A method and system for ensuring security-compliant creation and
certificate generation for endorsement keys of manufactured TPMs. The
endorsement keys are generated by the TPM manufacturer and stored within
the TPM. The TPM manufacturer also creates a signing key pair and
associated signing key certificate. The signing key pair is also stored
within the TPM, while the certificate is provided to the OEM's credential
server. During the endorsement key (EK) credential process, the TPM
generates a signed endorsement key, which comprises the public
endorsement key signed with the public signing key. The credential server
matches the public signing key that accompanies the signed endorsement
key against the public signing key in the certificate it received. The
EK certificate is generated and inserted into the TPM only when that
match is confirmed.
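The provisioning and matching flow described above, as an added Go example that is not part of the patent or of any TPM vendor's code. It assumes P-256 ECDSA keys, a self-signed X.509 certificate as the signing-key certificate, signing with the private half of the signing key pair (as any digital signature requires), and a signature check on top of the key match; generating the EK certificate after a successful match is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
)
type TPM struct{ EK, Signing *ecdsa.PrivateKey }       // keys the manufacturer stores in the part (constructed model)
type SignedEK struct{ EKPub, SigningPub, Sig []byte } // DER public EK, signature over it, DER signing public key

// Manufacture creates both key pairs and the self-signed signing-key certificate
// (DER) that the manufacturer delivers to the OEM credential server.
func Manufacture() (*TPM, []byte, error) {
	ek, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sk, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &sk.PublicKey, sk)
	return &TPM{EK: ek, Signing: sk}, certDER, err
}

// SignEK runs inside the TPM: sign SHA-256 of the public EK with the signing key.
func (t *TPM) SignEK() (SignedEK, error) {
	ekPub, _ := x509.MarshalPKIXPublicKey(&t.EK.PublicKey)
	sPub, _ := x509.MarshalPKIXPublicKey(&t.Signing.PublicKey)
	h := sha256.Sum256(ekPub)
	sig, err := ecdsa.SignASN1(rand.Reader, t.Signing, h[:])
	return SignedEK{EKPub: ekPub, SigningPub: sPub, Sig: sig}, err
}

// MatchSignedEK is the credential server's gate: the signing public key sent with
// the EK must equal the certificate's, and the signature must verify under it.
func MatchSignedEK(signingCert *x509.Certificate, req SignedEK) error {
	if !bytes.Equal(signingCert.RawSubjectPublicKeyInfo, req.SigningPub) {
		return errors.New("signing key in request does not match certificate")
	}
	pub, ok := signingCert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(req.EKPub)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], req.Sig) {
		return errors.New("signature over EK does not verify")
	}
	return nil
}
```

Only when MatchSignedEK returns nil would the server go on to generate the EK certificate for that part.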