# Generate key and certificate

To enable UEFI secure boot, generate a pair of keys and certificates for signing and authentication.

The key generation supports the following algorithms:

- RSA 2048/4096 with SHA-256/SHA-384 hash algorithm
- ECDSA secp256r1/secp384r1

The following procedures provide instructions to generate keys and certificates with RSA 2048 and SHA-256 as an example.

Note

- Create a directory and run the commands in the same location to perform these steps on a Linux machine.
- For ECC, replace `rsa:2048` with `ec:secp384r1` or `ec:secp256r1`. For SHA-384, replace `-sha256` with `-sha384` in the following commands.

## Generate GUID

Generate a GUID to use as the signature owner for the three keys (PK, KEK, and db) created below. Each key gets a self-signed certificate in CRT/PEM format and a private key in `.key` format.

Generate the signature owner GUID with `uuidgen`:

```
uuidgen --random > GUID.txt
```

## Create PK key

1. Create a PK key pair (RSA-2048) and certificate:

   ```
   openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
   ```

2. Convert the `.crt` file into the `.cer` file:

   ```
   openssl x509 -outform der -in PK.crt -out PK.cer
   ```

3. Convert the `.crt` file into the `.esl` file:

   ```
   cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
   ```

4. Sign and generate the `.auth` file with the `.crt`, `.esl`, and `.key` files:

   ```
   sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
   ```

## Create KEK key

1. Create a KEK key pair (RSA-2048) and certificate:

   ```
   openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
   ```

2. Convert the `.crt` file into the `.cer` file:

   ```
   openssl x509 -outform der -in KEK.crt -out KEK.cer
   ```

3. Convert the `.crt` file into the `.esl` file:

   ```
   cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
   ```

4. Sign and generate the `.auth` file with the `.crt`, `.esl`, and `.key` files (the KEK update is signed with the PK):

   ```
   sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
   ```

## Create db key

1. Create a db key pair (RSA-2048) and certificate:

   ```
   openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom DB Signing Key 1/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
   ```

2. Convert the `.crt` file into the `.cer` file:

   ```
   openssl x509 -outform der -in db.crt -out db.cer
   ```

3. Convert the `.crt` file into the `.esl` file:

   ```
   cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
   ```

4. Sign and generate the `.auth` file with the `.crt`, `.esl`, and `.key` files (the db update is signed with the KEK):

   ```
   sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
   ```
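The `.esl` files produced in step 3 of each section are EFI_SIGNATURE_LIST structures: a signature type GUID, three size fields, and one EFI_SIGNATURE_DATA entry holding the owner GUID from `GUID.txt` followed by the DER certificate. The following added example (not part of this document or of efitools) builds such a list the way `cert-to-efi-sig-list -g` does and parses one back with consistency checks, so you can inspect what will be enrolled into PK, KEK or db; the DER bytes and owner GUID in it are constructed placeholders, not a real certificate.

```python
import struct
import sys
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: signature type for DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
HEADER = struct.Struct("<16sIII")

# Constructed sample values standing in for GUID.txt and PK.cer (a minimal DER SEQUENCE, not a cert).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def build_esl(owner_guid: uuid.UUID, der_cert: bytes) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 certificate."""
    sig_size = 16 + len(der_cert)            # EFI_SIGNATURE_DATA = SignatureOwner GUID + cert
    list_size = HEADER.size + sig_size       # X.509 lists carry no SignatureHeader
    header = HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    # GUIDs are stored in EFI mixed-endian layout, which uuid's bytes_le provides.
    return header + owner_guid.bytes_le + der_cert


def parse_esl(blob: bytes) -> list:
    """Parse a concatenation of EFI_SIGNATURE_LISTs (e.g. a db with several certs).

    Returns (signature_type, owner_guid, signature_data) tuples and rejects
    truncated or internally inconsistent lists instead of reading past them.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize exceeds the data or is too small")
        body = blob[off + HEADER.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature array is not a whole number of SignatureSize entries")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


if __name__ == "__main__":
    # Usage: python esl.py PK.esl   (inspect a list made by cert-to-efi-sig-list)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_esl(SAMPLE_OWNER, SAMPLE_DER)
    for sig_type, owner, sig in parse_esl(data):
        print(f"type={sig_type} owner={owner} bytes={len(sig)}")
```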

## Next steps

- For the system to verify and load only trusted software during startup, see [Sign images and copy (.auth) key/signed files to EFI partition](https://docs.qualcomm.com/doc/80-70018-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html#sign-images-and-copy-auth-key-signed-files-to-efi-partition).
- To ensure that the secure boot settings are correctly applied and maintained through the systemd-boot menu, see [Enable UEFI secure boot from systemd-boot menu](https://docs.qualcomm.com/doc/80-70018-11/topic/enable-uefi-secure-boot-from-systemd-boot-menu.html#enable-uefi-secure-boot-from-systemd-boot-menu).

Last Published: Apr 10, 2025
