On Sun, 25 Oct 2020 06:20:16 -0500
Richard Shaw <hobbes1069(a)gmail.com> wrote:
I'm following the directions here[1] on building a custom kernel to test some patches[2] related to suspend[3] on my new HP ENVY X360 AMD laptop without S3 support.
The directions could be updated to include which commands need to be
run as root, however, my problem is at this step:
"""
Create a PKCS #12 key file:
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
"""
# openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
unable to load certificates
Both files are in the current directory...
Thanks,
Richard
[1] https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kerne...
[2] https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_671110
[3] https://gitlab.freedesktop.org/drm/amd/-/issues/1230
It's been a while since I did this, so it might have changed, but these
are the steps I went through to create the signing keys. It should at
least give you some hints, if nothing else.
A lot of work.
The configuration file needed for openssl to create the keys.
cat configuration_file.config
"""
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Organization
CN = Organization signing key
emailAddress = E-mail address
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
"""
Creating the public and private key.
openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config ./configuration_file.config -outform DER -out public_key.der -keyout private_key.priv
alternate form, haven't tried yet
openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc -out cert.pem -nodes -days 666 -subj "/CN=$USER/"
Telling mok that on next boot, use root password to import key into its
database.
mokutil -P --import public_key.der
Converting der to pem using openssl.
openssl x509 -inform DER -in public_key.der -outform PEM -out public_key.pem
Convert the private key and pem certificate to a pk12 structure.
openssl pkcs12 -export -out kernel_key.p12 -inkey public_key.pem -in xyz_cert.x509.pem
# openssl pkcs12 -export -inkey private_key.priv -in public_key.pem -name kernel_cert -out kernel_cert.p12
Enter Export Password:
Verifying - Enter Export Password:
# Import pkcs12 file into pesign db
# pk12util -i kernel_cert.p12 -d /etc/pki/pesign
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: Organization signing key - Organization
pk12util: PKCS12 IMPORT SUCCESSFUL
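The same key -> DER cert -> PEM cert -> PKCS#12 sequence as a script, added here as an example (not code from either poster), with a format check before the pkcs12 step that failed in the original question. It assumes the openssl CLI; the config is constructed inline with the same fields as the one above, and prefix, nickname and password are arguments.

```shell
#!/bin/sh
# Added example: signing-key pipeline for MOK/pesign with input checks.
set -eu

# Print "pem" if the file starts with a PEM header, "der" if its first byte is
# 0x30 (ASN.1 SEQUENCE, as a DER X.509 certificate does), "unknown" otherwise.
cert_format() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then echo der
    else echo unknown
    fi
}

# Create the key pair: private key in PEM, certificate in DER (the DER form is
# what mokutil --import takes). Config constructed here; 2048 bits for speed.
make_signing_key() {  # $1 = output prefix
    printf '%s\n' '[ req ]' 'default_bits = 2048' 'prompt = no' \
        'distinguished_name = dn' 'x509_extensions = ext' '[ dn ]' \
        'O = Organization' 'CN = Organization signing key' '[ ext ]' \
        'basicConstraints=critical,CA:FALSE' 'keyUsage=digitalSignature' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$1.config"
    openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
        -config "$1.config" -outform DER -out "$1.der" -keyout "$1.priv"
}

# pkcs12 -export reads the certificate as PEM by default; handing it the DER
# file is what produces "unable to load certificates". Convert first.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# Bundle private key + PEM certificate under a nickname pk12util can reuse.
# On OpenSSL 3 add -legacy if an old pk12util rejects the AES-encrypted file.
make_p12() {  # $1 = prefix, $2 = nickname, $3 = export password
    [ "$(cert_format "$1.pem")" = pem ] || { echo "$1.pem: not PEM" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1.priv" -in "$1.pem" -name "$2" \
        -out "$1.p12" -passout "pass:$3"
}

# Check the bundle opens with the password; print the bundled cert's subject.
p12_subject() {  # $1 = p12 file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Whole pipeline, e.g.: demo mok kernel_cert secret  (then mokutil / pk12util)
demo() {
    make_signing_key "$1"; der_to_pem "$1.der" "$1.pem"
    make_p12 "$1" "$2" "$3"; p12_subject "$1.p12" "$3"
}
```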