If you are unfamilar with signing executables for UEFI SecureBoot see How to Sign UEFI Drivers & Applications from the TianoCore EDK2 website.
Here is a simple Makefile which can be used to create the necessary keys:
# # Make all keys for UEFI SecureBoot # TOPDIR := $(shell pwd)/ .SUFFIXES: .crt all: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key PK.crt KEK.crt DB.crt: openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes .KEEP: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key %.cer: %.crt openssl x509 -in $< -out $@ -outform DER %-subkey.csr: openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes %-subkey.crt: %-subkey.csr KEK.crt openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365 clean: rm -f PK.* KEK.* DB.*
Naturally, you may have to modify it to suit your own particular setup but the above should give you a good starting point.