HP EliteBook 745 Sure Recover User Guide - Page 21


openssl pkcs12 -inkey kek.key -in kek.crt -export -out kek.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -passout pass:

# Create a command signing key
openssl req -sha256 -nodes -newkey rsa:2048 -keyout sk.key -out sk.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=www.example.com"
openssl x509 -req -sha256 -in sk.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sk.crt
openssl pkcs12 -inkey sk.key -in sk.crt -export -out sk.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -passout pass:
openssl pkcs12 -in sk.pfx -clcerts -nokeys -out sk_public.pem -passin pass:

# Create an image signing key
openssl req -sha256 -nodes -newkey rsa:2048 -keyout os.key -out os.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=www.example.com"
openssl x509 -req -sha256 -in os.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out os.crt
openssl pkcs12 -inkey os.key -in os.crt -export -out os.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -passout pass:

You can sign the image manifest with this command:
openssl dgst -sha256 -sign os.key -out image.sig image.mft

# Create an agent signing key
openssl req -sha256 -nodes -newkey rsa:2048 -keyout re.key -out re.csr -subj "/C=US/ST=State/L=City/O=Company/OU=Org/CN=www.example.com"
openssl x509 -req -sha256 -in re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out re.crt
openssl pkcs12 -inkey re.key -in re.crt -export -out re.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -passout pass:

You can sign the agent manifest with this command:
openssl dgst -sha256 -sign re.key -out agent.sig agent.mft

OpenSSL generates signature files in big-endian format, which is incompatible with some BIOS versions, so the agent signature file byte order may need to be reversed before being deployed. BIOS versions that support big-endian byte ordering also support little-endian byte ordering.
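
The byte-order reversal described above, as an added Python example that is not part of the HP guide: it reverses a signature and reports which byte order of a given signature file verifies against the public key. Assumptions: the helper names are hypothetical, `sign()` is a pure-Python stand-in for `openssl dgst -sha256 -sign`, and the key is a small constructed demo key rather than the guide's rsa:2048 key.

```python
import hashlib

# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(message: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 encoded message (00 01 FF.. 00 DigestInfo) of length k."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def reverse_signature(sig: bytes, k: int) -> bytes:
    """Swap a signature between big- and little-endian byte order."""
    if len(sig) != k:
        raise ValueError(f"signature is {len(sig)} bytes, key size is {k}")
    return sig[::-1]

def byte_order(sig: bytes, message: bytes, n: int, e: int) -> str:
    """Report which byte order of `sig` verifies against public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    for order in ("big", "little"):
        s = int.from_bytes(sig, order)
        if s < n and pow(s, e, n).to_bytes(k, "big") == expected_em(message, k):
            return order
    return "invalid"

# Constructed demo key built from two Mersenne primes: insecure, test only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # signature length in bytes (256 for rsa:2048)

def sign(message: bytes) -> bytes:
    """Stand-in for `openssl dgst -sha256 -sign`: big-endian output."""
    em = int.from_bytes(expected_em(message, K), "big")
    return pow(em, D, N).to_bytes(K, "big")

MANIFEST = b"constructed agent.mft contents\n"  # constructed sample input

if __name__ == "__main__":
    sig = sign(MANIFEST)
    print(byte_order(sig, MANIFEST, N, E))
    print(byte_order(reverse_signature(sig, K), MANIFEST, N, E))
```

Checking the byte order before deployment avoids reversing a file twice, since a second reversal restores the original big-endian signature.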
Sample key generation using OpenSSL