Hi, I create an EK and AK using tpm2_createek, tpm2_createak and tpm2_evictcontrol to persist the AK in 0x81010002. The I use the following command with DigiCert's CMPv2 server: openssl cmp -config /opt/sdk/openssl/current/ssl/openssl.cnf -provider tpm2 -provider default -propquery ?provider=tpm2,tpm2.digest!=yes -cmd ir -server https://demo.one.digicert.com/iot/api/v1/cmp/IOT_1234 -ref 1234 -secret pass:1234 -recipient "/CN=mode51.software" -key handle:0x81010002 -subject "/CN=TestTest" -cacertsout ./capubs.pem -certout ./cl_cert.pem -tls_used -verbosity 8 I get the following error: DIGEST NEW DIGEST INIT DIGEST UPDATE DIGEST DUP DIGEST FINAL DIGEST FREE DIGEST NEW DIGEST INIT DIGEST UPDATE DIGEST NEW DIGEST INIT DIGEST UPDATE DIGEST DUP WARNING:esys:src/tss2-esys/api/Esys_ContextLoad.c:279:Esys_ContextLoad_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x00000902) DIGEST FREE DIGEST FREE DIGEST FREE CMP DEBUG: disconnected from CMP server *CMP error: cannot duplicate context:2306 tpm:warn(2.0): out of memory for object contexts* CMP error: not able to copy ctx CMP error: internal error CMP error: error sending CMP error: shutdown while in init CMP error: transfer error:request sent: IR, expected response: IP RSA FREE RAND FREE RAND FREE RAND FREE PROVIDER TEARDOWN I've tried tpm2_flushcontext -t. I recompiled tpm2-openssl with the following option and that appears to have worked around the issue: --disable-op-digest Is this what "?provider=tpm2,tpm2.digest!=yes" should effectively do? -- Chris Newman https://mode51.software @mode51software mode51 Software Ltd is registered in England and Wales Company Number 13007792 Registered Office 3 Orchard Way, CB24 1AG, UK GPG Encryption key