Wednesday, November 6, 2013

[x86] (8) How to Customize Signature for Secure Boot using OpenSSL

Today we look at how to create your own signing keys for the notorious Secure Boot using only open source software, with no pain involved. Everything is done with OpenSSL, software we can inspect ourselves, instead of keys controlled by a particular OS vendor.

Secure Boot uses three keys: the Platform Key (PK), the Key Exchange Key (KEK) and the signature database (db). The firmware uses the PK to authorize changes to KEK, the KEK to authorize changes to db and dbx, and the certificates in db to verify the signed bootloader. Each lives in its own authenticated variable, so the firmware never requires db to chain to KEK or KEK to PK (each could be self-signed); the chain built below, db signed by KEK and KEK signed by PK, is a bookkeeping choice that ties the three together. Keep the three private keys offline: whoever holds db_privkey.key can sign a bootloader the machine will trust, and whoever holds the PK private key can replace everything else.

Great, shall we begin?

----------------------------------------------------------------------------------------------------------------

(1) Download and Install OpenSSL wherever you like.

(2) Create your own Certificate Authority on your console. Its key becomes the Platform Key (PK):

   (a) Point OpenSSL at its configuration file (openssl.cnf; some Windows builds look for openssl.cfg). Either set OPENSSL_CONF to the full path of that file, or pass -config on every command as the steps below do. Note the prompt: every command here is run from the httpd\bin directory of this install.

    C:\Program Files\CollabNet\Subversion Server\httpd\bin>

    set OPENSSL_CONF=<full path to openssl.cnf>

    copy openssl.cnf openssl.cfg          (only needed if your build looks for openssl.cfg)


   (b) Generate a 2048-bit RSA private key for the PK (create the output directory first; genrsa will not create it):

    C:\Program Files\CollabNet\Subversion Server\httpd\bin>

    md mephisto_cert

    openssl genrsa -out mephisto_cert\ca_privkey.key 2048


   (c) Extract the PK public key from the private key (optional: the certificate in step (d) already carries it)

    C:\Program Files\CollabNet\Subversion Server\httpd\bin>

    openssl rsa -in mephisto_cert\ca_privkey.key -pubout > mephisto_cert\ca_public.key


   (d) Generate the self-signed CA certificate, which is the PK certificate --> ca.crt. You will be prompted for the subject fields (country, state, organization, common name); remember what you enter, because the stock "openssl ca" policy used in step (3)(e) requires the KEK request to match them.

    openssl req -new -x509 -days 8000 -key mephisto_cert\ca_privkey.key -out mephisto_cert\ca.crt -sha256 -config ..\conf\openssl.cnf


(3) Generate the KEK and sign its certificate with the PK private key

   (a) Build directory storing KEK CSR, CRT, Private Key.

        md mephisto_svn_server_cert

   (b) Generate the private key (and, optionally, the public key) for the KEK

        openssl genrsa -out mephisto_svn_server_cert\svn_server_privkey.key 2048

        openssl rsa -in mephisto_svn_server_cert\svn_server_privkey.key -pubout > mephisto_svn_server_cert\svn_server_public.key

   (c) Produce a certificate signing request (CSR) for the KEK, to be signed by the PK

    openssl req -new -out mephisto_svn_server_cert\svn_server.csr -key mephisto_svn_server_cert\svn_server_privkey.key -config ..\conf\openssl.cnf

   (d) Build the CA database that "openssl ca" needs before it will issue anything. With the stock openssl.cnf the CA directory is the "dir" setting in the [ CA_default ] section (demoCA, relative to the current directory; Windows file names are case-insensitive, so DemoCA works). Inside it create:

      C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\     (empty folder; a copy of every issued certificate is written here)
      C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt     (empty file; the CA's record of issued certificates)
      C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial        (text file containing only "01"; the next serial number to issue)

      The easiest way to make "serial" on Windows is to create temp.txt containing "01" and then rename temp.txt to serial, so the file ends up with no .txt extension (Notepad would otherwise add one).

   (e) Issue the KEK certificate, signed by the PK private key

    openssl ca -in mephisto_svn_server_cert\svn_server.csr -out mephisto_svn_server_cert\svn_server.crt -cert mephisto_cert\ca.crt -keyfile mephisto_cert\ca_privkey.key -config ..\conf\openssl.cnf -days 8000 -md sha256

    If this fails with a "field needed to be the same" error, the stock policy_match policy is rejecting the request: its countryName, stateOrProvinceName and organizationName must match ca.crt. Re-create the CSR with matching values, or select the looser stock policy with -policy policy_anything.

(4) Generate the db key and sign its certificate with the KEK private key

   (a)  Build directory storing db CSR, CRT, Private Key

   md mephisto_db_cert

   (b) Generate the private key (and, optionally, the public key) for db

   openssl genrsa -out mephisto_db_cert\db_privkey.key 2048

   openssl rsa -in mephisto_db_cert\db_privkey.key -pubout > mephisto_db_cert\db_public.key

   (c) Produce a CSR for the db key, to be signed by the KEK

    openssl req -new -out mephisto_db_cert\db.csr -key mephisto_db_cert\db_privkey.key -config ..\conf\openssl.cnf

   (d) The CA database is the same one built in step (3)(d) and is reused as-is:

   C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\
   C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt
   C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial

   Do not empty index.txt or reset serial to "01": "openssl ca" increments the serial itself, and the KEK certificate issued in (3)(e) is already recorded there.

   (e) Issue the db certificate, signed by the KEK private key (note that -cert and -keyfile now point at the KEK, not the PK)

   openssl ca -in mephisto_db_cert\db.csr -out mephisto_db_cert\db.crt -cert mephisto_svn_server_cert\svn_server.crt -keyfile mephisto_svn_server_cert\svn_server_privkey.key -config ..\conf\openssl.cnf -days 8000 -md sha256

----------------------------------------------------------------------------------------------------------------
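The .crt files produced above are PEM certificates, which is not what the firmware consumes. PK, KEK and db are UEFI authenticated variables whose contents are one or more EFI_SIGNATURE_LIST structures: each certificate has to be wrapped in such a list (efitools' cert-to-efi-sig-list does this on Linux), and enrolling it while the firmware is not in Setup Mode additionally requires signing the list into an EFI_VARIABLE_AUTHENTICATION_2 blob with the key one level up (efitools' sign-efi-sig-list). The following is an added example, not code from the original post: a standard-library Python script that does the wrapping step for a PEM certificate and parses a variable's contents back so you can check what is actually enrolled. OWNER_GUID, the function names and SAMPLE_DER/SAMPLE_PEM are assumptions made for the example; SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
"""Wrap certificates into EFI_SIGNATURE_LIST (UEFI spec) and parse lists back.
Layout: EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
UINT32 SignatureSize; SignatureHeader[]; then entries of
EFI_GUID SignatureOwner followed by the signature data. Standard library only."""
import base64
import struct
import uuid

# GUIDs from the UEFI specification. Firmware stores the first three GUID
# fields little-endian, which is exactly what uuid.UUID.bytes_le produces.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Assumed owner GUID for this key set (example value). Any GUID you generate
# once and keep will do; it only records who added the entry and is not verified.
OWNER_GUID = uuid.UUID("6d7a0b2e-3f4c-4d5e-8f90-a1b2c3d4e5f6")

HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
OWNER_LEN = 16                     # size of EFI_SIGNATURE_DATA.SignatureOwner

# Constructed placeholder standing in for db.crt: NOT a real certificate, just a
# short DER-looking byte string so the module can be exercised offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file
    (the format openssl wrote for ca.crt, svn_server.crt and db.crt)."""
    lines, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside and line:
            lines.append(line)
    if not lines:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(lines), validate=True)


def _esl(sig_type: uuid.UUID, entries: list, owner: uuid.UUID) -> bytes:
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries of one EFI_SIGNATURE_LIST must be the same size")
    sig_size = OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


def build_x509_esl(der_cert: bytes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """One list holding a single DER certificate. X.509 lists carry exactly one
    certificate each because SignatureSize is fixed per list and certificates
    differ in length; concatenate lists to put several certs in one variable."""
    return _esl(EFI_CERT_X509_GUID, [der_cert], owner)


def build_sha256_esl(hashes: list, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """One list of 32-byte Authenticode PE hashes, the other common db/dbx
    entry type, used to allow (or in dbx deny) specific binaries without a cert."""
    if any(len(h) != 32 for h in hashes):
        raise ValueError("SHA-256 entries must be exactly 32 bytes")
    return _esl(EFI_CERT_SHA256_GUID, list(hashes), owner)


def parse_esl(blob: bytes) -> list:
    """Walk a variable's contents (one or more concatenated lists) and return
    (SignatureType, SignatureOwner, data) tuples. Rejects truncated or
    inconsistent headers instead of reading past the buffer."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        stype, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with buffer")
        body = blob[off + HEADER.size + hdr_size: off + list_size]
        if sig_size <= OWNER_LEN or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            out.append((uuid.UUID(bytes_le=stype),
                        uuid.UUID(bytes_le=entry[:OWNER_LEN]),
                        entry[OWNER_LEN:]))
        off += list_size
    return out


def is_valid_esl(blob: bytes) -> bool:
    """Cheap pre-check before writing a variable or handing a blob to a tool."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: make_esl.py <cert.crt>   (writes the .esl to stdout)")
    with open(sys.argv[1], "r", encoding="ascii") as f:
        sys.stdout.buffer.write(build_x509_esl(pem_to_der(f.read())))
```

Usage: python make_esl.py mephisto_db_cert\db.crt > db.esl. The parser is the half you want when auditing a machine: on Linux, read /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, drop its 4-byte attribute prefix and pass the rest to parse_esl to list every certificate and hash the firmware currently accepts.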

There you go: completely original material, shared to help anyone who would like to escape the OS vendor's control. If anyone is interested, some of you might find my signature (Mephisto.Lai@X.com) embedded in your official desktop or notebook products...

Anyway, leave me questions, suggestions or comments, thanks!

2 comments:

  1. How to import key for secure flash and sign a bios?

  2. C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\
    C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt
    C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt
    C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt (filled with "01")
    C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial (Rename temp.txt ro serial)

    can't understand how to do them
