HP EliteBook 745 Sure Recover User Guide - Page 14

Generating manifest signature, Hosting the files

Page 14 highlights

[System.IO.File]::WriteAllLines($pathToManifest + '\' + $mftFilename, $content, $encoding)

2. Save the script.

3. Execute the script.

   powershell .\generate-manifest.ps1

Generating manifest signature

Sure Recover validates the agent and image using cryptographic signatures. The following examples use a private/public key pair in X.509 PEM format (.PEM extension). Adjust the commands as appropriate to use DER binary certificates (.CER or .CRT extension), BASE-64 encoded PEM certificates (.CER or .CRT extension), or PKCS1 PEM files (.PEM extension). The example also uses OpenSSL, which generates signatures in big-endian format. You can use any utility to sign manifests, but some BIOS versions only support signatures in little-endian format.

1. Generate a 2048-bit RSA private key using the following command. If you have a 2048-bit RSA private/public key pair in PEM format, copy them to C:\staging, and then skip to step 3.

   openssl genrsa -out my-recovery-private.pem 2048

2. Generate the public key from your private key (if you have a public key corresponding to your private key in PEM format, copy it to C:\staging), using the following command:

   openssl rsa -in my-recovery-private.pem -pubout -out my-recovery-public.pem

3. Create a signature file (using sha256-based hash) based on your 2048-bit RSA private key from step 1, using the following command:

   openssl dgst -sha256 -sign my-recovery-private.pem -out custom.sig custom.mft

4. Verify the signature file, using your public key from the previous step, using the following command:

   openssl dgst -sha256 -verify my-recovery-public.pem -signature custom.sig custom.mft

NOTE:
● If you need to create a signature file only, the required steps are 1 and 3.
● For HP Sure Recover, the minimum required steps are 1, 2, and 3. You need the public key from step 2 to provision your target system.
● Step 4 is optional but recommended so that your signature file and manifest file validate correctly.
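Steps 3 and 4 as one PowerShell script, added here as an example (it is not part of the HP guide): it signs the manifest, verifies the signature, confirms that a modified manifest fails verification, and writes a byte-reversed copy of the signature. The file name custom-le.sig and the reading of "little-endian" as the signature bytes in reverse order are assumptions; confirm the format your BIOS version expects.

```powershell
# Added example, not from the HP guide. Assumes openssl is on PATH and the
# key pair from steps 1 and 2 is already in C:\staging.
$ErrorActionPreference = 'Stop'
$staging  = 'C:\staging'
$manifest = Join-Path $staging 'custom.mft'
$private  = Join-Path $staging 'my-recovery-private.pem'
$public   = Join-Path $staging 'my-recovery-public.pem'
$sigBE    = Join-Path $staging 'custom.sig'      # OpenSSL output (big-endian)
$sigLE    = Join-Path $staging 'custom-le.sig'   # hypothetical name for the reversed copy

function Test-ManifestSignature([string]$File, [string]$Signature) {
    # openssl exits 0 only when the signature matches both the file and the public key
    & openssl dgst -sha256 -verify $public -signature $Signature $File | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Step 3: sign the exact bytes of the manifest
& openssl dgst -sha256 -sign $private -out $sigBE $manifest
if ($LASTEXITCODE -ne 0) { throw 'Signing failed' }

# A signature made with a 2048-bit RSA key is exactly 256 bytes long
$sig = [System.IO.File]::ReadAllBytes($sigBE)
if ($sig.Length -ne 256) { throw "Unexpected signature length: $($sig.Length)" }

# Step 4: the signature must verify against the public key you will provision
if (-not (Test-ManifestSignature $manifest $sigBE)) { throw 'Signature does not verify' }

# Negative check: flipping one bit of the manifest must break verification
$tampered = Join-Path $env:TEMP 'custom-tampered.mft'
$bytes = [System.IO.File]::ReadAllBytes($manifest)
$bytes[0] = $bytes[0] -bxor 1
[System.IO.File]::WriteAllBytes($tampered, $bytes)
if (Test-ManifestSignature $tampered $sigBE) { throw 'Tampered manifest verified; check the inputs' }
Remove-Item $tampered

# Assumption: a little-endian signature is the same 256 bytes in reverse order
[Array]::Reverse($sig)
[System.IO.File]::WriteAllBytes($sigLE, $sig)
Write-Output "Signed $manifest; wrote $sigBE and $sigLE"
```

Because the signature covers the exact bytes of custom.mft, re-saving the manifest after signing (for example with a different encoding or line endings) invalidates it; sign again after any change.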
Hosting the files

Host the following files on your server from the C:\staging folder:
● *.swm
● custom.mft (or the file name you chose for the manifest file)
● custom.sig (or the matching file name you chose for the signature file)

8 Chapter 2 Creating a corporate image

