|
Server : Apache/2.4.62 System : FreeBSD fbsdweb2.web.rcn.net 14.1-RELEASE FreeBSD 14.1-RELEASE releng/14.1-n267679-10e31f0946d8 GENERIC amd64 User : www ( 80) PHP Version : 8.3.8 Disable Function : NONE Directory : /domains/highlandlabs/cqi-bin/ALFA_DATA/alfasymlink/root/usr/share/examples/uefisign/ |
Upload File : |
#!/bin/sh
#
# See uefisign(8) manual page for usage instructions.
#
#
die() {
echo "$*" > /dev/stderr
exit 1
}
if [ $# -ne 1 ]; then
echo "usage: $0 common-name"
exit 1
fi
certfile="${1}.pem"
efifile="${1}.cer"
keyfile="${1}.key"
# XXX: Set this to ten years; we don't want system to suddenly stop booting
# due to certificate expiration. Better way would be to use Authenticode
# Timestamp. That said, the rumor is UEFI implementations ignore it anyway.
days="3650"
subj="/CN=${1}"
[ ! -e "${certfile}" ] || die "${certfile} already exists"
[ ! -e "${efifile}" ] || die "${efifile} already exists"
[ ! -e "${keyfile}" ] || die "${keyfile} already exists"
umask 077 || die "umask 077 failed"
openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
echo "certificate: ${certfile}; private key: ${keyfile}; certificate to enroll in UEFI: ${efifile}"