Certificates can be either self-signed or signed by a certificate authority (CA).
About this task
A public-key certificate contains the public key that is required to validate signatures, as well as information that identifies the subject that owns the private key. For the purposes of Linux® secure boot and module signing, a self-signed certificate is sufficient and is used in the examples that are shown here.
Procedure
- Create a text file named cert-params.conf with the following content:

    [req]
    distinguished_name = subject
    x509_extensions = x509_ext
    prompt = no
    [subject]
    commonName = "<name>"
    emailAddress = "<e-mail>"
    [x509_ext]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    basicConstraints = critical, CA:false
    keyUsage = digitalSignature
    extendedKeyUsage = codeSigning

  This file defines the certificate parameters and the identity information for the new certificate.
- Replace the <name> and <e-mail> placeholders with the actual identity information of the individual or organization that owns the private key.
- Create the certificate.

  You need the identity information that is specified in the configuration file cert-params.conf and the private key private-key.pem. The public key is derived from the private key and embedded in the certificate, which is written to cert.pem. Issue a command like the following example:

    $ openssl req -new -x509 -sha256 -days 365 \
        -config cert-params.conf \
        -key private-key.pem \
        -out cert.pem

  For security reasons, each certificate is assigned an expiration date after which it is no longer considered valid. The certificate that is created in this example is set to expire one year (365 days) after the date of creation.
Results
You can display the contents of the resulting certificate in a textual format by using the following command:

    $ openssl x509 -in cert.pem -text -noout
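The following script is an added example and is not part of the original page: it writes the cert-params.conf from the procedure, creates the self-signed certificate with the same openssl req command, and then uses the openssl x509 text output from the Results step to check the properties that secure boot and module signing rely on (self-signed, CA:FALSE, digitalSignature key usage, codeSigning extended key usage, not expired). It assumes openssl is on PATH and generates a throwaway RSA key in place of the private-key.pem produced in the earlier key-generation step; the commonName and emailAddress values are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH and
# substitutes a freshly generated RSA key for the earlier private-key.pem.
# Identity values passed to write_cert_params are constructed samples.
set -eu

# Write cert-params.conf to $1 with commonName=$2 and emailAddress=$3.
write_cert_params() {
    cat > "$1" <<EOF
[req]
distinguished_name = subject
x509_extensions = x509_ext
prompt = no
[subject]
commonName = "$2"
emailAddress = "$3"
[x509_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:false
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# Create key and certificate in directory $1, as the procedure does (365 days).
make_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private-key.pem" 2>/dev/null
    write_cert_params "$1/cert-params.conf" "Example Signer" "signer@example.com"
    openssl req -new -x509 -sha256 -days 365 \
        -config "$1/cert-params.conf" -key "$1/private-key.pem" -out "$1/cert.pem"
}

# Inspect certificate $1; print "ok" only if every expected property holds.
check_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#*=}
    iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#*=}
    [ "$subj" = "$iss" ] || { echo "not self-signed"; return 1; }
    text=$(openssl x509 -in "$1" -text -noout)
    for want in 'CA:FALSE' 'Digital Signature' 'Code Signing'; do
        printf '%s\n' "$text" | grep -q "$want" || { echo "missing $want"; return 1; }
    done
    # -checkend 0 fails once the notAfter date has passed
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo expired; return 1; }
    echo ok
}

dir=$(mktemp -d)
make_cert "$dir"
check_cert "$dir/cert.pem"
```

A certificate that fails any of these checks (for example one that was created with CA:true or without the codeSigning extended key usage) should not be uploaded to the secure boot certificate store.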
What to do next
To activate this certificate for use with Linux secure boot and kernel-module verification, upload it to the HMC Secure Boot certificate store as outlined in Managing a secure boot certificate for an LPAR.