
22.7.3. Generating a Public and Private X.509 Key Pair

You need to generate a public and private X.509 key pair that will be used to sign a kernel module after it has been built. The corresponding public key will be used to authenticate the kernel module when it is loaded.
  1. The openssl tool can be used to generate a key pair that satisfies the requirements for kernel module signing in Fedora. Some of the parameters for this key generation request are best specified with a configuration file; follow the example below to create your own configuration file.
    ~]# cat << EOF > configuration_file.config
    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = myexts
    
    [ req_distinguished_name ]
    O = Organization
    CN = Organization signing key
    emailAddress = E-mail address
    
    [ myexts ]
    basicConstraints=critical,CA:FALSE
    keyUsage=digitalSignature
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid
    EOF
  2. After you have created the configuration file, you can create an X.509 public and private key pair. The public key will be written to the public_key.der file and the private key will be written to the private_key.priv file.
    ~]# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
    > -batch -config configuration_file.config -outform DER \
    > -out public_key.der \
    > -keyout private_key.priv
  3. Enroll your public key on all systems where you want to authenticate and load your kernel module.
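The following script is an added example, not part of the Fedora guide: it writes the request configuration shown above, runs the same openssl req command, and then checks the result before the key is used for signing or the certificate is enrolled anywhere. The checks confirm that the certificate is not a CA, that it carries the digitalSignature key usage, that the key is 4096 bits as configured, that the private key really matches the certificate, and that the private key file is readable by its owner only. It assumes the openssl command-line tool is installed and a POSIX shell with ls; the organisation name and e-mail address in the configuration are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fedora guide): generate the module-signing key pair
# from the guide's configuration and verify it before trusting it.
# Assumes the openssl CLI is installed. O, CN and emailAddress below are placeholders.
set -eu

# Write the request configuration (same fields as configuration_file.config in the guide).
write_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Example Org
CN = Example Org kernel module signing key
emailAddress = modsign@example.org

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# Generate the pair: DER certificate (public_key.der) and PEM private key (private_key.priv)
# in the working directory given as the first argument.
generate_key_pair() {
  dir=$1
  write_config "$dir/configuration_file.config"
  openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
    -batch -config "$dir/configuration_file.config" -outform DER \
    -out "$dir/public_key.der" \
    -keyout "$dir/private_key.priv" 2>/dev/null
  # The private key must never be group- or world-readable.
  chmod 0600 "$dir/private_key.priv"
}

# Check the generated pair. Prints "ok" when every check passes,
# otherwise prints the first failing check and returns non-zero.
check_key_pair() {
  dir=$1
  text=$(openssl x509 -in "$dir/public_key.der" -inform DER -noout -text)
  # 1. Not a CA certificate, and usable for digital signatures.
  echo "$text" | grep -q 'CA:FALSE' || { echo "missing CA:FALSE"; return 1; }
  echo "$text" | grep -q 'Digital Signature' || { echo "missing keyUsage digitalSignature"; return 1; }
  # 2. Key size matches default_bits in the configuration.
  echo "$text" | grep -q 'Public-Key: (4096 bit)' || { echo "key is not 4096 bit"; return 1; }
  # 3. The private key corresponds to the public key embedded in the certificate.
  pub_cert=$(openssl x509 -in "$dir/public_key.der" -inform DER -noout -pubkey)
  pub_priv=$(openssl pkey -in "$dir/private_key.priv" -pubout)
  [ "$pub_cert" = "$pub_priv" ] || { echo "private key does not match certificate"; return 1; }
  # 4. Private key file mode is owner read/write only.
  mode=$(ls -l "$dir/private_key.priv" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || { echo "private key permissions too open: $mode"; return 1; }
  echo ok
}

# Stand-alone usage: sh modsign_keys.sh /path/to/workdir
if [ $# -ge 1 ]; then
  generate_key_pair "$1"
  check_key_pair "$1"
fi
```

Run it against an empty working directory; if any check prints something other than ok, do not sign modules with that key or enroll that certificate until the cause is understood. The matching check in step 3 is the one that catches a mixed-up or overwritten key file, which the certificate text alone will not reveal.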

Warning

Take proper care to guard the contents of your private key. In the wrong hands, the key could be used to compromise any system which has your public key.