2.2.3 Managing Keys and Certificates Used with Secure Boot

You can use the mokutil command to manage the keys and certificates used with Secure Boot.

The certificates are signed by DigiCert. By default, a certificate is valid for one year from the date of signing. A certificate's expiry does not by itself invalidate signed components: validation is based on the date on which grub and the kernel were signed, and on whether the certificate was valid at that time.

To renew the certificates, you update the kernel, grub, and ILOM on the secured servers with a new, signed version.

  • To list the enrolled keys, use the mokutil --list-enrolled command:
    [root@dbm0celadm03 ~]# mokutil --list-enrolled
    [key 1]
    SHA1 Fingerprint: 5f:f4:35:5a:49:ec:8d:f1:56:d1:ee:9b:ac:f6:19:54:08:77:d3:59
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                21:b3:c1:01:19:dc:af:44:43:15:8b:0f:33:6b:18:be
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA - G2
            Validity
                Not Before: Jun 30 00:00:00 2020 GMT
                Not After : Jul  1 23:59:59 2021 GMT
            Subject: jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2101822, C=US/postalCode=94065, ST=California, L=Redwood City/street=500 Oracle Parkway, O=Oracle America Inc., OU=Winqual, CN=Oracle America Inc.
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:8d:3e:e0:3b:35:99:fb:11:c0:2a:12:ac:07:40:
                        f7:90:d4:d3:62:5e:85:2d:ea:94:af:5f:26:33:98:
                        c8:03:33:0e:30:5e:4d:44:ca:fa:1a:3a:49:88:64:
                        89:16:5c:39:f3:35:86:ed:25:eb:0f:ca:fa:2c:3d:
                        d6:23:2a:b3:1e:62:fb:45:88:1a:05:be:95:d6:6a:
                        d9:c5:f2:81:7a:cc:63:71:3c:37:a0:23:1c:eb:20:
                        1a:3d:13:89:6a:9e:47:a0:eb:ca:64:21:3f:7a:f4:
                        e6:09:bf:47:63:c8:b3:6b:a5:c6:1b:de:f6:06:12:
                        56:eb:ab:24:00:01:c9:80:db:be:66:49:64:ac:c8:
                        ce:1e:da:7a:c1:42:21:85:f9:67:81:a4:f0:6d:14:
                        01:9b:45:1e:9f:08:e5:18:b7:c5:34:e5:55:e2:11:
                        dc:fe:0c:36:32:f4:bb:cb:34:00:37:b2:41:05:5f:
                        0a:69:68:55:cb:4e:ec:ca:cc:1b:67:dc:05:f1:98:
                        95:c4:14:35:41:01:fe:f5:bd:63:1a:8d:cc:8a:1f:
                        b6:87:ac:02:ea:e2:2e:29:d6:11:b9:bc:aa:d6:44:
                        3e:32:3c:a9:12:a4:aa:09:ec:6e:ba:99:08:58:36:
                        6b:ef:40:c5:3e:47:36:93:53:f1:c9:f2:79:f2:53:
                        c9:9b
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 Extended Key Usage:
                    Code Signing
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.3
                      CPS: https://d.symcb.com/cps
                      User Notice:
                        Explicit Text: https://d.symcb.com/rpa
    
                X509v3 Subject Key Identifier:
                    BC:59:71:95:4C:74:9D:3D:30:98:52:EF:0F:3C:23:6F:A4:98:E8:F6
                X509v3 Authority Key Identifier:
                    keyid:16:66:DE:4A:34:E3:50:A7:11:86:03:B1:6C:A9:C6:AC:CD:59:6E:9B
    
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://sw.symcb.com/sw.crl
    
                Authority Information Access:
                    OCSP - URI:http://sw.symcd.com
                    CA Issuers - URI:http://sw.symcb.com/sw.crt
    
        Signature Algorithm: sha256WithRSAEncryption
             38:4d:10:69:07:db:7c:ce:18:2b:1e:c5:89:1c:71:a9:b0:07:
             19:43:2d:a0:88:c5:f5:bf:82:a9:4b:f9:45:fa:2c:7c:00:cb:
             be:24:b0:a8:98:7d:f5:a3:c4:42:52:f4:75:fd:22:c5:0c:2e:
             a2:13:7f:b9:24:79:04:d5:ea:0e:1a:e6:e8:4c:61:48:65:5b:
             c7:30:81:90:fd:17:d5:39:d4:70:00:00:b8:c5:80:03:da:88:
             e0:f1:39:aa:d9:1d:ef:2f:bf:c3:06:18:2a:1b:1f:ce:30:a2:
             bb:dd:d0:46:0e:d5:e1:22:0c:a0:cc:df:00:fe:0a:99:d5:cc:
             16:76:4b:ab:dc:bb:80:4b:0e:1b:f5:5e:04:22:3e:a9:d0:70:
             56:87:9b:c1:2f:95:cf:36:34:e7:c7:2e:0c:56:f3:24:fa:7d:
             f7:25:54:50:34:f6:e5:30:76:8b:fd:65:25:19:8a:54:f9:f1:
             93:24:ad:22:25:4a:e0:a2:63:b6:d7:d1:82:4e:5a:fc:34:52:
             b4:9e:7d:1a:e2:b7:a1:92:13:0f:9d:7b:ae:42:6f:64:a2:02:
             47:c7:f9:11:12:e4:82:b9:f7:ed:ce:14:ac:c2:b4:e3:cc:c4:
             ef:f8:9f:78:23:91:89:b0:37:24:f1:c6:61:0c:2e:cf:af:29:
             e5:68:70:4d
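The validity rule stated above (a certificate only needs to have been valid on the date grub and the kernel were signed) can be checked directly against the listing that mokutil --list-enrolled prints. The script below is an added example for this section; it is not code from the original page, from mokutil, or from Oracle. It parses a constructed, trimmed copy of the listing shown above (SAMPLE_LISTING), extracts each enrolled certificate's fingerprint, subject and issuer CN and Not Before/Not After window, and classifies an assumed signing date against that window. The signing and "today" dates in main() are assumptions chosen to illustrate the outcomes.

```python
"""Parse `mokutil --list-enrolled` output and check each enrolled Secure Boot
certificate's validity window against the date a boot component was signed.

Added example; not part of the page, of mokutil, or of Oracle's tooling.
"""
import re
from datetime import datetime, timezone

# Constructed sample: trimmed `mokutil --list-enrolled` output for one key.
SAMPLE_LISTING = """\
[key 1]
SHA1 Fingerprint: 5f:f4:35:5a:49:ec:8d:f1:56:d1:ee:9b:ac:f6:19:54:08:77:d3:59
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA - G2
        Validity
            Not Before: Jun 30 00:00:00 2020 GMT
            Not After : Jul  1 23:59:59 2021 GMT
        Subject: C=US, ST=California, L=Redwood City, O=Oracle America Inc., OU=Winqual, CN=Oracle America Inc.
        X509v3 extensions:
            X509v3 Extended Key Usage:
                Code Signing
"""

_KEY_HEADER = re.compile(r"^\[key (\d+)\]$")
_CN = re.compile(r"CN=([^,/]+)")


def _parse_x509_time(value):
    """Parse an OpenSSL-style time such as 'Jul  1 23:59:59 2021 GMT' as UTC."""
    value = " ".join(value.split())  # collapse the padding before the day number
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_enrolled(text):
    """Return one dict per '[key N]' block: fingerprint, CNs and validity window."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = _KEY_HEADER.match(line)
        if header:
            current = {"index": int(header.group(1))}
            certs.append(current)
            continue
        if current is None:
            continue
        field, _, rest = line.partition(":")
        field, rest = field.strip(), rest.strip()
        if field == "SHA1 Fingerprint":
            current["fingerprint"] = rest
        elif field == "Not Before":
            current["not_before"] = _parse_x509_time(rest)
        elif field == "Not After":
            current["not_after"] = _parse_x509_time(rest)
        elif field in ("Subject", "Issuer"):
            cn = _CN.search(rest)
            current[field.lower() + "_cn"] = cn.group(1).strip() if cn else ""
    return certs


def signing_status(cert, signed_at):
    """Classify a signing timestamp against the certificate's validity window.

    What matters is whether the certificate was valid when grub and the kernel
    were signed, not whether it is still valid today.
    """
    if signed_at < cert["not_before"]:
        return "not-yet-valid-at-signing"
    if signed_at > cert["not_after"]:
        return "expired-at-signing"
    return "valid-at-signing"


def days_remaining(cert, now):
    """Whole days until 'Not After'; negative once the certificate has expired."""
    return (cert["not_after"] - now).days


def report(text, signed_at, now):
    """Build report lines for every enrolled certificate in a mokutil listing."""
    lines = []
    for cert in parse_enrolled(text):
        lines.append(f"key {cert['index']}: {cert['subject_cn']} (issuer: {cert['issuer_cn']})")
        lines.append(f"  fingerprint : {cert['fingerprint']}")
        lines.append(f"  valid       : {cert['not_before']:%Y-%m-%d} to {cert['not_after']:%Y-%m-%d}")
        lines.append(f"  days left   : {days_remaining(cert, now)}")
        lines.append(f"  signed {signed_at:%Y-%m-%d}: {signing_status(cert, signed_at)}")
    return lines


if __name__ == "__main__":
    # Assumed dates: a kernel signed inside the window, reviewed after expiry.
    signed = datetime(2021, 3, 15, tzinfo=timezone.utc)
    today = datetime(2021, 9, 1, tzinfo=timezone.utc)
    print("\n".join(report(SAMPLE_LISTING, signed, today)))
```

On a live server, pass the captured output of mokutil --list-enrolled to parse_enrolled instead of SAMPLE_LISTING. A negative "days left" value means the enrolled certificate has expired, which by itself does not stop components signed inside its window from validating; it is the cue to plan the update of the kernel, grub, and ILOM with newly signed versions described above.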