.3.4.