mkkeys.sh
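#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Licensed under the terms of the GPL v3
#
# mkkeys.sh - generate a set of UEFI Secure Boot keys (PK, KEK, DB) in the
# current directory:
#   <KEY>.key / <KEY>.crt  RSA-2048 private key and self-signed PEM cert
#   <KEY>.cer              the same cert in DER form (for firmware key managers)
#   <KEY>.esl              EFI signature list built from the cert
#   <KEY>.auth             the signature list signed for enrollment
#   noPK.esl / noPK.auth   an empty list signed with the PK
#   myGUID.txt             the owner GUID embedded in every signature list
# Requires openssl, the efitools utilities cert-to-efi-sig-list and
# sign-efi-sig-list, and GNU date; uuidgen or python for the GUID.
# Reads the Common Name from stdin; writes diagnostics to stderr.

set -euo pipefail

# Print an error and exit; used so a failed step never leaves a half-built,
# inconsistent key set that a later step would then sign.
die() { printf 'mkkeys: %s\n' "$*" >&2; exit 1; }

for tool in openssl cert-to-efi-sig-list sign-efi-sig-list date; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Private keys must never be readable by other users, even briefly: set the
# umask before openssl creates them rather than relying on a chmod afterwards.
umask 077

printf 'Enter a Common Name to embed in the keys: '
read -r NAME
[[ -n "$NAME" ]] || die "Common Name must not be empty"
# '/' separates components in an openssl -subj string, so a name containing
# one would alter the certificate subject instead of being embedded in the CN.
[[ "$NAME" != */* ]] || die "Common Name must not contain '/'"

# One self-signed RSA-2048 / SHA-256 certificate per key, valid for ten years,
# plus its DER encoding.
for key in PK KEK DB; do
  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME $key/" \
    -keyout "$key.key" -out "$key.crt" -days 3650 -nodes -sha256
  openssl x509 -in "$key.crt" -out "$key.cer" -outform DER
done

# Owner GUID recorded in every signature list. A random (version 4) UUID
# identifies the owner just as well as a time-based uuid1() and does not
# embed the host's MAC address and clock in the key material.
if command -v uuidgen >/dev/null 2>&1; then
  GUID=$(uuidgen)
elif command -v python3 >/dev/null 2>&1; then
  GUID=$(python3 -c 'import uuid; print(uuid.uuid4())')
else
  GUID=$(python -c 'import uuid; print(uuid.uuid4())')
fi
[[ -n "$GUID" ]] || die "could not generate an owner GUID"
printf '%s\n' "$GUID" > myGUID.txt

for key in PK KEK DB; do
  cert-to-efi-sig-list -g "$GUID" "$key.crt" "$key.esl"
done
# An empty signature list; signed with the PK it becomes noPK.auth, which is
# what firmware key managers accept to remove the PK again.
: > noPK.esl

# sign-efi-sig-list expects the timestamp in this GNU-date format; one value
# is used for every .auth file.
stamp=$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')

# sign_list SIGNER VARIABLE ESL AUTH
# Sign ESL with SIGNER's key/cert for the UEFI variable VARIABLE, writing
# AUTH.  PK, noPK and KEK updates are signed by the PK; the db update by the
# KEK, mirroring the Secure Boot trust chain.
sign_list() {
  local signer=$1 var=$2 esl=$3 auth=$4
  sign-efi-sig-list -t "$stamp" -k "$signer.key" -c "$signer.crt" \
    "$var" "$esl" "$auth"
}
sign_list PK  PK  PK.esl   PK.auth
sign_list PK  PK  noPK.esl noPK.auth
sign_list PK  KEK KEK.esl  KEK.auth
sign_list KEK db  DB.esl   DB.auth

# Belt and braces: the umask already made the keys 0600.
chmod 0600 -- *.key

printf '\n\n'
printf '%s\n' \
  "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB" \
  "flash drive or to your EFI System Partition (ESP)." \
  "For use with most UEFIs' built-in key managers, copy the *.cer files." \
  ""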