CERT-TO-EFI-HASH-LIST(1)          User Commands          CERT-TO-EFI-HASH-LIST(1)

cert-to-efi-hash-list - tool for converting openssl certificates to EFI
signature hash revocation lists

cert-to-efi-hash-list [-g <guid>][-t <timestamp>][-s <hash>] <crt file> <efi sig list file>

Take an input X509 certificate (in PEM format) and convert it to an EFI
signature hash list file containing only that single certificate

-g <guid>
       Use <guid> as the owner of the signature. If this is not
       supplied, an all zero guid will be used

-s <hash>
       Use SHA<hash> hash algorithm (256, 384, 512)

-t <timestamp>
       Time of revocation for the hash signature. Set to 0 if not
       specified, meaning revoke for all time.

Signature revocation hashes are only implemented in UEFI 2.4 and up

To take a standard X509 certificate in PEM format and produce an output
EFI signature list file, simply do

       cert-to-efi-hash-list PK.crt PK.esl

Note that the format of EFI signature list files is such that they can
simply be concatenated to produce a file with multiple signatures:

       cat PK1.esl PK2.esl > PK.esl

If your platform has a setup mode key manipulation ability, the keys
will often only be displayed by GUID, so using the -g option to give
your keys recognisable GUIDs will be useful if you plan to manage lots
of keys.
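
To audit what a concatenated hash list actually contains (owner GUID, hash and time of revocation per entry), the file can be walked list by list. The following is an added example, not part of efitools; it assumes the EFI_SIGNATURE_LIST and EFI_CERT_X509_SHA256 layouts from the UEFI specification and decodes only the SHA-256 case, and the owner GUIDs and hashes in it are constructed sample values.

```python
import struct
import uuid

# EFI_CERT_X509_SHA256_GUID from the UEFI specification (the -s 256 case).
X509_SHA256 = uuid.UUID("3bd2a492-96c0-4079-b420-fcf98ef103ed")

def parse_esl(blob):
    """Walk back-to-back EFI_SIGNATURE_LIST structures; return their entries."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("inconsistent sizes in list at %d" % off)
        if (end - body) % sig_size:
            raise ValueError("list at %d is not a whole number of entries" % off)
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # the -g value
            data = blob[pos + 16:pos + sig_size]
            entry = {"type": sig_type, "owner": owner, "data": data}
            if sig_type == X509_SHA256 and len(data) == 48:
                # EFI_CERT_X509_SHA256: 32-byte hash, then 16-byte EFI_TIME.
                entry["hash"] = data[:32].hex()
                # An all-zero EFI_TIME is the "revoke for all time" default.
                when = struct.unpack_from("<HBBBBB", data, 32)
                entry["revoked_from"] = when if any(data[32:]) else None
            entries.append(entry)
        off = end  # next list starts right after; this is why cat works
    return entries

def build_sample(owner, digest, when=bytes(16)):
    """Constructed test input: one list holding one X509 SHA-256 entry."""
    sig = owner.bytes_le + digest + when
    return X509_SHA256.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed sample data (not real certificate hashes or vendor GUIDs).
OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWNER_B = uuid.UUID(int=0)  # the all-zero owner used when -g is omitted
TIME_B = struct.pack("<HBBBBBBIhBB", 2022, 7, 1, 0, 0, 0, 0, 0, 0, 0, 0)
SAMPLE = build_sample(OWNER_A, b"\xaa" * 32) + build_sample(OWNER_B, b"\xbb" * 32, TIME_B)

if __name__ == "__main__":
    for e in parse_esl(SAMPLE):
        print(e["owner"], e.get("hash"), e.get("revoked_from"))
```

To inspect a real file, pass its bytes to parse_esl, for example parse_esl(open("PK.esl", "rb").read()).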

See sign-efi-sig-list(1) for details on how to create an authenticated
update to EFI secure variables when the EFI system is in user mode.

cert-to-efi-hash-list 1.9.2          July 2022          CERT-TO-EFI-HASH-LIST(1)