Playing with Secure Boot 2 – Exploring the Various Boot Options and Kernels in Oracle Linux

How to do it…

1. Create a configuration file that OpenSSL can use to obtain default values when generating your certificates. You can create this file at any location, but it is useful to keep it with the rest of your OpenSSL configuration in /etc/ssl/x509.conf. The file should look similar to the following:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions
[ req_distinguished_name ]
O = Module Signing Example
CN = Module Signing Example Key
emailAddress = [email protected]
[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

You should edit the O, CN, and emailAddress fields to values appropriate for your organization. Note that in the extensions section of the configuration, the keyUsage field is set to digitalSignature. Additionally, the extendedKeyUsage option is set to codeSigning for compatibility with key verification tools.

2. Generate a new key pair using this configuration file:

[root@demo2 ~]# openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch -config /etc/ssl/x509.conf -outform DER -out /etc/ssl/certs/pubkey.der -keyout /etc/ssl/certs/priv.key

Generating a RSA private key
........++++
.......++++
writing new private key to '/etc/ssl/certs/priv.key'
-----
[root@demo2 ~]#

This signing certificate is valid for 10 years (3,650 days). Ensure that the keys are adequately protected. This can be done by copying the keys off the server and storing them in a secure location. Placing the keys on a USB stick and putting that in a desk drawer is not a secure location. Use a locked location, such as a safe.

3. Export the certificate in PEM format:

[root@demo2 ~]# openssl x509 -inform DER -in /etc/ssl/certs/pubkey.der -out /etc/ssl/certs/pubkey.pem
[root@demo2 ~]#

Signing the module

The sign-file utility ensures that the module is signed correctly for the kernel. This utility is provided within the kernel source. The following instructions assume that you are signing a module for the currently running kernel. If you intend to sign a module for a different kernel, you must provide the path to the sign-file utility within the correct kernel version source. If you do not use the right utility, the signature type for your module may not align correctly with the expected signature type.

To sign the module, run the sign-file utility for your currently running kernel and provide it with the path to your private key and the public key that you created for the purpose of signing your modules (for this example, I've used a public module called hello):

[root@demo2 ~]# sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha512 /etc/ssl/certs/priv.key \
> /etc/ssl/certs/pubkey.der /lib/modules/$(uname -r)/extra/hello.ko

Note that the module should already be installed into /lib/modules/, and you need to provide the correct path to the module.
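As an added example that is not part of the original post, the following POSIX shell script carries steps 1 to 3 through end to end into a directory of your choosing and then performs the checks worth doing before a key pair is handed to sign-file: that the certificate is not a CA, that it allows Digital Signature and carries the Code Signing extended key usage, and that the private key actually belongs to the certificate. The output directory, the subject values and the e-mail address are assumptions; the openssl options are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: runs steps 1-3 end to end
# and verifies the result before the key pair is used with sign-file.
# Directory layout, subject values and e-mail address are assumptions.
set -eu

# Step 1: write the OpenSSL request config. Arguments: output file, O, CN,
# emailAddress, key size (default 4096), extendedKeyUsage (default codeSigning;
# pass "none" to omit the extension, which is the misconfiguration the checks
# below are meant to catch).
write_signing_config() {
    if [ "${6:-codeSigning}" = none ]; then
        eku_line=""
    else
        eku_line="extendedKeyUsage = ${6:-codeSigning}"
    fi
    cat > "$1" <<EOF
[ req ]
default_bits = ${5:-4096}
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions
[ req_distinguished_name ]
O = $2
CN = $3
emailAddress = $4
[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
$eku_line
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# Step 2: self-signed certificate in DER plus an unencrypted private key
# (-nodes), valid 3650 days, as in the post. Arguments: config, cert out, key out.
generate_signing_key() {
    openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch \
        -config "$1" -outform DER -out "$2" -keyout "$3" 2>/dev/null
    chmod 0600 "$3"   # the private key is the root of trust for every module you sign
}

# Step 3: export the certificate as PEM. Arguments: DER in, PEM out.
export_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Check 1: the certificate must say CA:FALSE, allow Digital Signature and carry
# the Code Signing EKU. A config without the [extensions] section silently
# produces a certificate that lacks all three. Argument: DER certificate.
check_signing_cert() {
    text=$(openssl x509 -inform DER -in "$1" -noout -text)
    for want in 'CA:FALSE' 'Digital Signature' 'Code Signing'; do
        if ! printf '%s\n' "$text" | grep -q "$want"; then
            echo "certificate $1 lacks '$want'" >&2
            return 1
        fi
    done
    echo "certificate $1 has the expected signing extensions"
}

# Check 2: the private key and the certificate must carry the same public key;
# otherwise sign-file produces signatures the enrolled certificate cannot verify.
# Arguments: DER certificate, PEM private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Run the whole procedure into directory $1 (optional key size in $2) and
# verify the result; returns non-zero as soon as any step or check fails.
demo() {
    write_signing_config "$1/x509.conf" "Module Signing Example" \
        "Module Signing Example Key" "signer@example.invalid" "${2:-4096}" &&
    generate_signing_key "$1/x509.conf" "$1/pubkey.der" "$1/priv.key" &&
    export_pem "$1/pubkey.der" "$1/pubkey.pem" &&
    check_signing_cert "$1/pubkey.der" &&
    key_matches_cert "$1/pubkey.der" "$1/priv.key" &&
    echo "$1/priv.key and $1/pubkey.der are ready for sign-file"
}

if [ "$#" -gt 0 ]; then
    demo "$1"
fi
```

Run it as `sh keygen.sh /some/dir`; the resulting priv.key and pubkey.der are the two arguments the sign-file command above expects. The negative path of check_signing_cert is the one the post's note about key verification tools is about: a certificate generated from a config that omits the EKU (or the whole extensions section) is accepted by openssl without complaint, so the check is the only thing that catches it before a module is signed. Once the module has been signed, `modinfo` on the .ko lists signer, sig_key and sig_hashalgo fields, which is the quickest way to confirm the signature was attached.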

All Rights Reserved 2022-2024