1CERT-TO-EFI-HASH-LIST(1) User Commands CERT-TO-EFI-HASH-LIST(1)
2
3
4
6 cert-to-efi-hash-list - tool for converting openssl certificates to EFI
7 signature hash revocation lists
8
10 cert-to-efi-hash-list [-g <guid>][-t <timestamp>][-s <hash>] <crt file>
11 <efi sig list file>
12
14 Take an input X509 certificate (in PEM format) and convert it to an EFI
15 signature hash list file containing only that single certificate
16
18 -g <guid>
19 Use <guid> as the owner of the signature. If this is not sup‐
20 plied, an all zero guid will be used
21
22 -s <hash>
23 Use SHA<hash> hash algorithm (256, 384, 512)
24
25 -t <timestamp>
26 Time of Revocation for hash signature
27
28 Set to 0 if not specified meaning revoke for all time.
29
31 Signature revocation hashes are only implemented in UEFI 2.4 and up
32
34 To take a standard X509 certificate in PEM format and produce an output
35 EFI signature list file, simply do
36
37 cert-to-efi-hash-list PK.crt PK.esl
38
39 Note that the format of EFI signature list files is such that they can
40 simply be concatenated to produce a file with multiple signatures:
41
42 cat PK1.esl PK2.esl > PK.esl
43
44 If your platform has a setup mode key manipulation ability, the keys
45 will often only be displayed by GUID, so using the -g option to give
46 your keys recognisable GUIDs will be useful if you plan to manage lots
47 of keys.
48
50 sign-efi-sig-list(1) for details on how to create an authenticated up‐
51 date to EFI secure variables when the EFI system is in user mode.
52
53
54
55cert-to-efi-hash-list 1.9.2 December 2022 CERT-TO-EFI-HASH-LIST(1)