Using OpenSSL for certificate creation¶
This document specifies the following:
- Create a certificate with RSASSA PKCS v1.5 scheme using OpenSSL
- Create a certificate with RSASSA PSS scheme using OpenSSL
Note
These commands can be used to create firmware, board-config and debug-unlock certificates.
This document does not specify the following:
- The X509 template to be used for certificate creation; the template depends on the application - firmware/board-config/debug-unlock.
- The operations needed before or after the creation of the certificate. See Signing binaries for Secure Boot on HS Devices.
Create a certificate with RSASSA PKCS v1.5 scheme using OpenSSL¶
openssl req -new -x509 -key [keypath] -nodes -outform DER -out [cert] -config [x509_config] -sha512
- [keypath]: path to the RSA private key
- [cert]: path to the output certificate binary (DER)
- [x509_config]: path to the file containing the X509 template
Create a certificate with RSASSA PSS scheme using OpenSSL¶
openssl req -new -x509 -key [keypath] -nodes -outform DER -out [cert] -config [x509_config] -sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:64
- [keypath]: path to the RSA private key
- [cert]: path to the output certificate binary (DER)
- [x509_config]: path to the file containing the X509 template
Note
- Recommended OpenSSL version: OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
- If signing with the RSASSA-PKCS v1.5 scheme, use a PKCS#1 RSA key.
- If signing with the RSASSA-PSS scheme, use a PKCS#8 RSA key that was generated for the RSASSA-PSS signing scheme.
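The two commands above put together as an added shell example (not TI's own documentation or tooling): it generates the matching key type for each scheme, creates both certificates, and reads back the signature algorithm and PSS salt length actually encoded in each DER file, which is the check to run before handing a certificate to the signing flow. It assumes OpenSSL 3.x as recommended above; the X509 template it writes is a stand-in, since the real template is application specific and not given on this page.

```sh
# Added example (not from TI's documentation or tooling): build both
# certificate variants from this page and read back the signature
# algorithm each DER certificate actually carries. Assumes OpenSSL 3.x.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in X509 template (an assumption): the real template depends on the
# application (firmware/board-config/debug-unlock) and is not on this page.
write_stub_template() {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = example-signing-cert\n' > "$1"
}

# RSASSA PKCS#1 v1.5 certificate from a PKCS#1 RSA key (-traditional).
# 2048 bits keeps the example fast; use the key size your device requires.
make_pkcs1_cert() {                       # $1 = output DER path
    write_stub_template "$WORK/x509.cfg"
    openssl genrsa -traditional -out "$WORK/pkcs1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/pkcs1.key" -nodes -outform DER \
        -out "$1" -config "$WORK/x509.cfg" -sha512
}

# RSASSA PSS certificate from a PKCS#8 key generated for RSA-PSS.
make_pss_cert() {                         # $1 = output DER path
    write_stub_template "$WORK/x509.cfg"
    openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/pss.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/pss.key" -nodes -outform DER \
        -out "$1" -config "$WORK/x509.cfg" -sha512 \
        -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:64
}

# Name in the certificate's signatureAlgorithm field.
cert_sig_alg() {
    openssl x509 -inform DER -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
# PSS salt length parameter; empty for a PKCS#1 v1.5 certificate.
cert_pss_saltlen() {
    openssl x509 -inform DER -in "$1" -noout -text |
        sed -n 's/^ *Salt Length: *//p' | head -n 1
}

demo() {   # run as: sh make_certs.sh demo
    make_pkcs1_cert "$WORK/pkcs1.der"; make_pss_cert "$WORK/pss.der"
    echo "pkcs1: $(cert_sig_alg "$WORK/pkcs1.der")"
    echo "pss:   $(cert_sig_alg "$WORK/pss.der"), salt $(cert_pss_saltlen "$WORK/pss.der")"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

A PKCS#1 v1.5 certificate reports sha512WithRSAEncryption, the PSS one reports rsassaPss with Salt Length 0x40, so a mismatch here means the wrong key type or missing -sigopt flags.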
