share/examples/uefisign/uefikeys

   1 #!/bin/sh
   2 #
   3 # See uefisign(8) manual page for usage instructions.
   4 #
   5 # $FreeBSD$
   6 #
   7
   8 die() {
   9         echo "$*" > /dev/stderr
  10         exit 1
  11 }
  12
  13 if [ $# -ne 1 ]; then
  14         echo "usage: $0 common-name"
  15         exit 1
  16 fi
  17
  18 certfile="${1}.pem"
  19 efifile="${1}.cer"
  20 keyfile="${1}.key"
  21 # XXX: Set this to ten years; we don't want system to suddenly stop booting
  22 #      due to certificate expiration.  Better way would be to use Authenticode
  23 #      Timestamp.  That said, the rumor is UEFI implementations ignore it anyway.
  24 days="3650"
  25 subj="/CN=${1}"
  26
  27 [ ! -e "${certfile}" ] || die "${certfile} already exists"
  28 [ ! -e "${efifile}" ] || die "${efifile} already exists"
  29 [ ! -e "${keyfile}" ] || die "${keyfile} already exists"
  30
  31 umask 077 || die "umask 077 failed"
  32
  33 openssl genrsa -out "${keyfile}" 2048 2> /dev/null || die "openssl genrsa failed"
  34 openssl req -new -x509 -sha256 -days "${days}" -subj "${subj}" -key "${keyfile}" -out "${certfile}" || die "openssl req failed"
  35 openssl x509 -inform PEM -outform DER -in "${certfile}" -out "${efifile}" || die "openssl x509 failed"
  36
  37 echo "certificate: ${certfile}; private key: ${keyfile}; certificate to enroll in UEFI: ${efifile}"