On Sun, 25 Oct 2020 06:20:16 -0500
Richard Shaw <hobbes1069@xxxxxxxxx> wrote:

> I'm following the directions here[1] on building a custom kernel to
> test some patches[2] related to suspend[3] on my new HP ENVY X360 AMD
> laptop without S3 support.
>
> The directions could be updated to include which commands need to be
> run as root, however, my problem is at this step:
>
> """
> Create a PKCS #12 key file:
>
> openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
> """
>
> # openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
> unable to load certificates
>
> Both files are in the current directory...
>
> Thanks,
> Richard
>
> [1]
> https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/#_secure_boot
> [2] https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_671110
> [3] https://gitlab.freedesktop.org/drm/amd/-/issues/1230

It's been a while since I did this, so it might have changed, but these
are the steps I went through to create the signing keys. It should at
least give you some hints, if nothing else. A lot of work.

The configuration file needed for openssl to create the keys.

cat configuration_file.config
"""
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
"""

Creating the public and private key.

openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config ./configuration_file.config -outform DER -out public_key.der -keyout private_key.priv

Alternate form, haven't tried yet:

openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc -out cert.pem -nodes -days 666 -subj "/CN=$USER/"

Telling mok that on next boot, use root password to import key into its
database.

mokutil -P --import public_key.der

Converting der to pem using openssl.

openssl x509 -inform DER -in public_key.der -outform PEM -out public_key.pem

Convert the private key and pem certificate to a pk12 structure.

openssl pkcs12 -export -out kernel_key.p12 -inkey public_key.pem -in xyz_cert.x509.pem

# openssl pkcs12 -export -inkey private_key.priv -in public_key.pem -name kernel_cert -out kernel_cert.p12
Enter Export Password:
Verifying - Enter Export Password:

# Import pkcs12 file into pesign db
# pk12util -i kernel_cert.p12 -d /etc/pki/pesign
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: Organization signing key - Organization
pk12util: PKCS12 IMPORT SUCCESSFUL
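Added example, not part of either message or of the Fedora documentation: the reply converts the DER certificate to PEM before the pkcs12 export, and `openssl pkcs12 -export` in OpenSSL 1.1.1 reads its `-in` certificate as PEM. The sketch below accepts either encoding, refuses to package a private key that does not belong to the certificate, and then exports the bundle. The function names, the 2048-bit key size and the password argument are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: file roles follow the reply above; function names, the
# 2048-bit key and the caller-supplied export password are assumptions.

# Key pair plus self-signed DER certificate, using the reply's config fields.
gen_keypair() {  # $1 = private key out, $2 = DER certificate out
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
        -config "$cfg" -outform DER -out "$2" -keyout "$1" 2>/dev/null
    rc=$?; rm -f "$cfg"; return "$rc"
}

# Write a PEM copy of a certificate whether the input is PEM or DER.
cert_to_pem() {  # $1 = certificate in, $2 = PEM out
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# Succeeds only when the private key belongs to the certificate.
key_matches_cert() {  # $1 = private key, $2 = PEM certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Normalise the certificate, check the pair, then export the bundle.
make_p12() {  # $1 = key, $2 = cert (PEM or DER), $3 = p12 out, $4 = password
    pem=$(mktemp) || return 1
    cert_to_pem "$2" "$pem" && key_matches_cert "$1" "$pem" &&
        openssl pkcs12 -export -inkey "$1" -in "$pem" -name kernel_cert \
            -out "$3" -passout "pass:$4"
    rc=$?; rm -f "$pem"; return "$rc"
}
```

With the reply's file names the call would be `make_p12 private_key.priv public_key.der kernel_cert.p12 "$password"`; the resulting file is what the `pk12util -i` step imports.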