- manifest-ca: contains the private key and self-signed certificate for the rootCA
  that is used to sign product manifest certificates. A product manifest keypair and
  certificate are used to sign and verify the manifest yaml file for a product.

- manifest: contains a sample private key and signed certificate for a product's
  manifest. The certificate is signed by the manifestCA, establishing a chain of
  trust. The product's uuid is included into the CN of the certificate. The
  private key is used to sign the product's manifest and the certificate is
  used to verify it.

- tpmpol-admin: contains keypair and certificate used to sign and verify
  TPM EA Policy. This particular policy is used for access to the TPM Password
  stored in a TPM nvindex.

- tpmpol-luks: contains the keypair and certificate used to sign and verify
  TPM EA Policy. This particular policy is used for access to the LUKS
  secret stored in a TPM nvindex.

- uefi-db: contains the keypair, guid, and certificate to sign and verify
  UEFI applications. The certificate is stored in the UEFI DB.

- uefi-pk: contains keypair, guid and cert for UEFI platform key.

- uefi-kek: contains keypair, guid, and cert for UEFI Key Exchange Key.

- uki-limited: contains the keypair, guid, and certificate to sign and verify
  UKIs signed with the "limited" key. This key signs and verifies special
  purpose UKIs and UEFI binaries. It does not grant privileged access to the
  TPm secret nor the LUKS secret.

- uki-production: contains the keypair, guid, and certificate to sign and
  verify UKIs signed with the "production" key. This is the standard kernel signing
  key which protects the LUKS secret.

- uki-tpm: contains the keypair, guid, and certificate to sign and verify UKIs
  signed with the "tpm" key. A UKI signed with the "tpm" key permit access to
  the TPM password for administration.