Summary
Creates an HP Secure Platform Management payload to provision a Key Endorsement key
Syntax
New-HPSecurePlatformEndorsementKeyProvisioningPayload [-EndorsementKeyFile] <FileInfo> [[-EndorsementKeyPassword] <String>] [[-BIOSPassword] <String>] [[-OutputFile] <FileInfo>] [<CommonParameters>]
New-HPSecurePlatformEndorsementKeyProvisioningPayload [-EndorsementKeyCertificate] <X509Certificate2> [[-BIOSPassword] <String>] [[-OutputFile] <FileInfo>] [<CommonParameters>]
New-HPSecurePlatformEndorsementKeyProvisioningPayload [[-BIOSPassword] <String>] [-RemoteEndorsementKeyID] <String> [-RemoteSigningServiceURL] <String> [[-CacheAccessToken]] [<CommonParameters>]
Description
This command creates an HP Secure Platform Management payload to provision a Key Endorsement key. The purpose of the endorsement key is to protect the signing key against unauthorized changes. Only holders of the key endorsement private key may change the signing key.
There are three endorsement options to choose from: - Endorsement Key File (and Password) using -EndorsementKeyFile and -EndorsementKeyPassword parameters - Endorsement Key Certificate using -EndorsementKeyCertificate parameter - Remote Endorsement using -RemoteEndorsementKeyID and -RemoteSigningServiceURL parameters
Please note that using a Key File with Password in PFX format is recommended over using an X509 Certificate object because a private key in a certificate is not password protected.
This command writes the created payload to the pipeline or to the file specified in the OutputFile parameter. This payload can then be passed to the Set-HPSecurePlatformPayload command.
Security note: Payloads should only be created on secure servers. Once created, the payload may be transferred to a client and applied via the Set-HPSecurePlatformPayload command. Creating the payload and passing it to the Set-HPSecurePlatformPayload command via the pipeline is not a recommended production pattern.
Parameters
| Name | Argument | Description |
|---|---|---|
| EndorsementKeyFile | <FileInfo> | Specifies the Key Endorsement key certificate as a PFX (PKCS #12) file |
| EndorsementKeyPassword | <String> | Specifies the password for the Endorsement Key PFX file. If no password was used when the PFX was created (not recommended), this parameter may be omitted. |
| EndorsementKeyCertificate | <X509Certificate2> | Specifies the endorsement key certificate as an X509Certificate object |
| BIOSPassword | <String> | Specifies the BIOS setup password, if any. Note that the password will be in the clear in the generated payload. |
| OutputFile | <FileInfo> | Specifies the file to write output to instead of writing the output to the pipeline |
| RemoteEndorsementKeyID | <String> | Specifies the Endorsement Key ID to be used |
| RemoteSigningServiceURL | <String> | Specifies the Key Management Services (KMS) server URL (I.e.: https:// |
| CacheAccessToken | If specified, the access token is cached in msalcache.dat file and user credentials will not be asked again until the credentials expire. This parameter should be specified for caching the access token when performing multiple operations on the KMS server. If access token is not cached, the user must re-enter credentials on each call of this command. |
Notes
The Key Endorsement private key must never leave a secure server. The payload must be created on a secure server, then may be transferred to a client.
- Requires HP BIOS with Secure Platform Management support.
Examples
PS C:\> $payload = New-HPSecurePlatformEndorsementKeyProvisioningPayload -EndorsementKeyFile "$path\endorsement_key.pfx"
PS C:\> ...
PS C:\> $payload | Set-HPSecurePlatformPayload