3.2.2.6.2.1.2.5.1 Processing Rules for Key Attestation Based on Certificates

The CA MUST follow the processing rules for key attestation as outlined in section 3.2.2.6.2.1.2.5 and below in order to perform key attestation based on trusted certificates (EKCerts or AIKCerts).

  1. The CA SHOULD verify that there are a maximum of 4 trust module certificates in the Request.

  2. The CA MUST check that any one of the certificates in the request meets the following criteria:

    • It is a valid certificate according to [RFC5280].

    • Its public key matches the trust module public key in the request.

    • It chains up to a trusted root [RFC5280] in the Endorsement Root store using the Endorsement CA store for intermediate CA certificates.

    • If revocation information is available in the certificate, it must be validated for revocation.

    • If the request contains the szOID_ENROLL_AIK_INFO attribute, the CA MUST also verify the following on the certificate:

      • It contains the szOID_KP_TPM_AIK_CERTIFICATE (2.23.133.8.3) EKU OID.

      • Its certificate chain is valid for the szOID_KP_TPM_AIK_CERTIFICATE EKU OID.

  3. If successful, the CA MUST store the SHA2 hash of the valid trust module certificate as a hexadecimal string with no spaces in the EndorsementCertificateHash column of the Request table ([MS-CSRA] section 3.1.1.1.2), and the CA MUST set the CR_FLG_TRUSTEKCERT flag in the Request_Request_Flags column to indicate that key attestation succeeded while processing a trusted certificate.