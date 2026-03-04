TPM Certificates
The switch tray comes pre-provisioned by Nvidia with the IAK – Initial Attestation Key. This key’s private key lies in the TPM and is used for signing remote attestation quotes.
The certificate format of the IAK is compliant with the TCG TPM2.0 Keys for Device Identity and Attestation.
Key terminology:
Key
Description
Certified by
Remarks
L1
Nvidia Identity Root CA
Itself, Root
A common root-CA stored and managed by the ISS ORCA service.
L2
TPM Identity ICA
L1
Stored in ISS DLM within the NV HQ.
L3
Provisioning facility ICA
L2
Provisioning entity that directly certifies and provisions the device identity certificates. Multiple instances exist for each manufacturing facility.
L4-IAK
Initial Attestation Key
L3
Derived from the Endorsement Hierarchy. Used to sign attestation quotes.
EK
Endorsement Key
TPM Manufacturer
Derived from the Endorsement Hierarchy can only decrypt. Used to prove TPM ownership.