2.2.3.1 Adding Keys for Secure Boot Using mokutil

On bare metal database servers and KVM hosts, you can add new keys for use with Secure Boot using the Machine Owner Keys (MOK) utility (mokutil).

You must run the mokutil command as the root user.

You can run mokutil --help to view additional details about the mokutil command.

  1. Create a DER-formatted X509 certificate file for the key you want to add.

    For example, you could use the following command sequence to create a new key and the associated certificate.

    # openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > my_private_key.pem
    # openssl req -x509 -key my_private_key.pem -subj /CN=client.example.com > my_certificate.pem
    # openssl x509 -in my_certificate.pem -inform PEM -out my_certificate.der -outform DER
  2. Check to see if the key is already active.
    # mokutil --test-key my_certificate.der
  3. If the key is not currently active, then import the key certificate.
    # mokutil --import my_certificate.der

    When prompted, specify a MOK management password. Ensure that you remember the password because it is required to complete MOK enrollment after you reboot the system.

    Note:

    • If required, you can use the mokutil command to import multiple certificates at once using the same password by providing a list of DER-formatted X509 certificate files. For example:

      # mokutil --import my_certificate.der my_certificate2.der my_certificate3.der

      If you import multiple certificates, the keys are later identified in the MOK management interfaces as Key 0, Key 1, Key 2, and so on.

    • If you discover any problem with the certificate(s) you imported, you can revoke the imported certificates at any time before the keys are enrolled in the UEFI Secure Boot key database by running:

      # mokutil --revoke-import
  4. Record details about the key and associated certificate for identification purposes in the following steps.

    Record the output from the following command:

    # mokutil --list-new
  5. Reboot the system from the system console.

    On a physical server, you can view the system console by connecting to the Integrated Lights Out Manager (ILOM) subsystem and then running the following command from the ILOM prompt:

    -> start -script /SP/console

    After connecting to the system console, you can reboot the system by logging in as the root user and running:

    # shutdown -r now
  6. Observe the system console and press any key to perform MOK management when prompted.
  7. In the Perform MOK management screen, select the Enroll MOK menu option.
  8. Select the View key 0 menu option and verify that the key details match the new key that you want to enroll.

    If you imported multiple keys, verify all of the key details using View key 1, View key 2, and so on.

  9. Enroll the new key(s).
    1. Return to the Enroll MOK screen.
    2. Select the Continue option.
    3. Select Yes in the Enroll the key(s)? dialog.
    4. When prompted, supply the MOK management password you specified earlier when importing the key certificate(s).

    The key(s) are now enrolled in the UEFI Secure Boot key database.

  10. In the Perform MOK management screen, select the Reboot menu option.
  11. After the system reboots, confirm that the new key is enrolled by examining the output from the following command:
    # mokutil --list-enrolled
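The final check in step 11 (and the record taken in step 4) compares key details by eye. The following Python script is an added example, not part of this documentation or of mokutil: it computes the SHA-1 fingerprint of the DER certificate created in step 1 and looks for that fingerprint in the [key N] entries printed by mokutil --list-enrolled, so the confirmation can be scripted. The sample DER bytes and the sample mokutil output are constructed stand-ins; the script name mok_check.py is assumed.

```python
import hashlib
import re
import subprocess
import sys

# Constructed stand-in for a DER certificate body. The fingerprint mokutil
# prints is SHA-1 over the DER bytes, so any bytes exercise the logic.
SAMPLE_DER = b"abc"

# Constructed excerpt in the shape of `mokutil --list-enrolled` output; only
# the [key N] headers and the SHA1 Fingerprint lines are relied upon.
SAMPLE_LIST = """\
[key 1]
SHA1 Fingerprint: a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
Certificate:
    Data:
        Subject: CN=client.example.com
[key 2]
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
Certificate:
    Data:
        Subject: CN=other.example.com
"""

def der_fingerprint(der: bytes) -> str:
    """Colon-separated lowercase SHA-1 fingerprint of the DER bytes."""
    h = hashlib.sha1(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def parse_mok_list(text: str) -> dict:
    """Map each [key N] index in mokutil list output to its fingerprint."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\[key (\d+)\]", line.strip())
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"SHA1 Fingerprint:\s*([0-9a-fA-F:]{59})", line.strip())
        if m and current is not None:
            keys[current] = m.group(1).lower()
    return keys

def enrolled_index(der: bytes, list_output: str):
    """Return the [key N] index whose fingerprint matches der, else None."""
    want = der_fingerprint(der)
    return next((i for i, fp in parse_mok_list(list_output).items() if fp == want), None)

if __name__ == "__main__":
    # Usage (as root, as mokutil requires): mok_check.py my_certificate.der
    with open(sys.argv[1], "rb") as f:
        der = f.read()
    out = subprocess.run(["mokutil", "--list-enrolled"], check=True,
                         capture_output=True, text=True).stdout
    idx = enrolled_index(der, out)
    print(f"enrolled as key {idx}" if idx is not None else "NOT enrolled")
    sys.exit(0 if idx is not None else 1)
```

Running it against the output of mokutil --list-new before the reboot (step 4) gives the same fingerprint-based match for the pending key.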