One last attempt...wondering if AK needs to be loaded in this case
Thread 1 in client .. creates EK and AK and sends to server
Server creates credential externally sends secret and credential blob
Thread 2 in client - Calls ActivateCredential (it has access to the global ESYS_CONTEXT structures, ak_handles and ek_handles that thread 1 created)

Question: Are AK keys still present in the TPM? Will the ESAPI structures still work even after a few seconds or are they flushed?
I'm trying to understand why if I run all these methods in a single thread, it works!


On Fri, Mar 13, 2020 at 10:22 AM Rahul Hardikar <> wrote:
Any idea folks?

On Thu, Mar 12, 2020 at 5:52 PM Rahul Hardikar <> wrote:
I noticed the same changes when it's run as a single process, the remote attestation method works, the moment I move the make external credential part to the server I hit this issue.
Wondering what could go wrong? Do the AK keys get flushed out?
On the client side, I have the EKCERT and EK and AK keys loaded in the tpm2. I save the handle of EK and AK for future use when I receive the credential blob and secret, so basically I fork out a thread to send the data (and create EK/AK) and then fork another thread to handle the receive part, but EK/AK handles are global and saved and no other process touches the TPM!

Why would I get 0x2c4 in Esys_ActivateCredential() but it works perfectly fine when everything is run as one thread?


On Tue, Mar 10, 2020 at 4:22 PM Rahul Hardikar <> wrote:
Thanks Bill.
Wondering why this would fail. The external make credential API I have taken from tss2 GitHub only, why would secret fail? When I ran all of this locally it worked, the moment I moved the make external credential to the server I'm hitting this?
Can it be because of OpenSSL 1.1.0 required in tss2 and 1.0.2 version running on my server?

On Tue, Mar 10, 2020 at 3:36 PM Roberts, William C <> wrote:
The error codes encode a bunch of values, so you won't see that value via a straight grep.

But you can use tpm2_rc_decode from the tpm2-tools project, like so:
$ tpm2_rc_decode 0x2c4
tpm:parameter(2):value is out of range or is not correct for the context

See the tools project:

Note that the commands specification will show you what parameter 2 is:

Everything after the triple line starts the parameters starting at index 1.
So in this case the secret parameter is wrong.

Note that since TSS version 2.3.0 a software library was also added
for converting these return codes to more human understandable strings.
The header file is here:

and then you just link against lib tss2-rc, just in case you needed this built into
your program.


> -----Original Message-----
> From: Rahul Hardikar []
> Sent: Tuesday, March 10, 2020 5:02 PM
> To:
> Subject: [tpm2] ESys_ActivateCredential
> Hi All,
> What does it mean when Esys_ActivateCredential returns 0x2c4? I don't see this
> error defined anywhere.
> Thanks,
> Rahul
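
Added example (not part of the thread, and not code from tpm2-tools or tpm2-tss): a hand decoder for the bit fields of a TPM 2.0 "format one" response code, showing why 0x2c4 cannot be found with a plain grep and how it breaks down to parameter 2 with the "value" error. The struct, enum and function names are hypothetical; the bit positions are assumed from the TPM 2.0 response code layout.

```c
/* Added example: decode a TPM 2.0 "format one" response code by hand.
 * All names here are hypothetical; this is not the tss2-rc API. */
#include <stdint.h>
#include <stdio.h>

enum rc_subject { RC_NOT_FMT1, RC_HANDLE, RC_SESSION, RC_PARAMETER };

struct rc_fmt1 {
    unsigned layer;          /* bits 23:16, 0 means the TPM itself */
    enum rc_subject subject; /* what the error refers to */
    unsigned index;          /* 1-based handle/session/parameter number */
    unsigned error;          /* bits 5:0, e.g. 0x04 is the "value" error */
};

struct rc_fmt1 decode_rc(uint32_t rc)
{
    struct rc_fmt1 d = { (rc >> 16) & 0xff, RC_NOT_FMT1, 0, 0 };
    unsigned n = (rc >> 8) & 0xf;      /* bits 11:8, the N field */

    if (!(rc & 0x080))                 /* bit 7 clear: not format one */
        return d;
    d.error = rc & 0x3f;
    if (rc & 0x040) {                  /* bit 6 (P) set: parameter N */
        d.subject = RC_PARAMETER;
        d.index = n;
    } else if (n & 0x8) {              /* bit 11 set: session N-8 */
        d.subject = RC_SESSION;
        d.index = n & 0x7;
    } else {                           /* otherwise: handle N */
        d.subject = RC_HANDLE;
        d.index = n;
    }
    return d;
}

int main(void)
{
    static const char *names[] = { "not-fmt1", "handle", "session", "parameter" };
    struct rc_fmt1 d = decode_rc(0x2c4);   /* value from the thread */

    printf("layer %u: %s(%u): error 0x%02x\n",
           d.layer, names[d.subject], d.index, d.error);
    return 0;
}
```

For 0x2c4 this yields layer 0 (the TPM), parameter 2, error 0x04, which matches the tpm2_rc_decode output quoted in the thread.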