Cribbed mostly from this article which didn't work for me initially.
sudo emerge mokutil pesign keyutils
sudo mkdir -p /etc/pki/pegsign
sudo certutil -N -d /etc/pki/pesign
# ( enter a blank password )
sudo efikeygen -d '/etc/pki/pesign' -S -k -c 'CN=Gentoo Key' -n 'Custom Secureboot'
mkdir -p ~/efi/certs
sudo certutil -d /etc/pki/pesign -n 'Custom Secureboot' -Lr > ~/efi/certs/sb_cert.cer
sudo mokutil --import efi/certs/sb_cert.cer
# ( enter a real password )
sudo reboot ; exit
# ( MOK shim utility will boot. press a key before 10 seconds. )
# select Enroll MOK, then View Key (probably "view key 0"), verify this looks correct.
# press any key to continue, then select "Continue".
# select "Reboot".
# boot back into Gentoo