About tpm2_getekcertificate, I executed it agains https://ekop.intel.com/ekcert (hope it is the correct one):

tpm2_createek -G rsa -u ek.pub -c key.ctx
tpm2_getekcertificate -X -o ECcert.bin -u ek.pub https://ekop.intel.com/ekcert

Output:

WARN: TLS communication with the said TPM manufacturer server setup with SSL_NO_VERIFY!
ERROR: Cannot proceed. For further information please refer to: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html. Recovery tools are located here:https://github.com/intel/INTEL-SA-00086-Linux-Recovery-Tools
ERROR: Unable to run tpm2_getekcertificate

Is that expected?