xref: /freebsd/share/examples/uefisign/uefikeys (revision 63d1fd5970ec814904aa0f4580b10a0d302d08b2)
1#!/bin/sh
2#
3# See uefisign(8) manual page for usage instructions.
4#
5# $FreeBSD$
6#
7
8die() {
9	echo "$*" > /dev/stderr
10	exit 1
11}
12
13if [ $# -ne 1 ]; then
14	echo "usage: $0 common-name"
15	exit 1
16fi
17
18certfile="${1}.pem"
19efifile="${1}.cer"
20keyfile="${1}.key"
21# XXX: Set this to ten years; we don't want system to suddenly stop booting
22#      due to certificate expiration.  Better way would be to use Authenticode
23#      Timestamp.  That said, the rumor is UEFI implementations ignore it anyway.
24days="3650"
25subj="/CN=${1}"
26
27[ ! -e "${certfile}" ] || die "${certfile} already exists"
28[ ! -e "${efifile}" ] || die "${efifile} already exists"
29[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
30
31umask 077 || die "umask 077 failed"
32
33openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
34openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
35openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
36
37echo "certificate: ${certfile}; private key: ${keyfile}; certificate to enroll in UEFI: ${efifile}"
38