.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.48.1.
.TH CERT-TO-EFI-HASH-LIST "1" "December 2022" "cert-to-efi-hash-list 1.9.2" "User Commands"
.SH NAME
cert-to-efi-hash-list - tool for converting openssl certificates to EFI signature hash revocation lists
.SH SYNOPSIS
.B cert-to-efi-hash-list
[\fI\,-g <guid>\/\fR][\fI\,-t <timestamp>\/\fR][\fI\,-s <hash>\/\fR] \fI\,<crt file> <efi sig list file>\/\fR
.SH DESCRIPTION
Take an input X509 certificate (in PEM format) and convert it to an EFI
signature hash list file containing only that single certificate
.SH OPTIONS
.TP
\fB\-g\fR <guid>
Use <guid> as the owner of the signature. If this is not
supplied, an all zero guid will be used
.TP
\fB\-s\fR <hash>
Use SHA<hash> hash algorithm (256, 384, 512)
.TP
\fB\-t\fR <timestamp>
Time of Revocation for hash signature
.IP
Set to 0 if not specified meaning revoke
for all time.
.SH NOTE

Signature revocation hashes are only implemented in UEFI 2.4 and up
.SH EXAMPLES

To take a standard X509 certificate in PEM format and
produce an output EFI signature list file, simply do

cert-to-efi-hash-list PK.crt PK.esl

Note that the format of EFI signature list files is such
that they can simply be concatenated to produce a file with
multiple signatures:

cat PK1.esl PK2.esl > PK.esl

If your platform has a setup mode key manipulation ability,
the keys will often only be displayed by GUID, so using the
-g option to give your keys recognisable GUIDs will be
useful if you plan to manage lots of keys.
.SH "SEE ALSO"

sign-efi-sig-list(1) for details on how to create an
authenticated update to EFI secure variables when the EFI
system is in user mode.