# Generate key and certificate

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/generate-key-and-certificate.html](https://docs.qualcomm.com/doc/80-70015-11/topic/generate-key-and-certificate.html)

To enable UEFI secure boot, generate the key pairs and certificates (PK, KEK, and db) that sign and authenticate the secure boot variables and the boot images.

The key generation supports the following algorithms:

- RSA 2048/4096 with SHA-256/SHA-384 hash algorithm
- ECDSA secp256r1/secp384r1

The following procedures show how to generate the keys and certificates, using RSA 2048 with SHA-256 as the example.
Note:
- Perform these steps on a Linux machine. Create a working directory and run every command from it, because later steps read the files (`GUID.txt`, `.key`, `.crt`) written by earlier ones.
- `cert-to-efi-sig-list` and `sign-efi-sig-list` are provided by the `efitools` package; `openssl` and `uuidgen` are standard Linux tools.
- For ECC, `openssl req -newkey ec:` expects an EC parameter file rather than a bare curve name: create one with `openssl ecparam -name secp384r1 -out secp384r1.pem` (or `secp256r1`) and replace `rsa:2048` with `ec:secp384r1.pem` (or `ec:secp256r1.pem`). For SHA-384, replace `-sha256` with `-sha384` in the following commands.
- The `-nodes` option writes each private key to disk unencrypted. `PK.key` and `KEK.key` authorize every future change to the secure boot key hierarchy (PK signs PK and KEK updates, KEK signs db updates), so generate them on a trusted machine and keep them offline once the `.auth` files exist; only the `.auth`, `.cer`, and `.esl` files need to travel to the target.

**Parent Topic:** [Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-uefi-secure-boot.html)

## Generate GUID

First generate a GUID that is used as the signature owner GUID for every key. The following sections then create three new key pairs (PK, KEK, and db), each with a self-signed certificate in PEM (`.crt`) format and its private key in `.key` format.

Use `uuidgen` to generate the signature owner GUID and save it for the later steps:

    uuidgen --random > GUID.txt

## Create PK key

1. Create a PK key pair (RSA-2048) and a self-signed certificate:

        openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
2. Convert the PEM `.crt` file into a DER-encoded `.cer` file:

        openssl x509 -outform der -in PK.crt -out PK.cer
3. Wrap the certificate in an EFI signature list (`.esl`), tagged with the owner GUID from `GUID.txt`:

        cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
4. Sign the `.esl` to produce the authenticated variable payload (`.auth`). The PK is self-signed, so the signing key and certificate are `PK.key` and `PK.crt`; `PK` is the name of the variable the payload is for:

        sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

## Create KEK key

1. Create a KEK key pair (RSA-2048) and a self-signed certificate:

        openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
2. Convert the PEM `.crt` file into a DER-encoded `.cer` file:

        openssl x509 -outform der -in KEK.crt -out KEK.cer
3. Wrap the certificate in an EFI signature list (`.esl`), tagged with the owner GUID from `GUID.txt`:

        cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
4. Sign the `.esl` with the PK private key and certificate to produce `KEK.auth`; only the PK may authorize a KEK update, and `KEK` is the variable name:

        sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth

## Create DB key

1. Create a db key pair (RSA-2048) and a self-signed certificate:

        openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom DB Signing Key 1/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
2. Convert the PEM `.crt` file into a DER-encoded `.cer` file:

        openssl x509 -outform der -in db.crt -out db.cer
3. Wrap the certificate in an EFI signature list (`.esl`), tagged with the owner GUID from `GUID.txt`:

        cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
4. Sign the `.esl` with the KEK private key and certificate to produce `db.auth`; db updates are authorized by the KEK, and `db` is the variable name:

        sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
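To check what the `.esl` step actually wrote before enrolling it, here is an added Python example (not Qualcomm's tooling and not part of this page) that builds an `EFI_SIGNATURE_LIST` around a DER certificate with a chosen owner GUID, the same layout `cert-to-efi-sig-list -g` emits, and parses one or more lists back out, which also covers a `db.esl` made by appending several lists. `SAMPLE_DER` and `SAMPLE_OWNER` are constructed stand-ins so the module runs offline; on a real system feed it `PK.cer` and the GUID from `GUID.txt`.

```python
"""Build and inspect EFI_SIGNATURE_LIST (.esl) files, the format the
cert-to-efi-sig-list step above produces. Standard library only."""
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureType of a list whose entries are DER X.509 certs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID, 16 bytes, mixed-endian as
# uuid.bytes_le), then SignatureListSize, SignatureHeaderSize, SignatureSize
# as little-endian UINT32. Each entry is EFI_SIGNATURE_DATA: owner GUID + data.
_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16


def build_x509_esl(cert_der: bytes, owner_guid: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, as
    `cert-to-efi-sig-list -g <owner_guid> cert.crt cert.esl` does."""
    sig_size = _OWNER_LEN + len(cert_der)      # one EFI_SIGNATURE_DATA entry
    list_size = _HDR.size + sig_size           # header, no signature header, one entry
    return (_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
            + owner_guid.bytes_le + cert_der)


def parse_esl(data: bytes) -> list:
    """Parse one or more concatenated EFI_SIGNATURE_LISTs (a db.esl is often
    several lists appended). Returns (type_guid, owner_guid, signature_bytes)
    per entry and rejects truncated or inconsistent size fields."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < _HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(data, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= _OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} leaves no signature data")
        body_start = off + _HDR.size + hdr_size
        body_len = list_size - _HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError("signature array is not a whole number of entries")
        type_guid = uuid.UUID(bytes_le=sig_type)
        for i in range(body_len // sig_size):
            e = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=data[e:e + _OWNER_LEN])
            entries.append((type_guid, owner, data[e + _OWNER_LEN:e + sig_size]))
        off += list_size
    return entries


def der_outer_length_ok(der: bytes) -> bool:
    """Cheap sanity check that an entry is a DER SEQUENCE whose declared length
    matches the bytes present (a real X.509 certificate starts with 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                           # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                           # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    declared = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + declared == len(der)


# Constructed stand-ins (a tiny DER SEQUENCE, not a real certificate, and an
# arbitrary owner GUID) so the module runs offline. Replace with the bytes of
# PK.cer and the contents of GUID.txt on a real system.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")


def demo() -> bytes:
    esl = build_x509_esl(SAMPLE_DER, SAMPLE_OWNER)
    # Two lists appended, as happens when several db.esl files are concatenated.
    for type_guid, owner, sig in parse_esl(esl + esl):
        print(f"type={type_guid} owner={owner} bytes={len(sig)} "
              f"der_ok={der_outer_length_ok(sig)}")
    return esl


if __name__ == "__main__":
    demo()
```

To inspect a file produced by the steps above, call `parse_esl(open("db.esl", "rb").read())`: every entry's owner GUID should equal the contents of `GUID.txt` and its type GUID should be `EFI_CERT_X509_GUID`, and `build_x509_esl` applied to the bytes of `PK.cer` with that GUID should produce the same bytes as `PK.esl`.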

Last Published: Oct 14, 2024

[Previous Topic: Enable UEFI secure boot](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/enable-uefi-secure-boot.md)
[Next Topic: Sign images and copy (.auth) key/signed files to EFI partition](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/sign-images-and-copy-auth-key-signed-files-to-efi-partition.md)