- You need to generate a certificate. To do this, install the latest Windows Kit. Under its install directory, find the X86 or X64 build of the executable "makecert.exe", depending on your working computer, and execute the following command.
makecert -n "CN=PkRoot" -r -sv PkRoot.pvk PkRoot.cer
You can replace "PkRoot" with whatever name you like. This will generate a private key and a certificate. Remember the password you type.
- Then proceed to generate the KEK key and certificate using the platform key you just generated.
Also memorize the KEK key password. It will be used to sign EFI applications.
- Transform the KEK private key to PFX format (PKCS#12).
xxx is the password for the KEK private key.
- Now you can use KekRoot.cer and KekRoot.pfx to sign whatever EFI application or driver you want to execute on your platform. The command is as below.
xxx is still the password of KekRoot.pvk.
But there's one VERY critical step left.
- You need to include KekRoot.cer in your BIOS image and put it in the ALLOW certificate. Different IBVs will probably have different ways to include an ALLOW certificate. Check with your IBV for details.
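
The key generation and signing steps above as one script, an added example that is not part of the original page. Only the first makecert command comes from the page; the KEK, PFX and signing commands are an assumption built from the standard options of makecert, pvk2pfx and signtool. `$KitBin`, `app.efi`, the `Invoke-Tool` helper and the SHA-256 digest choice are likewise assumptions.

```powershell
# Added example. Paths and file names are placeholders; adjust them to your setup.
$KitBin  = 'C:\Path\To\WindowsKit\bin\x64'   # placeholder: folder holding makecert.exe, pvk2pfx.exe, signtool.exe
$EfiFile = 'app.efi'                          # placeholder: EFI application or driver to sign

# The "xxx" from the steps above. It is passed on the command line to pvk2pfx and
# signtool, so it is visible in process listings; run this on a trusted machine.
$KekPass = Read-Host 'KEK private key password'

# Hypothetical helper: run one Windows Kit tool and stop at the first failure,
# so a failed step never leaves you signing with stale key files.
function Invoke-Tool {
    param([string]$Name, [string[]]$ToolArgs)
    & (Join-Path $KitBin $Name) @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# Step 1 (command from the page): self-signed platform key and certificate.
# makecert prompts for the new private key password.
Invoke-Tool 'makecert.exe' @('-n', 'CN=PkRoot', '-r', '-sv', 'PkRoot.pvk', 'PkRoot.cer')

# Step 2 (assumed options): KEK key and certificate issued by the platform key.
# -iv / -ic name the issuer's private key and certificate.
Invoke-Tool 'makecert.exe' @('-n', 'CN=KekRoot', '-iv', 'PkRoot.pvk', '-ic', 'PkRoot.cer',
                             '-sv', 'KekRoot.pvk', 'KekRoot.cer')

# Step 3 (assumed options): pack the KEK private key and certificate into PKCS#12.
# Without -po the .pfx gets the same password as the .pvk.
Invoke-Tool 'pvk2pfx.exe' @('-pvk', 'KekRoot.pvk', '-pi', $KekPass,
                            '-spc', 'KekRoot.cer', '-pfx', 'KekRoot.pfx', '-f')

# Step 4 (assumed options): sign the EFI binary with the KEK key, SHA-256 file digest.
Invoke-Tool 'signtool.exe' @('sign', '/f', 'KekRoot.pfx', '/p', $KekPass, '/fd', 'sha256', $EfiFile)

# Keep the .pvk and .pfx files off shared storage: anyone holding them can sign
# binaries that a platform enrolled with KekRoot.cer will accept.
Write-Host "Signed $EfiFile with KekRoot.pfx; enroll KekRoot.cer in the BIOS image next."
```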
