How to convert ek.pub for enrolling Azure IoT via TPM RRS feed

  • Question

  • I can successfully create TPM EK with tpm2_getpubek -H 0x81010000 -g 0x01 -f ek.pub

    I used command #base64 ek.pub then copy the output to enroll to Azure IoT.
    but it show the endorsement key is invalid. as following

    {"message":"BadRequest:{\r\n \"errorCode\": 400004,\r\n \"trackingId\": \"3778640d-0ac1-413f-b2de-2f4bcf937ec2\",\r\n \"message\": \"Endorsement key is invalid, or does not match the Enrollment.\",\r\n \"timestampUtc\": \"2020-03-10T15:08:16.429478Z\"\r\n}"}


    Tuesday, March 10, 2020 3:09 PM

All replies

  • Hello Randy,

    Thanks for joining MSDN and ask your question here! 

    Can you please detail better the documentation you are following?


    Wednesday, March 11, 2020 5:12 PM
  • Hello Randy,

    Please can you share with us more details of your issue so we can try to repro it?

    Thank you!

    Friday, March 13, 2020 10:14 AM
  • Thanks Freya for sharing. Also here good documentation with some illustrations to help understand the process:


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer so that other customers can benefit from it.

    Monday, March 16, 2020 9:17 AM
  • Hi Antonio,

    Sorry for the late reply,

    by the way, I didn't receiver an alarm via mail, wouldn't this system alarm? 

    I follow this doc for An Individual enrollment by TPM


    I can enroll successfully with endorsement key ID which gets by use Azure iot sdk on Raspberry Pi:https://github.com/Azure/azure-iot-sdk-c

    but now I have not enough space to install SDK. 

    so I use tpm2-tool to get ek.pub and  use base64 to convert ek.pub to enroll,

    but it shows the endorsement key is invalid.

    so how should I convert the ek.pub from TPM to enroll to Azure IoT?


    Wednesday, March 18, 2020 6:52 AM
  • Hello Randy,

    Thank you for adding more details of your current environment. I would also need the following details to help you better:

    1) Are you using TPM Simulator or Real TPM (like the Infineon OPTIGA™ TPM SLx 9670) together with your Raspberry Pi?

    2) What is the OS being used?

    See also how to "Read cryptographic keys from the TPM device" .

    Thank you!

    Friday, March 20, 2020 11:09 AM
  • Hi again,


     I didn't receiver an alarm via mail, wouldn't this system alarm? 

    It should send an email, I believe you need to validate your account first.


    Friday, March 20, 2020 12:20 PM
  • Hello Antonio,

    Here is my reply for your reference:

    1) I'm using Real TPM the Infineon SLB9670

    2) The OS is Raspbian and kernel 4.4.22+

    otherwise, the TPM ek.pub I got via Azure IoT SDK:


    and the TPM ek.pub I got by tpm2-tools:


    How to convert it to enroll Azure IoT ?

    Have a nice day!

    Monday, March 23, 2020 12:21 PM
  • Thanks for providing some more details Randy.

    When looking at the source code of Azure IOT SDK C, this is the tool responsible to create your ek.pub:


    There you can see that the module used to encode the key is Azure_Base64_Encode

    "This module is used to encode a BUFFER using the standard base64 encoding stream."

    Reference: IETF RFC 4648

    I am not familiar with how tpm2-tools encodes the key, though please can you validate that it follows the same standard (IETF RFC 4648)?

    For further troubleshooting my recommendation is that you file a new issue under azure iot sdk C and reference this MSDN thread for follow-up.

    Another interesting troubleshooting step that you can share with us, is to look at the key value when using Azure IOT SDK (reg_info.endorsement_key) before it is encoded to base64 and compare both.

    Thank you! 

    Monday, March 23, 2020 4:12 PM
  • Hi Antonio,

    The type of reg_info.endorsement_key is BUFFER_HANDLE.

    I don't know how to print out it.

    I check the base64 encoding I use is RFC 4648.


    Randy Wang

    Thursday, March 26, 2020 12:00 PM
  • Thank you Randy,

    Let me circle back with Azure IoT Team on any other steps done by the SDK besides what shared so far. If you opened an issue on the azure iot sdk github repo can you share the link?


    Monday, March 30, 2020 4:02 PM
  • Hello Randy,

    Can I kindly request that you open a new Bug Report under azure iot sdk c : https://github.com/Azure/azure-iot-sdk-c/issues/new/choose

    Adding all the details, including exact commands and function calls used to achieve the result you got? We will have a team dedicated to try and reproduce your scenario.

    Please share the link here when you do so.

    Thank you so much for your time in advance!

    Wednesday, April 8, 2020 6:35 PM
  • Hi Antonio,

    here you are.


    Thank you!!

    Randy Wang

    Friday, April 10, 2020 1:38 PM
  • Hello Randy,

    Could you please validate that your issue was resolved here: https://github.com/Azure/azure-iot-sdk-c/issues/1502 ?

    Thank you!

    Tuesday, April 28, 2020 11:51 AM