RidgeRun Platform Security Manual/Getting Started/Secure Boot: Difference between revisions

RidgeRun Platform Security Manual/Getting Started/Secure Boot (view source)

Revision as of 14:50, 6 March 2025

3,607 bytes added , 6 March

→‎Generate RSA key pairs, certificates and EFI signature list File

Chidalgo

130

edits

❯

@@ Line 131: / Line 131: @@
 openssl req -newkey rsa:2048 -nodes -keyout KEK.key  -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
 </syntaxhighlight>
+* -newkey rsa:2048: new RSA private key with a key length of 2048 bits.
+* -nodes: Tells openssl not to encrypt the private key.
+* -keyout KEK.key: This specifies the output file for the private key, named KEK.key.
+* -new: Creates a new certificate signing request (in this case, used to create a self signed certificate).
+* -x509: tells openssl to generate a self-signed X.509 certificate instead of a CSR (Certificate Signing Request).
+* -sha256: This specifies the SHA-256 hash algorithm for the certificate's signature.
+* -days 3650: Sets the validity period of the certificate to 3650 days (10 years).
+* -subj "/CN= Key Exchange Key/": Sets the subject of the certificate, which contains information about the certificate's owner.
+* -out KEK.crt: This specifies the output file for the certificate, named KEK.crt
 <syntaxhighlight lang="bash">
 cert-to-efi-sig-list -g "${GUID}" KEK.crt KEK.esl
 </syntaxhighlight>
+* -g "${GUID}": Specifies the GUID (Globally Unique Identifier) that will be associated with the signature list. GUIDs are used to identify different types of signatures and policies in UEFI Secure Boot.
+* KEK.crt: This is the input file, which is the X.509 certificate that you want to convert.
+* KEK.esl: This is the output file, which will be the EFI signature list. The .esl extension is commonly used for EFI signature lists.
 Generate the db_1 and db_2 RSA Key Pair, Certificate, and EFI Signature List File
 * db_1:
-{{review|Same here. Please, collapse the commands in a single block. Additionally, Can you detail every option? There are some that seem customisable, like days, subj|lleon}}
 <syntaxhighlight lang="bash">
 openssl req -newkey rsa:2048 -nodes -keyout db_1.key  -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db_1.crt
 </syntaxhighlight>
+* -newkey rsa:2048: new RSA private key with a key length of 2048 bits.
+* -nodes: Tells openssl not to encrypt the private key.
+* -keyout db_1.key: This specifies the output file for the private key, named db_1.key.
+* -new: Creates a new certificate signing request (in this case, used to create a self signed certificate).
+* -x509: tells openssl to generate a self-signed X.509 certificate instead of a CSR (Certificate Signing Request).
+* -sha256: This specifies the SHA-256 hash algorithm for the certificate's signature.
+* -days 3650: Sets the validity period of the certificate to 3650 days (10 years).
+* -subj "/CN= My Signature Database/": Sets the subject of the certificate, which contains information about the certificate's owner.
+* -out db_1.crt: This specifies the output file for the certificate, named db_1.crt
 <syntaxhighlight lang="bash>
 cert-to-efi-sig-list -g "${GUID}" db_1.crt db_1.esl
 </syntaxhighlight>
+* -g "${GUID}": Specifies the GUID (Globally Unique Identifier) that will be associated with the signature list. GUIDs are used to identify different types of signatures and policies in UEFI Secure Boot.
+* db_1.crt: This is the input file, which is the X.509 certificate that you want to convert.
+* db_1.esl: This is the output file, which will be the EFI signature list. The .esl extension is commonly used for EFI signature lists.
 * db_2
@@ Line 155: / Line 181: @@
 openssl req -newkey rsa:2048 -nodes -keyout db_2.key  -new -x509 -sha256 -days 3650 -subj "/CN=my another Signature Database key/" -out db_2.crt
 </syntaxhighlight>
+* -newkey rsa:2048: new RSA private key with a key length of 2048 bits.
+* -nodes: Tells openssl not to encrypt the private key.
+* -keyout db_2.key: This specifies the output file for the private key, named db_2.key.
+* -new: Creates a new certificate signing request (in this case, used to create a self signed certificate).
+* -x509: tells openssl to generate a self-signed X.509 certificate instead of a CSR (Certificate Signing Request).
+* -sha256: This specifies the SHA-256 hash algorithm for the certificate's signature.
+* -days 3650: Sets the validity period of the certificate to 3650 days (10 years).
+* -subj "/CN= My another Signature Database/": Sets the subject of the certificate, which contains information about the certificate's owner.
+* -out db_2.crt: This specifies the output file for the certificate, named db_2.crt
 <syntaxhighlight lang="bash>
 cert-to-efi-sig-list -g "${GUID}" db_2.crt db_2.esl
 </syntaxhighlight>
+* -g "${GUID}": Specifies the GUID (Globally Unique Identifier) that will be associated with the signature list. GUIDs are used to identify different types of signatures and policies in UEFI Secure Boot.
+* db_2.crt: This is the input file, which is the X.509 certificate that you want to convert.
+* db_2.esl: This is the output file, which will be the EFI signature list. The .esl extension is commonly used for EFI signature lists.
 Output should look like the following: