-rw-r--r--.gitignore1
-rw-r--r--data/certificates/.gitignore1
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md11
-rwxr-xr-xscripts/image-build/build-vyos-image5
4 files changed, 6 insertions, 12 deletions
diff --git a/.gitignore b/.gitignore
index 252b5d82..6de027c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,6 @@ packer_cache/*
key/*
packages/*
!packages/*/
-data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
/testinstall*.img
/testinstall*.efivars
/*.qcow2
diff --git a/data/certificates/.gitignore b/data/certificates/.gitignore
new file mode 100644
index 00000000..c996e507
--- /dev/null
+++ b/data/certificates/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index abaaa97a..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-```
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index 94e326d4..aab5ed13 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -367,6 +367,11 @@ if __name__ == "__main__":
shutil.copytree("data/live-build-config/", lb_config_dir)
os.makedirs(lb_config_dir, exist_ok=True)
+ ## Secure Boot - Copy public Keys to image
+ sb_certs = 'data/certificates'
+ if os.path.isdir(sb_certs):
+ shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok')
+
# Switch to the build directory, this is crucial for the live-build work
# because the efective build config files etc. are there.
#
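Review bot: The `shutil.copytree(sb_certs, ...)` call on the added line copies every file present in `data/certificates` into the image's `/var/lib/shim-signed/mok`, so a locally generated private key (the deleted README wrote it as `MOK.key` next to the certificate, and the new `*.key` gitignore only keeps it out of commits, not out of a working tree) would ship inside the built image even though the comment above says only public keys are copied. Restrict the copy to the public material, e.g. `shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok', ignore=shutil.ignore_patterns('*.key'))`, or reword the comment to `## Secure Boot - copy everything in data/certificates into the image's MOK store (keep private keys out of that directory)`. Note also that `copytree` raises `FileExistsError` if the destination directory already exists under the freshly copied `lb_config_dir`; if that can happen here, `dirs_exist_ok=True` (Python 3.8+) avoids it, but I cannot tell from the hunk whether the mok directory survives in the template after the README removal. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.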