On Thu, 29 Oct 2020 12:13:03 -0500
Richard Shaw <hobbes1069@xxxxxxxxx> wrote:

> On Sun, Oct 25, 2020 at 3:50 PM stan via devel <
> devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Convert the private key and pem certificate to a pk12 structure.
> > openssl pkcs12 -export -out kernel_key.p12 -inkey public_key.pem -in xyz_cert.x509.pem
> >
>
> Ok, you lost me right here. There is no file xyz_cert.x509.pem file
> to be used with "-in"...

From my history, it appears that the actual command I used was this:

openssl pkcs12 -export -inkey private_key2.priv -in public_key2.pem -name kernel_cert -out kernel_cert2.p12

So, I actually replaced the xyz_cert.x509.pem with public_key2.pem. It was probably my second try, thus the 2, as it took me some trial and error to work this out. Thus, you should use the version of keys from your first two commands.

While I'm typing, these are the commands I actually use to sign a kernel. You'll need them once the keys are all distributed properly. Depending on how you build the kernel, the redhat-testing-key might already have signed it, and if you don't have that installed, the kernel won't boot. I have to remove it. Actually, the kernels have been signed twice lately with that test key, so I have to remove both of them.

pesign -S -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64
pesign -r -u 0 -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64 -o /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned
pesign -r -u 0 -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned -o /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2
pesign -S -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2
pesign --certdir /etc/pki/pesign --certificate kernel_cert --in /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2 --out /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed --sign
pesign -S -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed
ls -nZ
cp vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed vmlinuz-5.9.1-300.20201025.fc31.x86_64
ls -nZ
rm vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2
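The strip-and-re-sign sequence from the message above, generalized to any number of existing signatures, as an added example that is not part of the original message. The function name resign_kernel, the NSIGS argument and the .orig backup copy are assumptions made for this example; the pesign options, the kernel_cert nickname and /etc/pki/pesign are the ones the message uses.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes pesign is installed and
# the certificate was imported under the nickname used in the message.

# resign_kernel KERNEL NSIGS [NICKNAME] [CERTDIR]   (hypothetical helper)
# NSIGS is the number of signatures `pesign -S -i KERNEL` lists; the caller
# reads that off the listing, it is not parsed here.
resign_kernel() {
    kernel=$1 nsigs=$2 nick=${3:-kernel_cert} certdir=${4:-/etc/pki/pesign}

    [ -f "$kernel" ] || { echo "no such kernel image: $kernel" >&2; return 1; }
    case $nsigs in
        ''|*[!0-9]*) echo "NSIGS must be a non-negative integer" >&2; return 1 ;;
    esac

    # Work on copies outside /boot so a failed step never touches the real image.
    work=$(mktemp -d) || return 1
    cur=$work/stage0
    cp -- "$kernel" "$cur" || { rm -rf "$work"; return 1; }

    # Remove signature 0 once per existing signature, as the message does twice.
    i=0
    while [ "$i" -lt "$nsigs" ]; do
        i=$((i + 1))
        pesign -r -u 0 -i "$cur" -o "$work/stage$i" || { rm -rf "$work"; return 1; }
        cur=$work/stage$i
    done

    # Sign the stripped image with the local certificate; refuse an empty result.
    pesign --certdir "$certdir" --certificate "$nick" \
           --in "$cur" --out "$work/signed" --sign &&
        [ -s "$work/signed" ] || { rm -rf "$work"; return 1; }

    pesign -S -i "$work/signed"      # list the signatures for review

    # Keep the original (backup name is this example's choice), then copy over
    # the existing file so its owner, mode and SELinux label (what `ls -nZ`
    # shows) stay as they were.
    cp -p -- "$kernel" "$kernel.orig" && cp -- "$work/signed" "$kernel"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Run directly as: sh resign.sh /boot/vmlinuz-<version> 2
if [ "$#" -ge 2 ]; then resign_kernel "$@"; fi
```

Keeping the .orig copy until the re-signed kernel has booted once leaves a fallback if the new signature is not accepted.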