authorRobert Göhler <github@ghlr.de>2025-03-25 08:21:18 +0100
committerGitHub <noreply@github.com>2025-03-25 08:21:18 +0100
commit7e70f1813d0f5d1830e897744d193444f5d80e2c (patch)
tree6105c7f60a8d9311871c467091c8855b46f4c2af
parent840b04bf19f01e35f361c4840fd9d9b4fb2a6311 (diff)
parent234662d506b5406bbc316265773b37fd94391052 (diff)
Merge pull request #1609 from vyos/t861-secure-boot-ca
T861: update secure-boot certificate handling example
-rw-r--r--docs/installation/secure-boot.rst20
1 files changed, 13 insertions, 7 deletions
diff --git a/docs/installation/secure-boot.rst b/docs/installation/secure-boot.rst
index 817ca663..b6685039 100644
--- a/docs/installation/secure-boot.rst
+++ b/docs/installation/secure-boot.rst
@@ -18,13 +18,19 @@ commands prior to your ISO image build:
.. code-block:: bash
cd vyos-build
- openssl req -new -x509 -newkey rsa:4096 \
- -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \
- -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \
- -outform DER -days 36500 -subj "/CN=MyMOK/" -nodes
- openssl x509 -inform der \
- -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \
- -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.pem
+ CA_DIR="data/certificates"
+ SHIM_CERT_NAME="vyos-dev-2025-shim"
+ VYOS_KERNEL_CERT_NAME="vyos-dev-2025-linux"
+
+ openssl req -new -x509 -newkey rsa:4096 -keyout ${CA_DIR}/${SHIM_CERT_NAME}.key -out ${CA_DIR}/${SHIM_CERT_NAME}.der \
+ -outform DER -days 36500 -subj "/CN=VyOS Networks Secure Boot CA/" -nodes
+ openssl x509 -inform der -in ${CA_DIR}/${SHIM_CERT_NAME}.der -out ${CA_DIR}/${SHIM_CERT_NAME}.pem
+
+ openssl req -newkey rsa:4096 -sha256 -nodes -keyout ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.key \
+ -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -outform PEM -days 3650 \
+ -subj "/CN=VyOS Networks Secure Boot Signer 2025 - linux/"
+ openssl x509 -req -in ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -CA ${CA_DIR}/${SHIM_CERT_NAME}.pem \
+ -CAkey ${CA_DIR}/${SHIM_CERT_NAME}.key -CAcreateserial -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.pem -days 3650 -sha256
************
Installation
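Review bot: The CA private key `${CA_DIR}/${SHIM_CERT_NAME}.key` is generated with `-nodes`, so the root of the Secure Boot chain lands unencrypted under `data/certificates` next to a certificate valid for 36500 days. The example should tell the reader to keep the `.key` files out of version control and out of the built image, or drop `-nodes` on the CA key if the build can prompt for a passphrase. On the signer request, `-days 3650` has no effect because `openssl req` ignores it without `-x509`; the validity comes from the later `openssl x509 -req ... -days 3650`, so the first occurrence can be removed. The `openssl x509 -req` step passes no `-extfile`, so the signer certificate probably carries no key-usage or CA:FALSE constraint, which is worth confirming as intended. The expansions are also unquoted and would be safer as `-keyout "${CA_DIR}/${SHIM_CERT_NAME}.key"`.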