1#!/bin/sh 2# 3# See uefisign(8) manual page for usage instructions. 4# 5# $FreeBSD: head/share/examples/uefisign/uefikeys 279321 2015-02-26 14:22:27Z trasz $ 6# 7 8die() { 9 echo "$*" > /dev/stderr 10 exit 1 11} 12 13if [ $# -ne 1 ]; then 14 echo "usage: $0 common-name" 15 exit 1 16fi 17 18certfile="${1}.pem" 19efifile="${1}.cer" 20keyfile="${1}.key" 21# XXX: Set this to ten years; we don't want system to suddenly stop booting 22# due to certificate expiration. Better way would be to use Authenticode 23# Timestamp. That said, the rumor is UEFI implementations ignore it anyway. 24days="3650" 25subj="/CN=${1}" 26 27[ ! -e "${certfile}" ] || die "${certfile} already exists" 28[ ! -e "${efifile}" ] || die "${efifile} already exists" 29[ ! -e "${keyfile}" ] || die "${keyfile} already exists" 30 31umask 077 || die "umask 077 failed" 32 33openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed" 34openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed" 35openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed" 36 37echo "certificate: ${certfile}; private key: ${keyfile}; certificate to enroll in UEFI: ${efifile}" 38