Closed DCMMC closed 2 years ago
As described in README.md, the DCAP service is a reference implementation of data center attestation service. It is an infrastructure for the datacenter and cloud (private or public), who I think should maintain the DCAP certificate chain. The credentials under keys/ are for demonstration and should not be used in production.
I'm going to deploy DCAP and there are some keys pre-generated by Teaclave:
I could obtain the PCK (Provisioning Certification Key) certificate from Intel PCS (Provisioning Certification Service). But how can I generate the DCAP server certificate and key files which are signed by the PCK? From documents provided by Intel, it seems that I can obtain the Attestation Key from the PCE (Provisioning Certification Enclave) through the CertifyKey API. Could you please give us a simple demo of how we can generate the certificate and the key? Thanks a lot.
BTW, I found that dcap_root_ca_cert.pem is a self-signed Root CA by Teaclave. So are both dcap_server_key.pem and dcap_server_cert.pem signed by this dcap_root_ca_cert.pem instead of Intel's trusted Root CA? I guess this can only be used for test purposes. And it is an invalid certificate chain anchored by Intel's Root CA as shown in step 4 in the figure below.